Analysis Report qINcOlwRud.exe

Overview

General Information

Sample Name: qINcOlwRud.exe
Analysis ID: 383942
MD5: d6b29add344d2284845f133b8505126e
SHA1: fdb44b36f8c31a60a47db4f4ce6d4975367d7a7c
SHA256: 552a8d763c86bb50ded18cf8f790f18828c471ec5a4d3cac71eaf7693314a04c
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files with benign system names
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to delay execution (extensive OutputDebugStringW loop)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection

Startup

  • System is w10x64
  • qINcOlwRud.exe (PID: 5476 cmdline: 'C:\Users\user\Desktop\qINcOlwRud.exe' MD5: D6B29ADD344D2284845F133B8505126E)
    • powershell.exe (PID: 908 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 1364 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\qINcOlwRud.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 3880 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5972 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5756 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • qINcOlwRud.exe (PID: 4456 cmdline: C:\Users\user\Desktop\qINcOlwRud.exe MD5: D6B29ADD344D2284845F133B8505126E)
    • WerFault.exe (PID: 6000 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 1936 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • svchost.exe (PID: 5512 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5820 cmdline: 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' MD5: D6B29ADD344D2284845F133B8505126E)
    • powershell.exe (PID: 6236 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6264 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6320 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6644 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6692 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • svchost.exe (PID: 4468 cmdline: C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe MD5: D6B29ADD344D2284845F133B8505126E)
  • svchost.exe (PID: 3776 cmdline: 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' MD5: D6B29ADD344D2284845F133B8505126E)
    • powershell.exe (PID: 6860 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6908 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6988 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 4664 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5328 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5868 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5412 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1320 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2000 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "m4ximilia@yandex.comx103860*&1333smtp.yandex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.304230234.000000000434C000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.qINcOlwRud.exe.43826f0.7.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.qINcOlwRud.exe.434c6d0.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.qINcOlwRud.exe.434c6d0.8.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.qINcOlwRud.exe.43826f0.7.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.qINcOlwRud.exe.43826f0.7.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "m4ximilia@yandex.comx103860*&1333smtp.yandex.com"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe, ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: qINcOlwRud.exe, Virustotal: Detection: 21%
Source: qINcOlwRud.exe, ReversingLabs: Detection: 27%
Machine Learning detection for dropped file
Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: qINcOlwRud.exe, Joe Sandbox ML: detected
Source: unknown, HTTPS traffic detected: 104.21.56.119:443 -> 192.168.2.3:49683 version: TLS 1.0
Source: C:\Users\user\Desktop\qINcOlwRud.exe, Directory created: C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV
Source: C:\Users\user\Desktop\qINcOlwRud.exe, Directory created: C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe
Source: qINcOlwRud.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: global traffic, HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A8BB9FBC655E731A0C6CD58E2C4B52B7.html HTTP/1.1 UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 Host: myliverpoolnews.cf Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-6C1A7BF393BEFEDE5EF77372F8A536BC.html HTTP/1.1 UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 Host: myliverpoolnews.cf
Source: global traffic, HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A1DD2EDE961D10CC641FCFA5CF4FBAFC.html HTTP/1.1 UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 Host: myliverpoolnews.cf
Source: Joe Sandbox View, IP Address: 104.21.56.119
Source: Joe Sandbox View, JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
            Source: unknown; DNS traffic detected: queries for: myliverpoolnews.cf
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp, qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/schedule/
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154
            Source: qINcOlwRud.exe, 00000000.00000003.216213463.0000000004615000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/search/
            Source: qINcOlwRud.exe, 00000000.00000002.304230234.000000000434C000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
            Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49683
            Source: unknown Network traffic detected: HTTP traffic on port 49683 -> 443
            Source: qINcOlwRud.exe, 00000000.00000002.269153211.00000000011BA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
            Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
            Source: C:\Users\user\Desktop\qINcOlwRud.exe Code function: 0_2_01174448
            Source: C:\Users\user\Desktop\qINcOlwRud.exe Code function: 0_2_01174B08
            Source: C:\Users\user\Desktop\qINcOlwRud.exe Code function: 0_2_0117ED30
            Source: C:\Users\user\Desktop\qINcOlwRud.exe Code function: 0_2_0117C10C
            Source: C:\Users\user\Desktop\qINcOlwRud.exe Code function: 0_2_0117D6D8
            Source: C:\Users\user\Desktop\qINcOlwRud.exe Code function: 0_2_0117D92C
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe Code function: 13_2_015D2207
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe Code function: 13_2_015D2A08
            Source: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe Code function: 13_2_015D9EAC
            Source: Joe Sandbox View Dropped File: C:\Program Files\Common Files\system\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe 552A8D763C86BB50DED18CF8F790F18828C471EC5A4D3CAC71EAF7693314A04C
            Source: C:\Users\user\Desktop\qINcOlwRud.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 1936
            Source: qINcOlwRud.exe, 00000000.00000000.207154694.0000000000ABA000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDimbono.exe0 vs qINcOlwRud.exe
            Source: qINcOlwRud.exe, 00000000.00000002.388289726.0000000005F60000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs qINcOlwRud.exe
            Source: qINcOlwRud.exe, 00000000.00000002.269988009.00000000013C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs qINcOlwRud.exe
            Source: qINcOlwRud.exe, 00000000.00000002.267682824.0000000000EF7000.00000004.00000010.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs qINcOlwRud.exe
            Source: qINcOlwRud.exe, 00000000.00000002.269963750.00000000013B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dllj% vs qINcOlwRud.exe
            Source: qINcOlwRud.exe, 00000000.00000002.382192537.0000000005520000.00000002.00000001.sdmp Binary or memory string: originalfilename vs qINcOlwRud.exe
            Source: qINcOlwRud.exe, 00000000.00000002.382192537.0000000005520000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs qINcOlwRud.exe
            Source: qINcOlwRud.exe, 00000000.00000002.271324177.000000000304A000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs qINcOlwRud.exe
            Source: qINcOlwRud.exe, 00000000.00000002.304230234.000000000434C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameHjwp TPs.exe2 vs qINcOlwRud.exe
            Source: qINcOlwRud.exe, 00000000.00000002.269153211.00000000011BA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs qINcOlwRud.exe
            Source: qINcOlwRud.exe, 00000000.00000002.377981680.0000000005430000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs qINcOlwRud.exe
            Source: qINcOlwRud.exe, 0000000A.00000000.254365298.000000000075A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDimbono.exe0 vs qINcOlwRud.exe
            Source: qINcOlwRud.exe Binary or memory string: OriginalFilenameDimbono.exe0 vs qINcOlwRud.exe
            Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
            Source: classification engine Classification label: mal100.troj.evad.winEXE@53/25@4/2
            Source: C:\Users\user\Desktop\qINcOlwRud.exe File created: C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV
            Source: C:\Users\user\Desktop\qINcOlwRud.exe File created: C:\Users\user\QTSKUnyljdzYWpkbMIVLIBDYJvtcjEA
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3288:120:WilError_01
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6652:120:WilError_01
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:160:120:WilError_01
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5772:120:WilError_01
            Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5476
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5932:120:WilError_01
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w3ochp5k.jrz.ps1