Analysis Report RFQ #46200058149.exe

Overview

General Information

Sample Name: RFQ #46200058149.exe
Analysis ID: 383193
MD5: 67b96dc502b0c7a496092d7e6d1da6c5
SHA1: a7c79eeaaafb23e8e40457cd5d44c61148cd1f5f
SHA256: ef5cb0bfe2d23b7a13b685f43dc9a100dac402023e11dce7991173bde63b298e
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Startup

  • System is w10x64
  • RFQ #46200058149.exe (PID: 5340 cmdline: 'C:\Users\user\Desktop\RFQ #46200058149.exe' MD5: 67B96DC502B0C7A496092D7E6D1DA6C5)
    • cmd.exe (PID: 5912 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5504 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • RFQ #46200058149.exe (PID: 5972 cmdline: C:\Users\user\Desktop\RFQ #46200058149.exe MD5: 67B96DC502B0C7A496092D7E6D1DA6C5)
    • WerFault.exe (PID: 5416 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 2672 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000000.00000002.301376960.000000000505E000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0x105d5:$x1: NanoCore.ClientPluginHost
  • 0x10612:$x2: IClientNetworkHost
  • 0x14145:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000000.00000002.301376960.000000000505E000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000000.00000002.301376960.000000000505E000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x1033d:$a: NanoCore
  • 0x1034d:$a: NanoCore
  • 0x10581:$a: NanoCore
  • 0x10595:$a: NanoCore
  • 0x105d5:$a: NanoCore
  • 0x1039c:$b: ClientPlugin
  • 0x1059e:$b: ClientPlugin
  • 0x105de:$b: ClientPlugin
  • 0x104c3:$c: ProjectData
  • 0x10eca:$d: DESCrypto
  • 0x18896:$e: KeepAlive
  • 0x16884:$g: LogClientMessage
  • 0x12a7f:$i: get_Connected
  • 0x11200:$j: #=q
  • 0x11230:$j: #=q
  • 0x1124c:$j: #=q
  • 0x1127c:$j: #=q
  • 0x11298:$j: #=q
  • 0x112b4:$j: #=q
  • 0x112e4:$j: #=q
  • 0x11300:$j: #=q
Source: 00000000.00000003.240375757.000000000507F000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0x223f5:$x1: NanoCore.ClientPluginHost
  • 0x55015:$x1: NanoCore.ClientPluginHost
  • 0x22432:$x2: IClientNetworkHost
  • 0x55052:$x2: IClientNetworkHost
  • 0x25f65:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x58b85:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000000.00000003.240375757.000000000507F000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
(4 further memory-dump matches are collapsed in this capture.)

      Unpacked PEs

Source: 0.2.RFQ #46200058149.exe.505e448.10.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 0.2.RFQ #46200058149.exe.505e448.10.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: 0.2.RFQ #46200058149.exe.505e448.10.raw.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 0.2.RFQ #46200058149.exe.505e448.10.raw.unpack | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
Source: 0.2.RFQ #46200058149.exe.505e448.10.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(7 further unpacked-PE matches are collapsed in this capture.)
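Each match row above reads offset:$identifier: string, i.e. where in the dump or unpacked image a rule string landed. The following Python scanner is an added example, not Joe Sandbox code and not the logic of the Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1 or NanoCore rules: it takes the marker strings from the rows above, reports every occurrence in the same offset:identifier format, and applies an assumed stand-in condition (verdict) to show why a dump with only KeepAlive and ProjectData is not a hit. The memory buffers are constructed, not bytes from the real sample.

```python
"""Added example: approximate the YARA string matches shown above in plain Python.

Not Joe Sandbox code and not the real rules' conditions; marker strings are
copied from the report's match rows, verdict() is an assumed stand-in.
"""
import re

# Marker strings as they appear in the report's match rows, keyed by the
# identifiers the rules used. "#=q" is the prefix of obfuscator-renamed .NET members.
NANOCORE_MARKERS = {
    "$x1": b"NanoCore.ClientPluginHost",
    "$x2": b"IClientNetworkHost",
    "$a": b"NanoCore",
    "$b": b"ClientPlugin",
    "$c": b"ProjectData",
    "$d": b"DESCrypto",
    "$e": b"KeepAlive",
    "$g": b"LogClientMessage",
    "$i": b"get_Connected",
    "$j": b"#=q",
}


def scan(buf):
    """Return {identifier: [offsets]} for every marker occurrence in buf."""
    hits = {}
    for ident, needle in NANOCORE_MARKERS.items():
        offsets = [m.start() for m in re.finditer(re.escape(needle), buf)]
        if offsets:
            hits[ident] = offsets
    return hits


def verdict(hits):
    """Assumed condition: any strong $x marker, or $a plus three weaker markers."""
    strong = any(ident.startswith("$x") for ident in hits)
    weak = sum(1 for ident in hits if ident in ("$b", "$c", "$d", "$e", "$g", "$i"))
    return strong or ("$a" in hits and weak >= 3)


def format_hits(hits):
    """Render rows the way the report does: '0x105d5:$x1: NanoCore.ClientPluginHost'."""
    rows = sorted((off, ident) for ident, offs in hits.items() for off in offs)
    return [f"{off:#x}:{ident}: {NANOCORE_MARKERS[ident].decode()}" for off, ident in rows]


# Constructed stand-ins for a process memory dump; not bytes from the real sample.
SAMPLE_DUMP = (
    b"\x00" * 0x40
    + b"NanoCore.ClientPluginHost\x00"
    + b"\x00" * 0x10
    + b"IClientNetworkHost\x00"
    + b"#=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe\x00"
    + b"ClientPlugin\x00ProjectData\x00DESCrypto\x00KeepAlive\x00#=qAb\x00#=qCd\x00"
)
BENIGN_DUMP = b"ordinary .NET service: KeepAlive timer, ProjectData resources, nothing else"

if __name__ == "__main__":
    for row in format_hits(scan(SAMPLE_DUMP)):
        print(row)
    print("sample:", verdict(scan(SAMPLE_DUMP)), "benign:", verdict(scan(BENIGN_DUMP)))
```

For real triage run the published rules with yara itself against the dump files; this script only shows what the rows mean and why single weak strings (KeepAlive, ProjectData) are not enough on their own. The "#=q" hits are worth keeping even though they are not NanoCore-specific: that prefix is how a common .NET obfuscator renames members, so a count of them is a cheap packing indicator.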

        Sigma Overview

        System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\RFQ #46200058149.exe, ProcessId: 5972, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
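The Sigma hit is a Sysmon EventID 11 (FileCreate) whose target is run.dat inside a GUID-named folder directly under the user's roaming AppData. The Python below is an added example of that match logic plus a second rule for the cmd.exe /c timeout 1 stall visible in the Startup tree; it is not Joe Security's Sigma rule or Joe Sandbox code. The events are constructed Sysmon-style records: the first two mirror the report's Sigma data and process tree (the ParentImage field for the cmd.exe event is assumed from the tree, not logged on this page), the others are benign look-alikes.

```python
"""Added example: Sigma-style matching over Sysmon-like events for the two
behaviours on this page (GUID-folder run.dat write, cmd /c timeout stall).
Not Joe Security's rule; event records are constructed.
"""
import re

# run.dat in <drive>:\Users\<user>\AppData\Roaming\<GUID>\ with optional braces.
RUN_DAT_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\"
    r"\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?\\run\.dat$"
)
# cmd.exe /c timeout N, as in the Startup tree ('...cmd.exe' /c timeout 1).
TIMEOUT_RE = re.compile(r"cmd(?:\.exe)?['\"]?\s+/c\s+timeout\s+\d+", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^[A-Za-z]:\\Users\\", re.IGNORECASE)


def rule_nanocore_rundat(ev):
    """EventID 11 (FileCreate) writing the GUID-folder run.dat."""
    return ev.get("EventID") == 11 and bool(RUN_DAT_RE.match(ev.get("TargetFilename", "")))


def rule_timeout_stall(ev):
    """EventID 1 (ProcessCreate): cmd /c timeout spawned by a binary under a user profile."""
    return (ev.get("EventID") == 1
            and bool(TIMEOUT_RE.search(ev.get("CommandLine", "")))
            and bool(USER_WRITABLE_RE.match(ev.get("ParentImage", ""))))


RULES = {
    "nanocore_run_dat": rule_nanocore_rundat,
    "user_binary_cmd_timeout_stall": rule_timeout_stall,
}


def evaluate(events):
    """Return (rule name, event) pairs for every rule each event satisfies, in input order."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed Sysmon-style records; ParentImage on the second is assumed from the process tree.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\RFQ #46200058149.exe", "ProcessId": 5972,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ProcessId": 5912,
     "CommandLine": r"'C:\Windows\System32\cmd.exe' /c timeout 1",
     "ParentImage": r"C:\Users\user\Desktop\RFQ #46200058149.exe"},
    # Benign look-alikes: a normal roaming-profile write and a system-spawned timeout.
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "ProcessId": 4120,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\notes.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ProcessId": 7001,
     "CommandLine": r"cmd.exe /c timeout 30", "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for name, ev in evaluate(SAMPLE_EVENTS):
        print(name, ev.get("ProcessId"), ev.get("TargetFilename") or ev.get("CommandLine"))
```

The GUID-folder pattern is the durable part of the rule: the folder name changes per build, so match its shape rather than the D06ED635-... value from this run. The timeout rule is a supporting signal only; anchor it on a user-writable parent to keep installer and admin scripts out of the alert stream.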

        Signature Overview

        AV Detection:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.301376960.000000000505E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.240375757.000000000507F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ #46200058149.exe PID: 5340, type: MEMORY
Source: Yara match | File source: 0.2.RFQ #46200058149.exe.505e448.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ #46200058149.exe.505e448.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.RFQ #46200058149.exe.5091268.0.raw.unpack, type: UNPACKEDPE
Source: unknown | HTTPS traffic detected: 172.67.150.212:443 -> 192.168.2.5:49699 version: TLS 1.0
Source: RFQ #46200058149.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: dhcpcsvc.pdb$ source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb3y source: RFQ #46200058149.exe, 00000007.00000003.443708855.00000000064D5000.00000004.00000001.sdmp
        Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RFQ #46200058149.exe, 00000000.00000002.301989509.0000000005979000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb* source: RFQ #46200058149.exe, 00000000.00000002.301989509.0000000005979000.00000004.00000001.sdmp
        Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.247025053.00000000035A1000.00000004.00000001.sdmp
        Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.ni.pdb8S source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: secur32.pdbR source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: ml.pdb? source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.247731524.0000000003595000.00000004.00000001.sdmp
        Source: Binary string: mskeyprotect.pdb=[ source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: cryptnet.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: dnsapi.pdb2 source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: winnsi.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: ml.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: clr.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: .ni.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: urlmon.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: schannel.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: RFQ #46200058149.PDBTwB source: RFQ #46200058149.exe, 00000000.00000002.293636749.00000000012F8000.00000004.00000010.sdmp
        Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.247492157.00000000035A7000.00000004.00000001.sdmp
        Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: \??\C:\Windows\mscorlib.pdb source: RFQ #46200058149.exe, 00000000.00000002.302123092.00000000059FC000.00000004.00000001.sdmp
        Source: Binary string: shcore.pdbn source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: jVisualBasic.pdb,+K source: RFQ #46200058149.exe, 00000000.00000002.293636749.00000000012F8000.00000004.00000010.sdmp
        Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000B.00000003.259007833.00000000059A0000.00000004.00000040.sdmp
        Source: Binary string: crypt32.pdbF source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: WLDP.pdbD source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: iertutil.pdbZ source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: mscorsecimpl.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: imagehlp.pdbX source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: nsi.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Core.ni.pdb8S source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: System.Configuration.pdb8S source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: webio.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: gpapi.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdbRSDS source: WER5FCE.tmp.dmp.11.dr
        Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: C:\Users\user\Desktop\RFQ #46200058149.PDB/ source: RFQ #46200058149.exe, 00000000.00000002.293636749.00000000012F8000.00000004.00000010.sdmp
        Source: Binary string: iertutil.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: cryptsp.pdbL source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: System.pdb?W source: WerFault.exe, 0000000B.00000003.258734874.000000000581E000.00000004.00000001.sdmp
        Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: ucrtbase.pdb_ source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: mscorlib.pdb source: RFQ #46200058149.exe, 00000000.00000002.301971445.0000000005960000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: comctl32v582.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: RFQ #46200058149.exe, 00000007.00000003.443708855.00000000064D5000.00000004.00000001.sdmp
        Source: Binary string: System.ni.pdb8S source: WerFault.exe, 0000000B.00000003.258734874.000000000581E000.00000004.00000001.sdmp
        Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.247025053.00000000035A1000.00000004.00000001.sdmp
        Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER5FCE.tmp.dmp.11.dr
        Source: Binary string: urlmon.pdbh source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: secur32.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.259007833.00000000059A0000.00000004.00000040.sdmp
        Source: Binary string: rasapi32.pdb> source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.ni.pdbRSDS source: WER5FCE.tmp.dmp.11.dr
        Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: ml.ni.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: schannel.pdb^ source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.ni.pdbT3#l source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Core.ni.pdbRSDSD source: WER5FCE.tmp.dmp.11.dr
        Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.pdb-3853321935-2125563209-4053062332-1002_Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler source: RFQ #46200058149.exe, 00000007.00000003.425042337.00000000064DB000.00000004.00000001.sdmp
        Source: Binary string: wmswsock.pdbl source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: Kernel.Appcore.pdb! source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: .pdb, source: RFQ #46200058149.exe, 00000000.00000002.293636749.00000000012F8000.00000004.00000010.sdmp
        Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: wUxTheme.pdbt source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdb8S source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: jLC:\Windows\Microsoft.VisualBasic.pdb source: RFQ #46200058149.exe, 00000000.00000002.293636749.00000000012F8000.00000004.00000010.sdmp
        Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: fwpuclnt.pdb8 source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: iphlpapi.pdbf source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: comctl32v582.pdb=R source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: winhttp.pdb* source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: propsys.pdb@ source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: rtutils.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.pdbx source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.247731524.0000000003595000.00000004.00000001.sdmp
        Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Core.pdb8S source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: cabinet.pdb` source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: System.ni.pdbRSDS source: WER5FCE.tmp.dmp.11.dr
        Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: cabinet.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: rasman.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: Microsoft.VisualBasic.pdb0 source: WER5FCE.tmp.dmp.11.dr
        Source: Binary string: mscorlib.pdb853321935-2125563209-4053062332-1002_Classes\WOW6432Node\CLSID\{9ac9fbe1-e0a2-4ad6-b4ee-e212013ea917}\InprocServer32 source: RFQ #46200058149.exe, 00000000.00000002.301971445.0000000005960000.00000004.00000001.sdmp
        Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: nsi.pdb=[ source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: version.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: onfiguration.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: System.pdb source: WerFault.exe, 0000000B.00000003.258734874.000000000581E000.00000004.00000001.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: ore.ni.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: ore.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: psapi.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Windows.Forms.pdb8S source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: cldapi.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.247492157.00000000035A7000.00000004.00000001.sdmp
        Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: powrprof.pdbT source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: CLBCatQ.pdbz source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: System.Xml.pdb8 source: WER5FCE.tmp.dmp.11.dr
        Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.ni.pdb8S source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: System.Xml.pdb8S source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: edputil.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp

        Networking:

        Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49700 -> 45.15.143.169:5353
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49701 -> 45.15.143.169:5353
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49708 -> 45.15.143.169:5353
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49711 -> 45.15.143.169:5353
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49717 -> 45.15.143.169:5353
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49721 -> 45.15.143.169:5353
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49724 -> 45.15.143.169:5353
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49725 -> 45.15.143.169:5353
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49727 -> 45.15.143.169:5353
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49728 -> 45.15.143.169:5353
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49731 -> 45.15.143.169:5353
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49737 -> 45.15.143.169:5353
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49738 -> 45.15.143.169:5353
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49739 -> 45.15.143.169:5353
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49740 -> 45.15.143.169:5353
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49741 -> 45.15.143.169:5353
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49744 -> 45.15.143.169:5353
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49745 -> 45.15.143.169:5353
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49746 -> 45.15.143.169:5353
        Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FE6EFB3AED9F05224C930BEF8BE1CC20.html HTTP/1.1 | UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 | Host: myliverpoolnews.cf | Connection: Keep-Alive
        Source: Joe Sandbox View | IP Address: 172.67.150.212 172.67.150.212
        Source: Joe Sandbox View | ASN Name: DEDIPATH-LLCUS DEDIPATH-LLCUS
        Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
        Source: unknown | HTTPS traffic detected: 172.67.150.212:443 -> 192.168.2.5:49699 version: TLS 1.0
        Source: unknown | TCP traffic detected without corresponding DNS query: 45.15.143.169 (50 identical entries)
        Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FE6EFB3AED9F05224C930BEF8BE1CC20.html HTTP/1.1 | UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 | Host: myliverpoolnews.cf | Connection: Keep-Alive
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp | String found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.facebook.com (Facebook)
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp | String found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.twitter.com (Twitter)
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp | String found in binary or memory: <header class="mod-header" data-mod="header" data-immediate><div class="primary publication-theme-highlight"><a data-link-tracking="Header|MainLogo|Image|liverpool" id="logo" href="/">liverpool</a><a class="icon" id="hamburger" href="#">Load mobile navigation<span></span></a><nav class="primary"><section><ul data-level="1"><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Liverpool FC News" href="https://www.liverpool.com/liverpool-fc-news/">Liverpool FC News</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Latest News" href="https://www.liverpool.com/liverpool-fc-news/">Latest News</a></li><li><a data-link-tracking="Header|DropDown|Text|Transfer News" href="https://www.liverpool.com/liverpool-fc-news/transfer-news/">Transfer News</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Schedule" href="https://www.liverpool.com/schedule/">Schedule</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Premier League" href="https://www.liverpool.com/all-about/premier-league">Premier League</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li><a data-link-tracking="Header|SectionLabel|Text|Features" href="https://www.liverpool.com/liverpool-fc-news/features/">Features</a></li></ul></section></nav><profile-icon lr-custom-id="signin" lr-custom-class="header-profile-icon" lr-gtm-label="header" lr-show-account-link></profile-icon><div class="search"><button class="icon icon-search" id="search-icon" type="button" aria-label="Search"></button></div><div class="search-box hidden"><gcse:searchbox-only resultsUrl="https://www.liverpool.com/search/"></gcse:searchbox-only></div><div class="social-sites"><ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|top"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|top"></a></li></ul></div></div><nav class="secondary" data-smooth-scroll><section><ul class="click-track" data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/advertising/">Advertise with us</a></li></ul></section></nav><nav class="footer"><section><ul data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/r
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp | String found in binary or memory: <header class="mod-header" data-mod="header" data-immediate><div class="primary publication-theme-highlight"><a data-link-tracking="Header|MainLogo|Image|liverpool" id="logo" href="/">liverpool</a><a class="icon" id="hamburger" href="#">Load mobile navigation<span></span></a><nav class="primary"><section><ul data-level="1"><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Liverpool FC News" href="https://www.liverpool.com/liverpool-fc-news/">Liverpool FC News</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Latest News" href="https://www.liverpool.com/liverpool-fc-news/">Latest News</a></li><li><a data-link-tracking="Header|DropDown|Text|Transfer News" href="https://www.liverpool.com/liverpool-fc-news/transfer-news/">Transfer News</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Schedule" href="https://www.liverpool.com/schedule/">Schedule</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Premier League" href="https://www.liverpool.com/all-about/premier-league">Premier League</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li><a data-link-tracking="Header|SectionLabel|Text|Features" href="https://www.liverpool.com/liverpool-fc-news/features/">Features</a></li></ul></section></nav><profile-icon lr-custom-id="signin" lr-custom-class="header-profile-icon" lr-gtm-label="header" lr-show-account-link></profile-icon><div class="search"><button class="icon icon-search" id="search-icon" type="button" aria-label="Search"></button></div><div class="search-box hidden"><gcse:searchbox-only resultsUrl="https://www.liverpool.com/search/"></gcse:searchbox-only></div><div class="social-sites"><ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|top"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|top"></a></li></ul></div></div><nav class="secondary" data-smooth-scroll><section><ul class="click-track" data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/advertising/">Advertise with us</a></li></ul></section></nav><nav class="footer"><section><ul data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/r
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp | String found in binary or memory: <meta property="og:site_name" content="Liverpool.com"><meta property="og:language" content="en"><meta property="og:type" content="article"><meta property="og:title" content="The Brewster Experience has underdelivered so far, but that will change"><meta property="og:url" content="https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763"><meta property="og:description" content="Rhian Brewster was hyped up before the start of the season, but was that fair?"><meta property="og:image" content="https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178657262.jpg"><meta property="og:section" content="Features"><meta property="article:tag" content="Rhian Brewster"><meta property="article:author" content="https://www.facebook.com/kristianwalsh1987/"><meta property="article:published_time" content="2019-10-30T16:00:00Z"><meta property="article:modified_time" content="2019-10-30T15:36:53Z"><meta property="article:expiration_time" content="2019-11-29T15:36:53Z"><meta property="article:section" content="Features"><meta property="article:id" content="liverpool-17172763"> equals www.facebook.com (Facebook)
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp | String found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.facebook.com (Facebook)
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp | String found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.twitter.com (Twitter)
        Source: unknown | DNS traffic detected: queries for: myliverpoolnews.cf
        Source: RFQ #46200058149.exe, 00000000.00000002.296584123.00000000032E4000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
        Source: RFQ #46200058149.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
        Source: RFQ #46200058149.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
        Source: RFQ #46200058149.exe, 00000000.00000002.296584123.00000000032E4000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
        Source: RFQ #46200058149.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
        Source: RFQ #46200058149.exe, 00000000.00000002.302123092.00000000059FC000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
        Source: RFQ #46200058149.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
        Source: RFQ #46200058149.exe, 00000000.00000002.296584123.00000000032E4000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
        Source: RFQ #46200058149.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
        Source: RFQ #46200058149.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
        Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
        Source: RFQ #46200058149.exe, 00000000.00000002.296513368.0000000003291000.00000004.00000001.sdmp | String found in binary or memory: http://myliverpoolnews.cf
        Source: RFQ #46200058149.exe, 00000000.00000002.296513368.0000000003291000.00000004.00000001.sdmp | String found in binary or memory: http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-
        Source: RFQ #46200058149.exe, 00000000.00000002.296584123.00000000032E4000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
        Source: RFQ #46200058149.exe, 00000000.00000002.302123092.00000000059FC000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
        Source: RFQ #46200058149.exe | String found in binary or memory: http://ocsp.digicert.com0C
        Source: RFQ #46200058149.exe | String found in binary or memory: http://ocsp.digicert.com0O
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp | String found in binary or memory: http://schema.org/BreadcrumbList
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp | String found in binary or memory: http://schema.org/ListItem
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp | String found in binary or memory: http://schema.org/NewsArticle
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
        Source: RFQ #46200058149.exe, 00000000.00000002.296513368.0000000003291000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
        Source: WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
        Source: RFQ #46200058149.exe | String found in binary or memory: http://www.digicert.com/CPS0
        Source: RFQ #46200058149.exe, 00000000.00000002.296584123.00000000032E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com/CPS0v
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp | String found in binary or memory: https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp | String found in binary or memory: https://c.amazon-adsystem.com/aax2/apstag.js
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp | String found in binary or memory: https://felix.data.tm-awx.com
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp | String found in binary or memory: https://felix.data.tm-awx.com/ampconfig.json&quot;
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp | String found in binary or memory: https://felix.data.tm-awx.com/felix.min.js
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/ded/script.js
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article17156435.ece/ALTERNATES/s615/1_GettyImages-1183794835.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article17166876.ece/ALTERNATES/s615/0_GettyImages-1175998874.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp, RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp, RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s220b/0_Salah-Pressing.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp, RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmp | String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp, RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s180/0_Curtis-10.png
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s220b/0_Salah-Goal-vs-Leeds.jp
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s180/0_GettyImages-1304940818.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpg
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s180/0_GettyImages-1273716690.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s615/0_GettyImages-1302496803.
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s615/1_WhatsApp-Image-2021-03-
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://mab.data.tm-awx.com/rhs&quot;
        Source: RFQ #46200058149.exe, 00000000.00000002.296563326.00000000032CF000.00000004.00000001.sdmpString found in binary or memory: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal
        Source: RFQ #46200058149.exe, 00000000.00000002.296563326.00000000032CF000.00000004.00000001.sdmpString found in binary or memory: https://myliverpoolnews.cf4
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://quantcast.mgr.consensu.org
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://reach-id.orbit.tm-awx.com/analytics.js.gz
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://reachplc.hub.loginradius.com&quot;
        Source: RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.liverpool.com
        Source: RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.liverpool.com/
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.mirror.co.uk/
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://securepubads.g.doubleclick.net/tag/js/gpt.js
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://static.hotjar.com/c/hotjar-
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://trinitymirror.grapeshot.co.uk/
        Source: RFQ #46200058149.exeString found in binary or memory: https://www.digicert.com/CPS0
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.google-analytics.com
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-M3TH25P
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/andrew-robertson
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/champions-league
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp, RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/curtis-jones
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/georginio-wijnaldum
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/mohamed-salah
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/ozan-kabak
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/premier-league
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/sadio-mane
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/steven-gerrard
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/all-about/transfers
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp, RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp, RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-barcelona-real-madrid-psg-17164868
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp, RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-curtis-jones-jurgen-klopp-19941053
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-gini-wijnaldum-rumours-fitness-199533
        Source: RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-sadio-mane-expected-goals-19932676
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763&
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-199590
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/schedule/
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154
        Source: RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/search/
        Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000000.00000002.301376960.000000000505E000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.240375757.000000000507F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: RFQ #46200058149.exe PID: 5340, type: MEMORY
        Source: Yara match | File source: 0.2.RFQ #46200058149.exe.505e448.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.RFQ #46200058149.exe.505e448.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.RFQ #46200058149.exe.5091268.0.raw.unpack, type: UNPACKEDPE

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 00000000.00000002.301376960.000000000505E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.301376960.000000000505E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000003.240375757.000000000507F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000003.240375757.000000000507F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RFQ #46200058149.exe PID: 5340, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: RFQ #46200058149.exe PID: 5340, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.RFQ #46200058149.exe.505e448.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.RFQ #46200058149.exe.505e448.10.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.RFQ #46200058149.exe.505e448.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.RFQ #46200058149.exe.505e448.10.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.3.RFQ #46200058149.exe.5091268.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.3.RFQ #46200058149.exe.5091268.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 2672
        Source: RFQ #46200058149.exe | Static PE information: invalid certificate
        Source: RFQ #46200058149.exe | Binary or memory string: OriginalFilename vs RFQ #46200058149.exe
        Source: RFQ #46200058149.exe, 00000000.00000002.296161892.00000000018D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs RFQ #46200058149.exe
        Source: RFQ #46200058149.exe, 00000000.00000002.293497076.0000000000EA2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameL vs RFQ #46200058149.exe
        Source: RFQ #46200058149.exe, 00000000.00000002.306600775.0000000008990000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs RFQ #46200058149.exe
        Source: RFQ #46200058149.exe, 00000000.00000002.296131286.00000000018A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs RFQ #46200058149.exe
        Source: RFQ #46200058149.exe, 00000000.00000002.301229918.0000000004F52000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs RFQ #46200058149.exe
        Source: RFQ #46200058149.exe, 00000000.00000002.303465347.00000000061E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs RFQ #46200058149.exe
        Source: RFQ #46200058149.exe, 00000000.00000002.296215366.00000000018F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs RFQ #46200058149.exe
        Source: RFQ #46200058149.exe, 00000000.00000002.296012696.0000000001700000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs RFQ #46200058149.exe
        Source: RFQ #46200058149.exe, 00000000.00000003.240375757.000000000507F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameGPvY NLF.exe2 vs RFQ #46200058149.exe
        Source: RFQ #46200058149.exe, 00000000.00000002.307045747.0000000008B60000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs RFQ #46200058149.exe
        Source: RFQ #46200058149.exe, 00000000.00000002.306403675.00000000076C0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs RFQ #46200058149.exe
        Source: RFQ #46200058149.exe, 00000000.00000002.306403675.00000000076C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs RFQ #46200058149.exe
        Source: RFQ #46200058149.exe, 00000007.00000003.249307167.0000000000DB1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs RFQ #46200058149.exe
        Source: RFQ #46200058149.exe, 00000007.00000000.238080626.0000000000642000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameL vs RFQ #46200058149.exe
        Source: RFQ #46200058149.exe | Binary or memory string: OriginalFilenameL vs RFQ #46200058149.exe
        Source: 00000000.00000002.301376960.000000000505E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.301376960.000000000505E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.240375757.000000000507F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.240375757.000000000507F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RFQ #46200058149.exe PID: 5340, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RFQ #46200058149.exe PID: 5340, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.RFQ #46200058149.exe.505e448.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.RFQ #46200058149.exe.505e448.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.RFQ #46200058149.exe.505e448.10.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.RFQ #46200058149.exe.505e448.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.RFQ #46200058149.exe.505e448.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.RFQ #46200058149.exe.505e448.10.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.3.RFQ #46200058149.exe.5091268.0.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.3.RFQ #46200058149.exe.5091268.0.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.3.RFQ #46200058149.exe.5091268.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: classification engine | Classification label: mal88.troj.evad.winEXE@9/11@2/3
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | File created: C:\Users\user\AppData\Local\?????????????????????????
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_01
        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5340
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{c0340967-aec0-4bf6-856f-1aecda114896}
        Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5FCE.tmp
        Source: RFQ #46200058149.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | File read: C:\Users\user\Desktop\RFQ #46200058149.exe:Zone.Identifier
        Source: unknown | Process created: C:\Users\user\Desktop\RFQ #46200058149.exe 'C:\Users\user\Desktop\RFQ #46200058149.exe'
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Process created: C:\Users\user\Desktop\RFQ #46200058149.exe C:\Users\user\Desktop\RFQ #46200058149.exe
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 2672
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Process created: C:\Users\user\Desktop\RFQ #46200058149.exe C:\Users\user\Desktop\RFQ #46200058149.exe
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: RFQ #46200058149.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: RFQ #46200058149.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: dhcpcsvc.pdb$ source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb3y source: RFQ #46200058149.exe, 00000007.00000003.443708855.00000000064D5000.00000004.00000001.sdmp
        Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RFQ #46200058149.exe, 00000000.00000002.301989509.0000000005979000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb* source: RFQ #46200058149.exe, 00000000.00000002.301989509.0000000005979000.00000004.00000001.sdmp
        Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.247025053.00000000035A1000.00000004.00000001.sdmp
        Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.ni.pdb8S source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: secur32.pdbR source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: ml.pdb? source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.247731524.0000000003595000.00000004.00000001.sdmp
        Source: Binary string: mskeyprotect.pdb=[ source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: cryptnet.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: dnsapi.pdb2 source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: winnsi.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: ml.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: clr.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: .ni.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: urlmon.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: schannel.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: RFQ #46200058149.PDBTwB source: RFQ #46200058149.exe, 00000000.00000002.293636749.00000000012F8000.00000004.00000010.sdmp
        Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.247492157.00000000035A7000.00000004.00000001.sdmp
        Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: \??\C:\Windows\mscorlib.pdb source: RFQ #46200058149.exe, 00000000.00000002.302123092.00000000059FC000.00000004.00000001.sdmp
        Source: Binary string: shcore.pdbn source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: jVisualBasic.pdb,+K source: RFQ #46200058149.exe, 00000000.00000002.293636749.00000000012F8000.00000004.00000010.sdmp
        Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000B.00000003.259007833.00000000059A0000.00000004.00000040.sdmp
        Source: Binary string: crypt32.pdbF source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: WLDP.pdbD source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: iertutil.pdbZ source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: mscorsecimpl.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: imagehlp.pdbX source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: nsi.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Core.ni.pdb8S source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: System.Configuration.pdb8S source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: webio.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: gpapi.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdbRSDS source: WER5FCE.tmp.dmp.11.dr
        Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: C:\Users\user\Desktop\RFQ #46200058149.PDB/ source: RFQ #46200058149.exe, 00000000.00000002.293636749.00000000012F8000.00000004.00000010.sdmp
        Source: Binary string: iertutil.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: cryptsp.pdbL source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: System.pdb?W source: WerFault.exe, 0000000B.00000003.258734874.000000000581E000.00000004.00000001.sdmp
        Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: ucrtbase.pdb_ source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: mscorlib.pdb source: RFQ #46200058149.exe, 00000000.00000002.301971445.0000000005960000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: comctl32v582.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: RFQ #46200058149.exe, 00000007.00000003.443708855.00000000064D5000.00000004.00000001.sdmp
        Source: Binary string: System.ni.pdb8S source: WerFault.exe, 0000000B.00000003.258734874.000000000581E000.00000004.00000001.sdmp
        Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.247025053.00000000035A1000.00000004.00000001.sdmp
        Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER5FCE.tmp.dmp.11.dr
        Source: Binary string: urlmon.pdbh source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: secur32.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.259007833.00000000059A0000.00000004.00000040.sdmp
        Source: Binary string: rasapi32.pdb> source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.ni.pdbRSDS source: WER5FCE.tmp.dmp.11.dr
        Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: ml.ni.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: schannel.pdb^ source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.ni.pdbT3#l source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Core.ni.pdbRSDSD source: WER5FCE.tmp.dmp.11.dr
        Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.pdb-3853321935-2125563209-4053062332-1002_Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler source: RFQ #46200058149.exe, 00000007.00000003.425042337.00000000064DB000.00000004.00000001.sdmp
        Source: Binary string: wmswsock.pdbl source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: Kernel.Appcore.pdb! source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: .pdb, source: RFQ #46200058149.exe, 00000000.00000002.293636749.00000000012F8000.00000004.00000010.sdmp
        Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: wUxTheme.pdbt source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdb8S source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: jLC:\Windows\Microsoft.VisualBasic.pdb source: RFQ #46200058149.exe, 00000000.00000002.293636749.00000000012F8000.00000004.00000010.sdmp
        Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: fwpuclnt.pdb8 source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: iphlpapi.pdbf source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: comctl32v582.pdb=R source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: winhttp.pdb* source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: propsys.pdb@ source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: rtutils.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.pdbx source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.247731524.0000000003595000.00000004.00000001.sdmp
        Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Core.pdb8S source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: cabinet.pdb` source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: System.ni.pdbRSDS source: WER5FCE.tmp.dmp.11.dr
        Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: cabinet.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: rasman.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: Microsoft.VisualBasic.pdb0 source: WER5FCE.tmp.dmp.11.dr
        Source: Binary string: mscorlib.pdb853321935-2125563209-4053062332-1002_Classes\WOW6432Node\CLSID\{9ac9fbe1-e0a2-4ad6-b4ee-e212013ea917}\InprocServer32 source: RFQ #46200058149.exe, 00000000.00000002.301971445.0000000005960000.00000004.00000001.sdmp
        Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: nsi.pdb=[ source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: version.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: onfiguration.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: System.pdb source: WerFault.exe, 0000000B.00000003.258734874.000000000581E000.00000004.00000001.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: ore.ni.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: ore.pdb source: WerFault.exe, 0000000B.00000003.258748661.0000000005803000.00000004.00000001.sdmp
        Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: psapi.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Windows.Forms.pdb8S source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: cldapi.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.247492157.00000000035A7000.00000004.00000001.sdmp
        Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: powrprof.pdbT source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: CLBCatQ.pdbz source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000B.00000002.293261949.0000000005AE0000.00000004.00000001.sdmp
        Source: Binary string: System.Xml.pdb8 source: WER5FCE.tmp.dmp.11.dr
        Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: System.Configuration.ni.pdb8S source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: System.Xml.pdb8S source: WerFault.exe, 0000000B.00000003.258677475.0000000005801000.00000004.00000001.sdmp
        Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp, WER5FCE.tmp.dmp.11.dr
        Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000B.00000003.258514359.00000000059A8000.00000004.00000040.sdmp
        Source: Binary string: edputil.pdb source: WerFault.exe, 0000000B.00000003.258477287.00000000059AE000.00000004.00000040.sdmp
        Source: RFQ #46200058149.exe | Static PE information: 0xB5100D24 [Mon Apr 5 21:20:36 2066 UTC]

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | File opened: C:\Users\user\Desktop\RFQ #46200058149.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeWindow / User API: threadDelayed 5436
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeWindow / User API: threadDelayed 3942
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeWindow / User API: foregroundWindowGot 651
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeWindow / User API: foregroundWindowGot 762
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe TID: 2268Thread sleep time: -30000s >= -30000s
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe TID: 576Thread sleep time: -8301034833169293s >= -30000s
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeThread delayed: delay time: 922337203685477
        Source: RFQ #46200058149.exe, 00000000.00000002.303465347.00000000061E0000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.292803664.0000000005570000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: RFQ #46200058149.exe, 00000000.00000003.239094814.000000000599C000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.288279848.00000000035AB000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
        Source: WerFault.exe, 0000000B.00000002.292789920.0000000005447000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW(
        Source: RFQ #46200058149.exe, 00000000.00000002.303465347.00000000061E0000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.292803664.0000000005570000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: RFQ #46200058149.exe, 00000000.00000002.303465347.00000000061E0000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.292803664.0000000005570000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: RFQ #46200058149.exe, 00000000.00000003.239094814.000000000599C000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW8bQ
        Source: RFQ #46200058149.exe, 00000000.00000002.303465347.00000000061E0000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.292803664.0000000005570000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\RFQ #46200058149.exeProcess information queried: ProcessInformation

        Anti Debugging:

        Hides threads from debuggers
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Thread information set: HideFromDebugger (identical entry listed 17 times)
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Process queried: DebugPort (listed twice)
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Process token adjusted: Debug (listed twice)
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Memory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Process created: C:\Users\user\Desktop\RFQ #46200058149.exe C:\Users\user\Desktop\RFQ #46200058149.exe
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Queries volume information: C:\Users\user\Desktop\RFQ #46200058149.exe VolumeInformation (listed twice)
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation (listed twice)
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation (listed twice)
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct (the following three queries are each listed 16 times)
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\RFQ #46200058149.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000000.00000002.301376960.000000000505E000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.240375757.000000000507F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: RFQ #46200058149.exe PID: 5340, type: MEMORY
        Source: Yara match | File source: 0.2.RFQ #46200058149.exe.505e448.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.RFQ #46200058149.exe.505e448.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.RFQ #46200058149.exe.5091268.0.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: RFQ #46200058149.exe, 00000000.00000002.301376960.000000000505E000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: RFQ #46200058149.exe, 00000007.00000003.249307167.0000000000DB1000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000000.00000002.301376960.000000000505E000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.240375757.000000000507F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: RFQ #46200058149.exe PID: 5340, type: MEMORY
        Source: Yara match | File source: 0.2.RFQ #46200058149.exe.505e448.10.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.RFQ #46200058149.exe.505e448.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.RFQ #46200058149.exe.5091268.0.raw.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation1 | Path Interception | Process Injection11 | Masquerading1 | OS Credential Dumping | Query Registry1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Security Software Discovery131 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Remote Access Software1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion141 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection11 | NTDS | Virtualization/Sandbox Evasion141 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol2 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories1 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol3 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Timestomp1 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery12 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

        Behavior Graph

        (interactive behavior graph not reproduced in this text version; legend omitted)

        Screenshots

        (screenshot thumbnails not reproduced in this text version)

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        No Antivirus matches

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

Each URL below appears three times in the report with an identical 0% URL Reputation verdict of "safe" (one row per lookup); the three rows are collapsed into one here. The Link column is empty in the report and is omitted. Several URLs are cut off at the sandbox's string-length limit and are reproduced as truncated.

Source | Detection | Scanner | Label
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818. | 0% | URL Reputation (x3) | safe
https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg | 0% | URL Reputation (x3) | safe
https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668 | 0% | URL Reputation (x3) | safe
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02- | 0% | URL Reputation (x3) | safe
https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837 | 0% | URL Reputation (x3) | safe
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690 | 0% | URL Reputation (x3) | safe
https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803. | 0% | URL Reputation (x3) | safe
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp | 0% | URL Reputation (x3) | safe
https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03- | 0% | URL Reputation (x3) | safe
https://www.liverpool.com/all-about/premier-league | 0% | URL Reputation (x3) | safe
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg | 0% | URL Reputation (x3) | safe
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png | 0% | URL Reputation (x3) | safe
https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03- | 0% | URL Reputation (x3) | safe
https://www.liverpool.com/liverpool-fc-news/ | 0% | URL Reputation (x3) | safe
https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154 | 0% | URL Reputation (x3) | safe
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837. | 0% | URL Reputation (x3) | safe
https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850 | 0% | URL Reputation (x3) | safe
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02 | 0% | URL Reputation (x3) | safe
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg | 0% | URL Reputation (x3) | safe
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png | 0% | URL Reputation (x3) | safe
https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876 | 0% | URL Reputation (x3) | safe
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg | 0% | URL Reputation (x3) | safe
https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166 | 0% | URL Reputation (x3) | safe
https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst | 0% | URL Reputation (x3) | safe
https://reachplc.hub.loginradius.com" | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png | 0% | URL Reputation (x3) | safe
https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03- | 0% | URL Reputation (x3) | safe
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818. | 0% | URL Reputation (x3) | safe
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690 | 0% | URL Reputation (x3) | safe
https://s2-prod.liverpool.com | 0% | URL Reputation (x3) | safe
https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816 | 0% | URL Reputation (x3) | safe
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837 | 0% | URL Reputation (x3) | safe
https://i2-prod.liverpool.com | 0% | URL Reputation (x3) | safe
https://felix.data.tm-awx.com/felix.min.js | 0% | URL Reputation (x3) | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
myliverpoolnews.cf | 172.67.150.212 | true | false | (none) | unknown

172.67.150.212 lies in Cloudflare's 172.64.0.0/13 range, so it is a shared reverse-proxy address rather than infrastructure owned by the operator; the domain, not the IP, is the usable network indicator, and blocking the address would also affect unrelated Cloudflare-fronted sites.

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FE6EFB3AED9F05224C930BEF8BE1CC20.html | false | Avira URL Cloud: safe | unknown

This is the only external endpoint the sample contacted. A single "safe" verdict from one URL scanner and a reputation of "unknown" say nothing about the intent of a freshly registered .cf domain; the URL should be treated as the sample's download or check-in location until the fetched content has been examined.
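When working through a report like this one, the useful step is to separate the endpoint the sample actually reached on the wire from the hundreds of URL strings the sandbox carved out of process memory, most of which are web content or runtime constants. The following is an added example by the editor, not code from the Joe Sandbox report or its tooling. The input rows are constructed from the tables in this report (the contacted URL above and a handful of entries from the memory-string list that follows); the three categories and the list of hosts treated as runtime constants are the editor's own triage heuristic, not anything the report states.

```python
"""Triage URL strings carved from sandbox process memory (editor's example).

Input: (raw_string, source_process) pairs copied from the report, as the
sandbox extracted them: some are truncated, one carries a trailing JSON
quote, and two WerFault.exe strings are two adjacent .NET constants fused
by a stray character. Output: hostnames grouped as
  contacted        - resolved/fetched on the wire per the sandbox's own
                     network log; the real indicators
  runtime-constant - .NET ClaimTypes URIs and schema.org JSON-LD vocab,
                     present in almost any .NET or web-content dump
  memory-only      - everything else; seen in memory, never contacted,
                     needs an analyst to decide (here: assets of the
                     page the sample downloaded)
"""
import re
from urllib.parse import urlsplit

# Editor's assumption: hosts that are never indicators on their own.
BENIGN_HOSTS = {"schemas.xmlsoap.org", "schema.org"}

# From the report's "Contacted Domains" table.
CONTACTED_HOSTS = {"myliverpoolnews.cf"}

# Constructed sample rows, copied from the report's URL tables.
MEMORY_URLS = [
    ("http://myliverpoolnews.cf/liverpool-fc-news/features/"
     "steven-gerrard-liverpool-future-dalglish--goal-", "RFQ #46200058149.exe"),
    ("https://i2-prod.liverpool.com/incoming/article19938370.ece/"
     "ALTERNATES/s180/0_Salah-Pressing.jpg", "RFQ #46200058149.exe"),
    ("https://c.amazon-adsystem.com/aax2/apstag.js", "RFQ #46200058149.exe"),
    ("https://felix.data.tm-awx.com/felix.min.js", "RFQ #46200058149.exe"),
    ('https://reachplc.hub.loginradius.com"', "RFQ #46200058149.exe"),
    ("http://schema.org/NewsArticle", "RFQ #46200058149.exe"),
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthr"
     "http://schemas.xmlsoap.org/ws/2005", "WerFault.exe"),
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "WerFault.exe"),
]

_SCHEME = re.compile(r"https?://")


def split_fused(raw):
    """Split a carved string that holds several URLs run together.

    String carving stops at a NUL; two URLs separated by a single non-NUL
    byte come out as one string ('...dateofbirthrhttp://...'). Each piece
    starts at a scheme; a trailing quote left over from JSON/HTML is dropped.
    """
    starts = [m.start() for m in _SCHEME.finditer(raw)]
    if not starts:
        return []
    ends = starts[1:] + [len(raw)]
    return [raw[a:b].rstrip("\"'") for a, b in zip(starts, ends)]


def host_of(url):
    """Hostname of a (possibly truncated) URL, or '' if none."""
    return urlsplit(url).hostname or ""


def classify(host):
    """Bucket a hostname using the wire log first, then the benign list."""
    if host in CONTACTED_HOSTS:
        return "contacted"
    if host in BENIGN_HOSTS:
        return "runtime-constant"
    return "memory-only"


def triage(rows):
    """Return {category: sorted unique hostnames} for the carved strings."""
    buckets = {"contacted": set(), "runtime-constant": set(), "memory-only": set()}
    for raw, _source in rows:
        for url in split_fused(raw):
            host = host_of(url)
            if host:
                buckets[classify(host)].add(host)
    return {name: sorted(hosts) for name, hosts in buckets.items()}


if __name__ == "__main__":
    for category, hosts in triage(MEMORY_URLS).items():
        print(f"{category:17s} {', '.join(hosts)}")
```

The ordering in `classify` matters: the wire log wins over any allow-list, so a benign-looking host that the sample actually contacted still surfaces as an indicator. The memory-only bucket is not a verdict; for this sample it holds liverpool.com assets and ad scripts that match the path of the page fetched from myliverpoolnews.cf, which is what makes the contacted URL, rather than those hosts, the thing to hunt for.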

          URLs from Memory and Binaries

Columns: Name | Source | Malicious | Antivirus Detection | Reputation. The Source column names the process and memory dump the string was carved from; the four dumps that occur are abbreviated as follows:

A = RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp
B = RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmp
C = RFQ #46200058149.exe, 00000000.00000002.296513368.0000000003291000.00000004.00000001.sdmp
W = WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmp

"URL Reputation: safe (x3)" collapses the three identical URL Reputation rows the report lists for each such entry. The http://schemas.xmlsoap.org/ws/2005/05/identity/claims/* strings are the .NET ClaimTypes constants (System.Security.Claims / System.IdentityModel) and the schema.org strings are JSON-LD vocabulary from web content; neither is an indicator of the sample's behaviour. Several WerFault.exe entries show two such constants fused by a stray character (for example "...dateofbirthrhttp://..."), an artifact of string carving, and are reproduced as extracted. The liverpool.com asset, ad-script and schema.org strings in the sample's own memory match the article path of the page fetched from myliverpoolnews.cf (see Contacted URLs), consistent with the downloaded HTML being held in the process.

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005 | W | false | (none) | high
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818. | A | false | URL Reputation: safe (x3) | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200 | W | false | (none) | high
https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg | A | false | URL Reputation: safe (x3) | unknown
https://c.amazon-adsystem.com/aax2/apstag.js | A | false | (none) | high
https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668 | A | false | URL Reputation: safe (x3) | unknown
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02- | A | false | URL Reputation: safe (x3) | unknown
https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837 | A | false | URL Reputation: safe (x3) | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince | W | false | (none) | high
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690 | A | false | URL Reputation: safe (x3) | unknown
https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803. | A | false | URL Reputation: safe (x3) | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication | W | false | (none) | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o | W | false | (none) | high
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp | A | false | URL Reputation: safe (x3) | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | W | false | (none) | high
https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03- | A | false | URL Reputation: safe (x3) | unknown
https://www.liverpool.com/all-about/premier-league | A | false | URL Reputation: safe (x3) | unknown
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg | A, B | false | URL Reputation: safe (x3) | unknown
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png | A | false | URL Reputation: safe (x3) | unknown
https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03- | A | false | URL Reputation: safe (x3) | unknown
https://www.liverpool.com/liverpool-fc-news/ | A | false | URL Reputation: safe (x3) | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o | W | false | (none) | high
https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154 | A | false | URL Reputation: safe (x3) | unknown
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837. | A | false | URL Reputation: safe (x3) | unknown
https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850 | A | false | URL Reputation: safe (x3) | unknown
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02 | A | false | URL Reputation: safe (x3) | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | C, W | false | (none) | high
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg | A | false | URL Reputation: safe (x3) | unknown
https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js | A | false | (none) | high
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png | A | false | URL Reputation: safe (x3) | unknown
https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876 | A | false | URL Reputation: safe (x3) | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | W | false | (none) | high
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg | A | false | URL Reputation: safe (x3) | unknown
https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166 | A | false | URL Reputation: safe (x3) | unknown
https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst | A | false | URL Reputation: safe (x3) | unknown
https://reachplc.hub.loginradius.com" | A | false | Avira URL Cloud: safe | low
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png | A | false | URL Reputation: safe (x3) | unknown
https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03- | A | false | URL Reputation: safe (x3) | unknown
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818. | A | false | URL Reputation: safe (x3) | unknown
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690 | A | false | URL Reputation: safe (x3) | unknown
https://s2-prod.liverpool.com | A | false | URL Reputation: safe (x3) | unknown
https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816 | A | false | URL Reputation: safe (x3) | unknown
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837 | A | false | URL Reputation: safe (x3) | unknown
https://i2-prod.liverpool.com | A | false | URL Reputation: safe (x3) | unknown
https://felix.data.tm-awx.com/felix.min.js | A | false | URL Reputation: safe (x3) | unknown
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg | A | false | URL Reputation: safe (x3) | unknown
https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03- | A | false | URL Reputation: safe (x3) | unknown
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg | A | false | URL Reputation: safe (x3) | unknown
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690. | A | false | URL Reputation: safe (x3) | unknown
https://www.liverpool.com/all-about/ozan-kabak | A | false | URL Reputation: safe (x3) | unknown
https://s2-prod.mirror.co.uk/ | A | false | URL Reputation: safe (x3) | unknown
http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal- | C | false | Avira URL Cloud: safe | unknown
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02- | A | false | URL Reputation: safe (x3) | unknown
https://www.liverpool.com/all-about/champions-league | A | false | URL Reputation: safe (x3) | unknown
https://www.liverpool.com/all-about/curtis-jones | A, B | false | URL Reputation: safe (x3) | unknown
https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03- | A | false | URL Reputation: safe (x3) | unknown
https://www.liverpool.com/all-about/steven-gerrard | A | false | URL Reputation: safe (x3) | unknown
https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616 | A | false | URL Reputation: safe (x3) | unknown
https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03- | A | false | URL Reputation: safe (x3) | unknown
https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391 | A | false | URL Reputation: safe (x3) | unknown
http://schema.org/NewsArticle | A | false | (none) | high
https://www.liverpool.com/schedule/ | A | false | URL Reputation: safe (x3) | unknown
http://schema.org/BreadcrumbList | A | false | |
                                    high
                                    https://securepubads.g.doubleclick.net/tag/js/gpt.jsRFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                      high
                                      https://s2-prod.liverpool.com/RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://felix.data.tm-awx.com/ampconfig.json&quot;RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpgRFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp, RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpgRFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpgRFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20WerFault.exe, 0000000B.00000003.256378861.0000000005B20000.00000004.00000001.sdmpfalse
                                        high
                                        https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp, RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpgRFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmp, RFQ #46200058149.exe, 00000000.00000002.296661281.00000000032FE000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://schema.org/ListItemRFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                          high
                                          https://www.liverpool.com/all-about/georginio-wijnaldumRFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://myliverpoolnews.cf4RFQ #46200058149.exe, 00000000.00000002.296563326.00000000032CF000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://mab.data.tm-awx.com/rhs&quot;RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://felix.data.tm-awx.comRFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://www.liverpool.com/all-about/andrew-robertsonRFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://i2-prod.liverpool.com/incoming/article17166876.ece/ALTERNATES/s615/0_GettyImages-1175998874.RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://www.liverpool.com/liverpool-fc-news/features/liverpool-gini-wijnaldum-rumours-fitness-199533RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-199590RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s180/0_GettyImages-1304940818.RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://www.liverpool.com/RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://myliverpoolnews.cfRFQ #46200058149.exe, 00000000.00000002.296513368.0000000003291000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.liverpool.com/all-about/transfersRFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763&RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpgRFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpgRFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://reach-id.orbit.tm-awx.com/analytics.js.gzRFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://github.com/ded/script.jsRFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                            high
                                            https://www.liverpool.com/liverpool-fc-news/features/liverpool-barcelona-real-madrid-psg-17164868RFQ #46200058149.exe, 00000000.00000003.225747726.0000000004479000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown

                                            Contacted IPs


                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
45.15.143.169 | unknown | Latvia | 35913 | DEDIPATH-LLCUS | true
172.67.150.212 | myliverpoolnews.cf | United States | 13335 | CLOUDFLARENETUS | false

                                            Private

                                            IP
                                            192.168.2.1

                                            General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383193
Start date: 07.04.2021
Start time: 13:01:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 9s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: RFQ #46200058149.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal88.troj.evad.winEXE@9/11@2/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 76.9% (good quality ratio 52.3%)
• Quality average: 31.8%
• Quality standard deviation: 22%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                            • TCP Packets have been reduced to 100
                                            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                            • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 93.184.220.29, 20.50.102.62, 23.54.113.53, 23.0.174.200, 23.0.174.185, 95.100.54.203, 104.42.151.234, 104.43.193.48, 13.88.21.125, 23.10.249.26, 23.10.249.43, 20.54.26.129
                                            • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryAttributesFile calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                            • Report size getting too big, too many NtSetInformationFile calls found.

                                            Simulations

                                            Behavior and APIs

Time | Type | Description
13:02:05 | API Interceptor | 1015x Sleep call for process: RFQ #46200058149.exe modified
13:02:36 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

                                            Joe Sandbox View / Context

                                            IPs

Match | Associated Sample Name / URL | Detection | Context
Match: 172.67.150.212
Payment Slip E05060_47.doc | malicious
• myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-3764A540BD56887B40989BBA8472B701.html
New Orders.exe | malicious
• myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-28D56F639751140E7A008217BE126C8D.html
DHL_document11022020680908911.exe | malicious
• myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html
BL8846545545363.exe | malicious
• myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-B7B18D8B53846C51E3D2182818196100.html
BL84995005038483.exe | malicious
• myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-994F3BB06F4A7FE8F60B83F74A076F10.html

                                            Domains

Match | Associated Sample Name / URL | Detection | Context
Match: myliverpoolnews.cf
Payment Slip E05060_47.doc | malicious
• 104.21.56.119
New Orders.exe | malicious
• 172.67.150.212
Download Report.06.05.2021.exe | malicious
• 104.21.56.119
BL836477488575.exe | malicious
• 104.21.56.119
DHL_document11022020680908911.exe | malicious
• 172.67.150.212
BL8846545545363.exe | malicious
• 172.67.150.212
VMtEguRH.exe | malicious
• 104.21.56.119
BL84995005038483.exe | malicious
• 172.67.150.212

                                            ASN

Match | Associated Sample Name / URL | Detection | Context
Match: DEDIPATH-LLCUS
LM_QUOTE757860PDF.exe | malicious
• 45.15.143.178
PO_4000010871_RFQ_PRS_1000024753_RM.exe | malicious
• 213.59.118.134
OBJEDNAT.scr.exe | malicious
• 45.144.225.107
QFSN0331PDF.exe | malicious
• 45.144.225.66
GBNv7C8xNt.exe | malicious
• 45.144.225.167
SWIFTCOPY_110255293303484_SANTANDER.doc | malicious
• 45.144.225.167
receiptpdf.exe | malicious
• 74.201.28.50
4FNTlzlu10.exe | malicious
• 45.133.1.139
7Q1bVVkIIL.exe | malicious
• 45.133.1.139
GMC77273992277382993PDF.exe | malicious
• 45.133.1.59
ajESKcIz8f.exe | malicious
• 45.133.1.139
7ua1kNyteq.exe | malicious
• 45.144.225.66
mHL0xKXQHT.exe | malicious
• 74.201.28.35
receiptpdf.exe | malicious
• 74.201.28.35
QGFG0322PDF.exe | malicious
• 45.144.225.66
h6uc8EaDQX.exe | malicious
• 74.201.28.35
9MyoOYNXKe.exe | malicious
• 103.124.106.203
iz8AtqlQeh.exe | malicious
• 103.124.106.203
dd7211d8c5d8b0e6290b9eb79787d64b73a91bde129cc.exe | malicious
• 103.124.106.203
862e41d1ddfa72722af62eb35aac11970ed21b6a7f01c.exe | malicious
• 103.124.106.203
Match: CLOUDFLARENETUS
Invoice,PDF.exe.exe | malicious
• 172.67.188.154
606d810b8ff92.pdf.dll | malicious
• 104.20.185.68
Lista e porosive te blerjes.exe | malicious
• 162.159.134.233
testfile_load.docm | malicious
• 104.23.99.190
testfile_load.docm | malicious
• 104.23.99.190
testfile_load.docm | malicious
• 104.23.98.190
syscshost.dll | malicious
• 104.20.185.68
invoice.exe | malicious
• 172.67.160.234
syscshost.dll | malicious
• 104.20.184.68
Payment Slip E05060_47.doc | malicious
• 172.67.188.154
New Orders.exe | malicious
• 172.67.150.212
Download Report.06.05.2021.exe | malicious
• 104.21.56.119
PROFORMA INVOICE.exe | malicious
• 104.21.19.200
payment.exe | malicious
• 104.21.48.97
BL836477488575.exe | malicious
• 104.21.56.119
RFQ_AP65425652_032421 v#U00e1#U00ba#U00a5n #U00c4#U2018#U00e1#U00bb ,pdf.exe | malicious
• 172.65.227.72
DHL_document11022020680908911.exe | malicious
• 172.67.150.212
DHL_document11022020680908911.doc.exe | malicious
• 104.21.15.11
Confirmation_(#1422) DEKRA order,pdf.exe | malicious
• 104.21.19.200
BL8846545545363.exe | malicious
• 172.67.150.212

                                            JA3 Fingerprints

                                             Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                             54328bd36c14bd82ddaa0c04b25ed9ad
                                             Invoice,PDF.exe.exe | Get hash | malicious | Browse
                                             • 172.67.150.212
                                             testfile_load.docm | Get hash | malicious | Browse
                                             • 172.67.150.212
                                             New Orders.exe | Get hash | malicious | Browse
                                             • 172.67.150.212
                                             Download Report.06.05.2021.exe | Get hash | malicious | Browse
                                             • 172.67.150.212
                                             PROFORMA INVOICE.exe | Get hash | malicious | Browse
                                             • 172.67.150.212
                                             BL836477488575.exe | Get hash | malicious | Browse
                                             • 172.67.150.212
                                             DHL_document11022020680908911.exe | Get hash | malicious | Browse
                                             • 172.67.150.212
                                             Confirmation_(#1422) DEKRA order,pdf.exe | Get hash | malicious | Browse
                                             • 172.67.150.212
                                             BL8846545545363.exe | Get hash | malicious | Browse
                                             • 172.67.150.212
                                             ATTACHED.exe | Get hash | malicious | Browse
                                             • 172.67.150.212
                                             Urgent RFQ_AP65425652_040621,pdf.exe | Get hash | malicious | Browse
                                             • 172.67.150.212
                                             OVERVIEW .pdf.exe | Get hash | malicious | Browse
                                             • 172.67.150.212
                                             PURCHASE ORDER - XIFFA55.PDF.exe | Get hash | malicious | Browse
                                             • 172.67.150.212
                                             doc20192910887888001990.exe | Get hash | malicious | Browse
                                             • 172.67.150.212
                                             BL84995005038483.exe | Get hash | malicious | Browse
                                             • 172.67.150.212
                                             ATTACHED.exe | Get hash | malicious | Browse
                                             • 172.67.150.212
                                             ej 9999999.exe | Get hash | malicious | Browse
                                             • 172.67.150.212
                                             DHL FINAL REMINDER PDF.exe | Get hash | malicious | Browse
                                             • 172.67.150.212
                                             WSU0LJSL.exe | Get hash | malicious | Browse
                                             • 172.67.150.212
                                             RFQ 100400806 SUPPLY.exe | Get hash | malicious | Browse
                                             • 172.67.150.212

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_RFQ #46200058149_b4d3e1611dc98a70f1fcdf76f5b66818af29bc_427b5a83_156ea880\Report.wer
                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):17670
                                            Entropy (8bit):3.7667567847033796
                                            Encrypted:false
                                            SSDEEP:192:EsusamHBUZMXiaKswHQ7V+N/u7sKS274ItEj:nusLBUZMXiafVq/u7sKX4ItEj
                                            MD5:5888DFCFA3A345C6C0ED4A4C0AE3669C
                                            SHA1:9AE3573BD8339DFCB3A0A4D80B83E1A4322B583B
                                            SHA-256:5AC91C9A6D9D61265AA99FB8ABDAA7E5A03519AE22E2281846A86B1DAEF0E972
                                            SHA-512:1F2FAB5B222A3042E060E51101468BDD0FAA0EB429A87D44A346AD901A15ECC10D6A64D19047D7A7658ECC4CBD15DF438ADBB2C26F94AE86968C6008D4FE91E0
                                            Malicious:false
                                            Reputation:low
                                            Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.2.2.9.9.3.3.7.9.6.1.2.1.4.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.2.2.9.9.3.4.6.9.6.1.2.0.9.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.7.7.d.2.4.8.2.-.c.6.b.e.-.4.2.f.f.-.a.f.b.4.-.f.7.d.5.5.8.4.4.7.6.6.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.d.6.6.5.7.b.4.-.9.3.f.7.-.4.a.3.d.-.9.0.4.0.-.c.4.8.d.6.9.8.a.e.2.2.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.F.Q. .#.4.6.2.0.0.0.5.8.1.4.9...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.d.c.-.0.0.0.1.-.0.0.1.6.-.1.4.9.0.-.2.d.e.1.e.8.2.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.0.f.9.2.6.1.f.e.0.9.3.f.0.9.6.7.f.4.0.3.5.d.3.c.4.e.d.3.d.a.f.0.0.0.0.0.0.0.0.!.0.0.0.0.a.7.c.7.9.e.e.a.a.a.f.b.2.3.e.8.e.4.0.4.5.7.c.d.5.d.4.4.c.6.1.1.4.8.c.d.1.f.5.f.!.R.F.Q. .#.4.6.2.0.0.0.5.8.1.4.9...
                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER5FCE.tmp.dmp
                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                            File Type:Mini DuMP crash report, 15 streams, Wed Apr 7 20:02:21 2021, 0x1205a4 type
                                            Category:dropped
                                            Size (bytes):340719
                                            Entropy (8bit):3.5620041721378817
                                            Encrypted:false
                                            SSDEEP:3072:6HZoYCbg0Sjd+pMQb2jJy3ykjL9gIOgF5iH770E2UCgURsv46cSvg:65B0/pMQCjJyL9RpDu77aTjC4PS4
                                            MD5:69DDCB125A35756BE7455B158AC8DAF4
                                            SHA1:6600B884D4998A872C19A9769B0BD0CDB0DC64CB
                                            SHA-256:477F80FAED13F4DEC72F161D5EC9137D9B9180711A4263F60F3829E0B40106D9
                                            SHA-512:EDB6FE968D7448ED4FB8E46679B9FA0454E8B7DB4502B5830A550FECBAB0E46C44E2359F04A8B5D756713E82F2C96031EEE5D58F53023C01D07058D7C9752694
                                            Malicious:false
                                            Reputation:low
                                            Preview: MDMP....... .........n`...................U...........B......t2......GenuineIntelW...........T.............n`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER7357.tmp.WERInternalMetadata.xml
                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):8446
                                            Entropy (8bit):3.699510585522676
                                            Encrypted:false
                                            SSDEEP:192:Rrl7r3GLNiEB68W6YI+SUzWgmfZjS8CprS389bpGIsf0jm:RrlsNi6616YxSUzWgmfdS2opG7ft
                                            MD5:BAF97A62AF5099FE2DB41A84129D1031
                                            SHA1:6006C7931A377B8CEFE399C665BD77BCEC0A76DB
                                            SHA-256:7BC029A886D38196F155DD4139935F106538DFF03AE26962923E58BC9C0CC269
                                            SHA-512:29E433A564A995800226574893BF52051246A32FDD2BDB65D44D090761ED2B83707A35C7B45671230B0947BB47E4D66C3C73B16334DAF296890F760D2B45F029
                                            Malicious:false
                                            Reputation:low
                                            Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.4.0.<./.P.i.d.>.......
                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER758B.tmp.xml
                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):4731
                                            Entropy (8bit):4.482281240674152
                                            Encrypted:false
                                            SSDEEP:48:cvIwSD8zstJgtWI9k6WSC8BP8fm8M4JIedFFxd2+q8vCdt82t0tFd:uITfHL7SNGJIePd2KCb82t0tFd
                                            MD5:1E1EC12AA951A86B2FA813C6E3F36375
                                            SHA1:1C0AD65B2C7E1E0FE56CDFE10D1D1FA09E575407
                                            SHA-256:6A4987CE144499CF985F971C29CCB1E12F8C7BB2F4DE3FBE050A727145DF8227
                                            SHA-512:E062A1BED8B9CEA071C707D1EB055CF13DE1E9534CDF66A66A0FD955CCC37BEF516CA84E6DA2421260FD25338E4C9B32697493CFF9D081553136D97142DCA500
                                            Malicious:false
                                            Reputation:low
                                            Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="936313" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                            C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                            Process:C:\Users\user\Desktop\RFQ #46200058149.exe
                                            File Type:Microsoft Cabinet archive data, 58596 bytes, 1 file
                                            Category:dropped
                                            Size (bytes):58596
                                            Entropy (8bit):7.995478615012125
                                            Encrypted:true
                                            SSDEEP:1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
                                            MD5:61A03D15CF62612F50B74867090DBE79
                                            SHA1:15228F34067B4B107E917BEBAF17CC7C3C1280A8
                                            SHA-256:F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
                                            SHA-512:5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview: MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>.*.V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..|0.+?.`-../.xvy..e......w.+^...w|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g|.z..+.D8.m..F .h...*.........ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.
                                            C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                            Process:C:\Users\user\Desktop\RFQ #46200058149.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):326
                                            Entropy (8bit):3.1292511123011737
                                            Encrypted:false
                                            SSDEEP:6:kKPekO/kwTJ0N+SkQlPlEGYRMY9z+4KlDA3RUe0ht:nekO/kwTJrkPlE99SNxAhUe0ht
                                            MD5:566306A7B32BC696CCCB0443B513A4B5
                                            SHA1:769810CD8F1F25E0FAD2CF6221B42918FA6B1972
                                            SHA-256:06DFE7E16529D27A6405F5D9DBAC3B31AB779717365A0EFD53CA64C413191525
                                            SHA-512:34C0BED6B312B088C44E7DAF4CA80B0DBAF2162E4838536663F1DA5E944B21AB49D820F04CF26024D67CDFA8228BA7273CE592A4CA09A68455E6028CF1F4AE41
                                            Malicious:false
                                            Reputation:low
                                            Preview: p...... .............+..(....................................................... ...................$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.8.f.4.f.3.f.6.f.d.7.1.:.0."...
                                            C:\Users\user\AppData\Local\?????????????????????????\RFQ_#46200058149.exe_Url_ctkhc4ktipcqngjefh42yihypvjrfm5z\3.371.288.95\a3kbdic0.newcfg
                                            Process:C:\Users\user\Desktop\RFQ #46200058149.exe
                                            File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                            Category:modified
                                            Size (bytes):945388
                                            Entropy (8bit):3.114389457588161
                                            Encrypted:false
                                            SSDEEP:12288:67bFG6l5E7Vf8aHI8gbSzj4Dhnnp04aHLlw9FuU/y3gZWa1upW35rhlQTK38Fc1d:sPGp+Ho+g2ES
                                            MD5:1B71DDAEDCDCF1617179B1495973F5A7
                                            SHA1:AB9175FA1026C6A2464B34B7A920E5934280539E
                                            SHA-256:27839F3489FDCF1E603F4AF3997C1FE53C05F1E45E50119EBE14F090C53DD9A3
                                            SHA-512:C0C5B70CC395614F754C115F96ACF48DECA3773AE83EDC8A211D88BB8BD1D8D214F814777E643A43448AA071A92D3D72161D1938613CC43F44B2A756C86255FA
                                            Malicious:false
                                            Reputation:low
                                            Preview: <?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >.. <section name=".........................._x148A__x1484__x1475__x147F__x148A__x1487__x1483__x1469__x1462__x1455__x1454__x1453__x1456__x145F__x1461__x1469__x1484__x146B__x1453__x1462__x1488__x145D__x1456__x1487__x147A__x147C__x1457__x1460__x1480__x1462__x1466__x1479__x147C__x1453__x147A__x148B__x147B__x1467__x1481__x1475__x1474__x148B__x145A__x1489__x1459__x147D_" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />.. </sectionGroup>.. </configSections>.. <userSettings>.. <...................
                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                            Process:C:\Users\user\Desktop\RFQ #46200058149.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):1856
                                            Entropy (8bit):7.024371743172393
                                            Encrypted:false
                                            SSDEEP:48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCr
                                            MD5:838CD9DBC78EA45A5406EAE23962086D
                                            SHA1:C8273AACDEE03AC0CDCDDBAA83F51D04D6A4203C
                                            SHA-256:6E11A62511C5BBC0413128305069B780C448684B54FAA3E8DD0B4FD3DB8C9867
                                            SHA-512:F7D25EF1FA6F50667DD6785CC774E0AA6BC52A2231FE96E7C59D14EFDFDDA076F6399288CF6EAC8EFA8A75727893432AA155DA0E392F8CD1F26C5C5871EAC6B5
                                            Malicious:false
                                            Reputation:low
                                            Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                            Process:C:\Users\user\Desktop\RFQ #46200058149.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):8
                                            Entropy (8bit):3.0
                                            Encrypted:false
                                            SSDEEP:3:EP:0
                                            MD5:AB92503DEE5748FC157D27383948CF90
                                            SHA1:0862273CB0A15EBF25A202CB5133CFD7AC3CA046
                                            SHA-256:BACCF15FA5F39978F57BB22FF66B9891401442DA29DD4E3B3E2C70E4B762F76C
                                            SHA-512:B58988E01FEF2E02B80268A13FC03086508BA297FD77B8BB592E7924812321B8982E0FF05D19C70B60A48B31A6DD11C7B7A935FD27F66610FBE690DBAF24E16C
                                            Malicious:true
                                            Reputation:low
                                            Preview: 3.s....H
                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                            Process:C:\Users\user\Desktop\RFQ #46200058149.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):40
                                            Entropy (8bit):5.221928094887364
                                            Encrypted:false
                                            SSDEEP:3:9bzY6oRDMjmPl:RzWDMCd
                                            MD5:AE0F5E6CE7122AF264EC533C6B15A27B
                                            SHA1:1265A495C42EED76CC043D50C60C23297E76CCE1
                                            SHA-256:73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26
                                            SHA-512:DD44C2D24D4E3A0F0B988AD3D04683B5CB128298043134649BBE33B2512CE0C9B1A8E7D893B9F66FBBCDD901E2B0646C4533FB6C0C8C4AFCB95A0EFB95D446F8
                                            Malicious:false
                                            Preview: 9iH...}Z.4..f..... 8.j....|.&X..e.F.*.
                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                            Process:C:\Users\user\Desktop\RFQ #46200058149.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):327432
                                            Entropy (8bit):7.99938831605763
                                            Encrypted:true
                                            SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                            MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                            SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                            SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                            SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                            Malicious:false
                                            Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7

                                            Static File Info

                                            General

                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):5.914857977057756
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                            • Win32 Executable (generic) a (10002005/4) 49.93%
                                            • Windows Screen Saver (13104/52) 0.07%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            File name:RFQ #46200058149.exe
                                            File size:55488
                                            MD5:67b96dc502b0c7a496092d7e6d1da6c5
                                            SHA1:a7c79eeaaafb23e8e40457cd5d44c61148cd1f5f
                                            SHA256:ef5cb0bfe2d23b7a13b685f43dc9a100dac402023e11dce7991173bde63b298e
                                            SHA512:56ea1e779902e8a51de0d20f5d4ea3a4d4e5a441e166668fadfbc25bd14715b388296f7d9d44b01499001d71612a73e858c0d0ad8d1fd473e3843169e8f60aab
                                            SSDEEP:768:b/LA9K0Ubu5O9ooy+bwEbcpo31EKGSBAmoSOh:bzIKS5uAmoS
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$............."...0.............>.... ........@.. ....................... ......I7....@................................

                                            File Icon

                                            Icon Hash:00828e8e8686b000

                                            Static PE Info

                                            General

                                            Entrypoint:0x40d53e
                                            Entrypoint Section:.text
                                            Digitally signed:true
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                            Time Stamp:0xB5100D24 [Mon Apr 5 21:20:36 2066 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:v4.0.30319
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                            Authenticode Signature

                                            Signature Valid:false
                                            Signature Issuer:C=cJGypErFTYiIKZrVRPaZESbD, S=YzrefMybHjDaqHbkToqPfxOqnUOifyYQU, L=GrmKqYXcIpqu, T=lhjOxKoqQZNoFhwaegDYkMfihogoajYDuqQHU, E=TjleyVAYSBdZejEgZMvkyncOeuPXZHOXQXVxRYDxHdW, OU=NljTHpvqDvYN, O=vXrtPKPHdcshcP, CN=DgYLGpwPLUvEHXHFAFtskroWZlsMsMtPTwOYljdPOsBdPanwm
                                            Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                            Error Number:-2146762487
                                            Not Before, Not After
                                            • 4/7/2021 3:24:46 AM 4/7/2022 3:24:46 AM
                                            Subject Chain
                                            • C=cJGypErFTYiIKZrVRPaZESbD, S=YzrefMybHjDaqHbkToqPfxOqnUOifyYQU, L=GrmKqYXcIpqu, T=lhjOxKoqQZNoFhwaegDYkMfihogoajYDuqQHU, E=TjleyVAYSBdZejEgZMvkyncOeuPXZHOXQXVxRYDxHdW, OU=NljTHpvqDvYN, O=vXrtPKPHdcshcP, CN=DgYLGpwPLUvEHXHFAFtskroWZlsMsMtPTwOYljdPOsBdPanwm
                                            Version:3
                                            Thumbprint MD5:FB6C7A2D94E91E9FF30697013C5B69D5
                                            Thumbprint SHA-1:FE02D73BF104783555975688A868009D5570EB73
                                            Thumbprint SHA-256:BF63495CB82B667811FF374D33F61D640122D1FF75F5B9C359536F194FF72F44
                                            Serial:00F3D510D4C10F5E02E90D4C9AB74AC201
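
Three things in the signature block above matter more than the "Signature Valid: false" verdict on its own: the issuer and subject are the same distinguished name (a self-signed certificate, which is why the chain ends in an untrusted root), every field of that name is a random string, and the Not Before date is the day of the analysis (7 April 2021). The following is an added example, not part of the report, that turns those observations into a check: it parses the DN strings as printed above, tests issuer against subject, and scores each field with a simple case-flip heuristic (random mixed-case strings flip case between roughly half of their adjacent letters; real names almost never do). The threshold values are choices made for this example.

```python
# Issuer and subject exactly as the report prints them (they are identical)
ISSUER = ("C=cJGypErFTYiIKZrVRPaZESbD, S=YzrefMybHjDaqHbkToqPfxOqnUOifyYQU, L=GrmKqYXcIpqu, "
          "T=lhjOxKoqQZNoFhwaegDYkMfihogoajYDuqQHU, E=TjleyVAYSBdZejEgZMvkyncOeuPXZHOXQXVxRYDxHdW, "
          "OU=NljTHpvqDvYN, O=vXrtPKPHdcshcP, CN=DgYLGpwPLUvEHXHFAFtskroWZlsMsMtPTwOYljdPOsBdPanwm")
SUBJECT = ISSUER


def parse_dn(dn: str) -> dict:
    """Split a 'K=V, K=V' distinguished name as printed by the report into a dict.
    Sufficient for this output; it does not handle escaped commas (RFC 4514)."""
    out = {}
    for rdn in dn.split(", "):
        key, sep, value = rdn.partition("=")
        if sep:
            out[key.strip()] = value.strip()
    return out


def case_flip_ratio(value: str) -> float:
    """Fraction of adjacent letter pairs whose case differs. Natural-language names
    score near 0 (a capital followed by lower case); random mixed case scores near 0.5."""
    letters = [c for c in value if c.isalpha()]
    if len(letters) < 2:
        return 0.0
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips / (len(letters) - 1)


def looks_random(value: str, min_letters: int = 8, threshold: float = 0.35) -> bool:
    # Short values (country codes, "LLC") are skipped; thresholds are example choices
    return sum(c.isalpha() for c in value) >= min_letters and case_flip_ratio(value) > threshold


def assess_signature(issuer: str, subject: str, signature_valid: bool) -> dict:
    iss, sub = parse_dn(issuer), parse_dn(subject)
    random_fields = sorted(k for k, v in sub.items() if looks_random(v))
    self_signed = iss == sub
    return {
        "self_signed": self_signed,
        "random_fields": random_fields,
        # A signature is evidence of origin only when it chains to a trusted root,
        # was issued by someone other than the subject, and names a real entity.
        "trustworthy": signature_valid and not self_signed and not random_fields,
    }


if __name__ == "__main__":
    print(assess_signature(ISSUER, SUBJECT, signature_valid=False))
```

The heuristic is a triage aid, not a verdict: a legitimately signed binary can fail it if the publisher name is unusual, and a stolen certificate will pass it. What it reliably catches is the pattern shown here, a throwaway self-signed certificate generated by a packer or builder minutes before the sample was sent.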

                                            Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times in the preview)

The jump goes through the IAT entry at RVA 0x2000, whose only import is mscoree.dll!_CorExeMain: this is the standard native stub of a managed executable, which hands control to the CLR. The 97 "add byte ptr [eax], al" lines that follow are the disassembly of zero bytes (00 00); there is no further native code at the entry point, so the logic has to be examined in the IL, not in this stub.

                                            Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd4f0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0x81c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xc400 | 0x14c0 | (file offset, not mapped into a section)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                            Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb544 | 0xb600 | False | 0.184495192308 | data | 5.49483421273 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xe000 | 0x81c | 0xa00 | False | 0.30546875 | data | 5.05547520825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                            Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xe0a0 | 0x590 | data | English | United States
RT_MANIFEST | 0xe630 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                            Imports

DLL | Import
mscoree.dll | _CorExeMain

                                            Version Infos

Description | Data
LegalCopyright | All Rights Reserved
Assembly Version | 1.628.632.750
InternalName | .exe
FileVersion | 1.628.632.750
CompanyName | Inc.
LegalTrademarks | (empty)
Comments | (empty)
ProductName | (empty)
ProductVersion | 1.628.632.750
FileDescription | (empty)
OriginalFilename | .exe
Translation | 0x0000 0x0514

                                            Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                                            Network Behavior

                                            Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/07/21-13:02:17.171046 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49700 | 5353 | 192.168.2.5 | 45.15.143.169
04/07/21-13:02:23.616130 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49701 | 5353 | 192.168.2.5 | 45.15.143.169
04/07/21-13:02:29.609043 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49708 | 5353 | 192.168.2.5 | 45.15.143.169
04/07/21-13:02:35.662373 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49711 | 5353 | 192.168.2.5 | 45.15.143.169
04/07/21-13:02:43.025136 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49717 | 5353 | 192.168.2.5 | 45.15.143.169
04/07/21-13:02:48.990683 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49721 | 5353 | 192.168.2.5 | 45.15.143.169
04/07/21-13:02:55.031007 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49724 | 5353 | 192.168.2.5 | 45.15.143.169
04/07/21-13:03:01.040878 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49725 | 5353 | 192.168.2.5 | 45.15.143.169
04/07/21-13:03:06.089379 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49727 | 5353 | 192.168.2.5 | 45.15.143.169
04/07/21-13:03:12.226347 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49728 | 5353 | 192.168.2.5 | 45.15.143.169
04/07/21-13:03:18.456156 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49731 | 5353 | 192.168.2.5 | 45.15.143.169
04/07/21-13:03:25.504170 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49737 | 5353 | 192.168.2.5 | 45.15.143.169
04/07/21-13:03:32.502954 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49738 | 5353 | 192.168.2.5 | 45.15.143.169
04/07/21-13:03:38.477187 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49739 | 5353 | 192.168.2.5 | 45.15.143.169
04/07/21-13:03:44.674403 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49740 | 5353 | 192.168.2.5 | 45.15.143.169
04/07/21-13:03:51.574841 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49741 | 5353 | 192.168.2.5 | 45.15.143.169
04/07/21-13:03:57.560887 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49744 | 5353 | 192.168.2.5 | 45.15.143.169
04/07/21-13:04:03.546218 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49745 | 5353 | 192.168.2.5 | 45.15.143.169
04/07/21-13:04:08.527094 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49746 | 5353 | 192.168.2.5 | 45.15.143.169
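
The timestamps and ports in the Snort table are themselves a detection signal independent of the rule that fired: 19 hits in about 111 seconds, one roughly every 6 seconds, each from a different ephemeral source port, so each hit is a fresh TCP connection to 45.15.143.169:5353 rather than traffic on one long-lived session. The following is an added example, not part of the report, that takes those rows (copied from the table above into a list) and computes the beaconing profile a SOC would derive from Snort fast-alert output: hit count, median interval, jitter and whether every hit opened a new connection. The thresholds in `is_periodic` are choices for this example.

```python
from datetime import datetime
from statistics import median, pstdev

# The 19 rows of the Snort table above as (timestamp, source port). Every row is
# SID 2025019 from 192.168.2.5 to 45.15.143.169:5353.
ALERTS = [
    ("04/07/21-13:02:17.171046", 49700),
    ("04/07/21-13:02:23.616130", 49701),
    ("04/07/21-13:02:29.609043", 49708),
    ("04/07/21-13:02:35.662373", 49711),
    ("04/07/21-13:02:43.025136", 49717),
    ("04/07/21-13:02:48.990683", 49721),
    ("04/07/21-13:02:55.031007", 49724),
    ("04/07/21-13:03:01.040878", 49725),
    ("04/07/21-13:03:06.089379", 49727),
    ("04/07/21-13:03:12.226347", 49728),
    ("04/07/21-13:03:18.456156", 49731),
    ("04/07/21-13:03:25.504170", 49737),
    ("04/07/21-13:03:32.502954", 49738),
    ("04/07/21-13:03:38.477187", 49739),
    ("04/07/21-13:03:44.674403", 49740),
    ("04/07/21-13:03:51.574841", 49741),
    ("04/07/21-13:03:57.560887", 49744),
    ("04/07/21-13:04:03.546218", 49745),
    ("04/07/21-13:04:08.527094", 49746),
]


def parse_snort_ts(value: str) -> datetime:
    # Snort fast-alert timestamp: MM/DD/YY-HH:MM:SS.usec (two-digit year)
    return datetime.strptime(value, "%m/%d/%y-%H:%M:%S.%f")


def beacon_profile(alerts) -> dict:
    """Summarise the cadence of a set of alerts from one source to one destination."""
    times = sorted(parse_snort_ts(ts) for ts, _ in alerts)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    ports = {port for _, port in alerts}
    return {
        "hits": len(alerts),
        "span_s": (times[-1] - times[0]).total_seconds(),
        "median_gap_s": median(gaps),
        "gap_stdev_s": pstdev(gaps),
        "distinct_source_ports": len(ports),
        # A new ephemeral source port per hit means a new TCP connection per hit:
        # the client reconnects on a timer instead of keeping one session open.
        "new_connection_per_hit": len(ports) == len(alerts),
    }


def is_periodic(profile: dict, min_hits: int = 5, max_jitter: float = 0.35) -> bool:
    """Treat the source as beaconing when enough hits arrive at a near-constant
    interval (stdev / median below max_jitter). Thresholds are example choices."""
    if profile["hits"] < min_hits or profile["median_gap_s"] <= 0:
        return False
    return profile["gap_stdev_s"] / profile["median_gap_s"] <= max_jitter


if __name__ == "__main__":
    p = beacon_profile(ALERTS)
    print(p, "periodic:", is_periodic(p))
```

Even without the NanoCore signature, a host that opens a new connection to the same external port every six seconds for two minutes is what a beacon hunt query should surface; the same profile can be computed from NetFlow or firewall logs where no IDS is in the path.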

                                            TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 7, 2021 13:02:06.561278105 CEST | 49698 | 80 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:06.589848042 CEST | 80 | 49698 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:06.590656042 CEST | 49698 | 80 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:06.590687990 CEST | 49698 | 80 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:06.620342016 CEST | 80 | 49698 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:06.633188009 CEST | 80 | 49698 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:06.661340952 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:06.677747965 CEST | 49698 | 80 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:06.690354109 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:06.691577911 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:06.700535059 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:06.729173899 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:06.740087986 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:06.740125895 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:06.740264893 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:06.748444080 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:06.777738094 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:06.778348923 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:06.822460890 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:06.852838993 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.042640924 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.042685986 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.042733908 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.042764902 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.042777061 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.042802095 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.042823076 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.042829037 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.042866945 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.042891979 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.042902946 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.042927980 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.042954922 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.042977095 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.043055058 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.043085098 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.043118954 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.043158054 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.289462090 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.289509058 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.289546967 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.289594889 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.289645910 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.289710999 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.289978981 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.290029049 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.290122032 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.290605068 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.290741920 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.290843010 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.291336060 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.291750908 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.291874886 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.291970015 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.292062998 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.292784929 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.292829037 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.292937994 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.292973995 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.293483019 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.293526888 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.293617010 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.294059992 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.294224977 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.294698954 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.294738054 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.294794083 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.294872046 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.295423985 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.295464039 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.295536041 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.296227932 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.296269894 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.296910048 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.296947956 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.296983004 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.297379971 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.297568083 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.297609091 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.298372984 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.298384905 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.298559904 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.299046040 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.299089909 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.299161911 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.300101042 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.300188065 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.300283909 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.300322056 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.300405025 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.301075935 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.301115036 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.301153898 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.301175117 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.318403959 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.318449974 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.318486929 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.318526983 CEST | 443 | 49699 | 172.67.150.212 | 192.168.2.5
Apr 7, 2021 13:02:07.318571091 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212
Apr 7, 2021 13:02:07.318598986 CEST | 49699 | 443 | 192.168.2.5 | 172.67.150.212

                                            UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 7, 2021 13:01:57.666064024 CEST | 54302 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:01:57.699048042 CEST | 53 | 54302 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:01:57.835232973 CEST | 53784 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:01:57.848604918 CEST | 53 | 53784 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:01:57.870088100 CEST | 65307 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:01:57.884546041 CEST | 53 | 65307 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:01:58.216387033 CEST | 64344 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:01:58.242887020 CEST | 53 | 64344 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:01:59.915389061 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:01:59.940996885 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:02:05.765697002 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:02:05.786441088 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:02:06.521837950 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:02:06.542304039 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:02:06.642534018 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:02:06.657759905 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:02:26.104932070 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:02:26.152183056 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:02:28.068749905 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:02:28.084856033 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:02:28.419487953 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:02:28.432147980 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:02:29.162633896 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:02:29.175187111 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:02:30.679785013 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:02:30.694525003 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:02:33.519079924 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:02:33.531760931 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:02:35.690540075 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:02:35.703210115 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:02:39.809226036 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:02:39.821969032 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:02:40.813354015 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:02:40.828380108 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:02:41.733205080 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:02:41.749515057 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:02:43.816843033 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:02:43.830353975 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:02:44.786832094 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:02:44.800668955 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:02:46.068089962 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:02:46.080852032 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:02:51.182168007 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:02:51.195074081 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:02:52.309345961 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:02:52.327894926 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:03:05.314524889 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:03:05.340697050 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:03:18.004636049 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:03:18.020281076 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:03:21.618623972 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:03:21.638210058 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:03:52.518874884 CEST | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:03:52.534435987 CEST | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Apr 7, 2021 13:03:54.824187994 CEST | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Apr 7, 2021 13:03:54.850320101 CEST | 53 | 58530 | 8.8.8.8 | 192.168.2.5

                                            DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 7, 2021 13:02:06.521837950 CEST | 192.168.2.5 | 8.8.8.8 | 0xa57f | Standard query (0) | myliverpoolnews.cf | A (IP address) | IN (0x0001)
Apr 7, 2021 13:02:06.642534018 CEST | 192.168.2.5 | 8.8.8.8 | 0xc83b | Standard query (0) | myliverpoolnews.cf | A (IP address) | IN (0x0001)

                                            DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 7, 2021 13:02:06.542304039 CEST | 8.8.8.8 | 192.168.2.5 | 0xa57f | No error (0) | myliverpoolnews.cf | - | 172.67.150.212 | A (IP address) | IN (0x0001)
Apr 7, 2021 13:02:06.542304039 CEST | 8.8.8.8 | 192.168.2.5 | 0xa57f | No error (0) | myliverpoolnews.cf | - | 104.21.56.119 | A (IP address) | IN (0x0001)
Apr 7, 2021 13:02:06.657759905 CEST | 8.8.8.8 | 192.168.2.5 | 0xc83b | No error (0) | myliverpoolnews.cf | - | 172.67.150.212 | A (IP address) | IN (0x0001)
Apr 7, 2021 13:02:06.657759905 CEST | 8.8.8.8 | 192.168.2.5 | 0xc83b | No error (0) | myliverpoolnews.cf | - | 104.21.56.119 | A (IP address) | IN (0x0001)

                                            HTTP Request Dependency Graph

                                            • myliverpoolnews.cf

                                            HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49698 | 172.67.150.212 | 80 | C:\Users\user\Desktop\RFQ #46200058149.exe

Timestamp | kBytes transferred | Direction | Data
Apr 7, 2021 13:02:06.590687990 CEST | 1340 | OUT | GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FE6EFB3AED9F05224C930BEF8BE1CC20.html HTTP/1.1
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41   (header name as captured: "UserAgent", not the standard "User-Agent"; the value claims an Opera browser on Linux although the sender is a .NET executable on Windows)
Host: myliverpoolnews.cf
Connection: Keep-Alive
Apr 7, 2021 13:02:06.633188009 CEST | 1341 | IN | HTTP/1.1 301 Moved Permanently
Date: Wed, 07 Apr 2021 11:02:06 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Wed, 07 Apr 2021 12:02:06 GMT
Location: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FE6EFB3AED9F05224C930BEF8BE1CC20.html
cf-request-id: 094d9836110000b7c914187000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=m9eQ%2Bca61StvdHz7yPlbWFTXI1pBp7YQkrNE7je%2FSSf0koz4kSPtrJdseqt2bsqSTUwhZmkNnO%2BGEff%2B6O21ufwbrUCHlDUCH5a17fhuqKxyOIQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 63c2c3034ea8b7c9-CDG
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
(The five bytes are the chunked-encoding terminator "0\r\n\r\n": the cleartext response carries no body. Whatever the sample fetches from this URL is only delivered over the HTTPS session to 172.67.150.212:443 that follows the redirect; see HTTPS Packets below.)


                                            HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port
Apr 7, 2021 13:02:06.740125895 CEST | 172.67.150.212 | 443 | 192.168.2.5 | 49699

Certificate chain presented by the server:
Leaf certificate
  Subject: CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US
  Issuer: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
  Not Before: Wed Mar 31 02:00:00 CEST 2021
  Not After: Thu Mar 31 01:59:59 CEST 2022
Intermediate certificate
  Subject: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
  Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
  Not Before: Mon Jan 27 13:48:08 CET 2020
  Not After: Wed Jan 01 00:59:59 CET 2025

JA3 SSL Client Fingerprint: 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 54328bd36c14bd82ddaa0c04b25ed9ad
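The JA3 string above is the sample's ClientHello reduced to five comma-separated fields (version, cipher suites, extensions, supported groups, EC point formats, each a "-"-joined list of decimal values) and the digest is the MD5 of that string. The decoder below is an added example written for this page, not Joe Sandbox code; the value-to-name tables are taken from the IANA TLS registries and cover only the values that occur here, and the triage checks are this editor's own choice of what to flag. If the fingerprint was captured exactly as shown, ja3_digest() should reproduce the reported digest; the block reports whether it does rather than assuming it.

```python
import hashlib

# Fingerprint string and digest exactly as reported in the HTTPS Packets table above.
REPORTED_JA3 = "769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0"
REPORTED_DIGEST = "54328bd36c14bd82ddaa0c04b25ed9ad"

# Names from the IANA TLS registries for the values that occur in this fingerprint.
TLS_VERSIONS = {768: "SSL 3.0", 769: "TLS 1.0", 770: "TLS 1.1", 771: "TLS 1.2", 772: "TLS 1.3"}
CIPHERS = {
    49162: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",  # 0xC00A
    49161: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",  # 0xC009
    49172: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",    # 0xC014
    49171: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",    # 0xC013
    53: "TLS_RSA_WITH_AES_256_CBC_SHA",             # 0x0035
    47: "TLS_RSA_WITH_AES_128_CBC_SHA",             # 0x002F
    10: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",            # 0x000A
}
EXTENSIONS = {
    0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
    23: "extended_master_secret", 35: "session_ticket", 43: "supported_versions",
    65281: "renegotiation_info",
}
GROUPS = {23: "secp256r1", 24: "secp384r1", 29: "x25519"}


def _ints(field: str) -> list:
    """A JA3 field is a '-'-joined list of decimal integers; an empty field is an empty list."""
    return [int(x) for x in field.split("-")] if field else []


def parse_ja3(fp: str) -> dict:
    """Split a JA3 string into its five fields: version, ciphers, extensions, groups, point formats."""
    parts = fp.split(",")
    if len(parts) != 5:
        raise ValueError("JA3 string must have exactly five comma-separated fields")
    version = int(parts[0])
    return {
        "version": version,
        "version_name": TLS_VERSIONS.get(version, "unknown (0x%04x)" % version),
        "ciphers": _ints(parts[1]),
        "extensions": _ints(parts[2]),
        "groups": _ints(parts[3]),
        "point_formats": _ints(parts[4]),
    }


def ja3_digest(fp: str) -> str:
    """The JA3 digest is defined as the MD5 of the raw fingerprint string."""
    return hashlib.md5(fp.encode("ascii")).hexdigest()


def triage_findings(parsed: dict) -> list:
    """Findings an analyst would note for a ClientHello described by this fingerprint."""
    findings = []
    # Without a supported_versions extension (43), the first field is the highest version offered.
    if 43 not in parsed["extensions"] and parsed["version"] < 771:
        findings.append("highest offered version is %s" % parsed["version_name"])
    if 10 in parsed["ciphers"]:
        findings.append("3DES cipher suite offered")
    if parsed["ciphers"] and all(CIPHERS.get(c, "").endswith("_CBC_SHA") for c in parsed["ciphers"]):
        findings.append("no AEAD suites: every offered suite is CBC with an HMAC-SHA1 MAC")
    return findings


def describe(fp: str) -> dict:
    """Human-readable view of the fingerprint plus a check of the digest against the report."""
    parsed = parse_ja3(fp)
    return {
        "version": parsed["version_name"],
        "ciphers": [CIPHERS.get(c, "unknown 0x%04x" % c) for c in parsed["ciphers"]],
        "extensions": [EXTENSIONS.get(e, "unknown %d" % e) for e in parsed["extensions"]],
        "groups": [GROUPS.get(g, "unknown %d" % g) for g in parsed["groups"]],
        "point_formats": parsed["point_formats"],
        "findings": triage_findings(parsed),
        "digest": ja3_digest(fp),
        "digest_matches_report": ja3_digest(fp) == REPORTED_DIGEST,
    }


if __name__ == "__main__":
    for key, value in describe(REPORTED_JA3).items():
        print("%-22s %s" % (key, value))
```

Decoded, the first field (769 = 0x0301) says the client offered nothing newer than TLS 1.0, which is what the "insecure TLS / SSL version" signature refers to; the suite list is all CBC/HMAC-SHA1 (including 3DES) and the extension set carries no supported_versions, which is the shape of a legacy Schannel ClientHello rather than a browser's. The digest, not the readable string, is what you would put in a Suricata or Zeek match, since it is stable across captures of the same client stack.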

                                            Code Manipulations

                                            Statistics

                                            Behavior


                                            System Behavior

                                            General

                                            Start time:13:02:04
                                            Start date:07/04/2021
                                            Path:C:\Users\user\Desktop\RFQ #46200058149.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\Desktop\RFQ #46200058149.exe'
                                            Imagebase:0xea0000
                                            File size:55488 bytes
                                            MD5 hash:67B96DC502B0C7A496092D7E6D1DA6C5
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.301376960.000000000505E000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.301376960.000000000505E000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.301376960.000000000505E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000003.240375757.000000000507F000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.240375757.000000000507F000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.240375757.000000000507F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            Reputation:low

                                            General

                                            Start time:13:02:10
                                            Start date:07/04/2021
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Windows\System32\cmd.exe' /c timeout 1
                                            Imagebase:0x150000
                                            File size:232960 bytes
                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:13:02:10
                                            Start date:07/04/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7ecfc0000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:13:02:11
                                            Start date:07/04/2021
                                            Path:C:\Windows\SysWOW64\timeout.exe
                                            Wow64 process (32bit):true
                                            Commandline:timeout 1
                                            Imagebase:0x160000
                                            File size:26112 bytes
                                            MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:13:02:12
                                            Start date:07/04/2021
                                            Path:C:\Users\user\Desktop\RFQ #46200058149.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\RFQ #46200058149.exe
                                            Imagebase:0x640000
                                            File size:55488 bytes
                                            MD5 hash:67B96DC502B0C7A496092D7E6D1DA6C5
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Reputation:low

                                            General

                                            Start time:13:02:15
                                            Start date:07/04/2021
                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 2672
                                            Imagebase:0xf10000
                                            File size:434592 bytes
                                            MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Reputation:high
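The process records above describe a short sequence: the sample starts at 13:02:04, a "cmd.exe /c timeout 1" (with its conhost.exe and timeout.exe children) appears at 13:02:10, a second instance of the same executable starts at 13:02:12, and at 13:02:15 WerFault.exe is invoked with "-p 5340", the PID of the first instance. A detection over process-creation telemetry can key on exactly that shape: a process that waits via cmd /c timeout and is then followed by a fresh copy of its own image. The code below is an added example written for this page, not Joe Sandbox output or a rule the report ships. The event list is constructed to mirror the records above: start times, image paths and command lines are taken from the report, PID 5340 from the WerFault command line; every other PID and every parent/child link is assumed for the example, since the report does not state them.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    """One process-creation record, in the shape of Sysmon event 1 or Security event 4688."""
    ts: datetime
    pid: int
    ppid: int
    image: str
    cmdline: str


def _t(hms: str) -> datetime:
    return datetime.strptime("2021-04-07 " + hms, "%Y-%m-%d %H:%M:%S")


SAMPLE = r"C:\Users\user\Desktop\RFQ #46200058149.exe"

# Constructed event stream mirroring the System Behavior section. Times, images and command lines
# come from the report and PID 5340 from the WerFault command line; the remaining PIDs and all
# parent links (ppid) are assumptions made for this example.
EVENTS = [
    ProcEvent(_t("13:02:04"), 5340, 4000, SAMPLE, "'" + SAMPLE + "'"),
    ProcEvent(_t("13:02:10"), 5400, 5340, r"C:\Windows\SysWOW64\cmd.exe",
              r"'C:\Windows\System32\cmd.exe' /c timeout 1"),
    ProcEvent(_t("13:02:10"), 5404, 5400, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(_t("13:02:11"), 5412, 5400, r"C:\Windows\SysWOW64\timeout.exe", "timeout 1"),
    ProcEvent(_t("13:02:12"), 5420, 5340, SAMPLE, SAMPLE),
    ProcEvent(_t("13:02:15"), 5436, 1234, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 2672"),
]

# "cmd /c timeout N" or "cmd /c timeout /t N", with or without a quoted full path to cmd.exe.
TIMEOUT_RE = re.compile(r"cmd(?:\.exe)?['\"]?\s+/c\s+timeout\s+(?:/t\s+)?(\d+)", re.IGNORECASE)
# WerFault is handed the crashing PID via "-p <pid>".
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)


def find_delayed_relaunch(events, slack=timedelta(seconds=10)):
    """Flag a process that runs 'cmd /c timeout N' and is followed, within N seconds plus slack,
    by a fresh instance of its own image. Returns (original_pid, new_pid, image) tuples."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in sorted(events, key=lambda x: x.ts):
        m = TIMEOUT_RE.search(e.cmdline)
        if not m or e.ppid not in by_pid:
            continue
        parent = by_pid[e.ppid]
        deadline = e.ts + timedelta(seconds=int(m.group(1))) + slack
        for later in events:
            if (e.ts <= later.ts <= deadline and later.pid != parent.pid
                    and later.image.lower() == parent.image.lower()):
                hits.append((parent.pid, later.pid, parent.image))
    return hits


def find_crashed_pids(events):
    """Map each PID named by a 'WerFault.exe -p <pid>' invocation to the image that crashed (or None
    when that PID has no creation record in the stream)."""
    by_pid = {e.pid: e for e in events}
    out = {}
    for e in events:
        m = WERFAULT_RE.search(e.cmdline)
        if m:
            pid = int(m.group(1))
            out[pid] = by_pid[pid].image if pid in by_pid else None
    return out


if __name__ == "__main__":
    for orig, new, image in find_delayed_relaunch(EVENTS):
        print("delayed self-relaunch: pid %d -> pid %d (%s)" % (orig, new, image))
    for pid, image in find_crashed_pids(EVENTS).items():
        print("WerFault reported a crash of pid %d (%s)" % (pid, image))
```

Two caveats when moving this onto real telemetry: the relaunch match is on image path, so a copy dropped elsewhere under a new name (the usual persistence step) needs a hash or signer comparison instead, and "cmd /c timeout" is also used by benign installers, so the rule is worth an alert only in combination with the second instance of the same image, never on the timeout alone. The WerFault correlation is useful because it tells you which instance died: here it is the first one, after the second copy was already running.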

                                            Disassembly

                                            Code Analysis
