Analysis Report PO45937008ADENGY.exe

Overview

General Information

Sample Name: PO45937008ADENGY.exe
Analysis ID: 383974
MD5: 47ebf3893d8d6db4add1b87ad75495e4
SHA1: a90970359da16dfbcf89648f7a38fb75707181b3
SHA256: ee54b187c42f159bfba469c4b8c5ba0a85afeb802ea7eacaf400ccb38f7183af
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Startup

  • System is w10x64
  • PO45937008ADENGY.exe (PID: 7024 cmdline: 'C:\Users\user\Desktop\PO45937008ADENGY.exe' MD5: 47EBF3893D8D6DB4ADD1B87AD75495E4)
    • cmd.exe (PID: 3684 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 1320 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • PO45937008ADENGY.exe (PID: 6448 cmdline: C:\Users\user\Desktop\PO45937008ADENGY.exe MD5: 47EBF3893D8D6DB4ADD1B87AD75495E4)
    • PO45937008ADENGY.exe (PID: 612 cmdline: C:\Users\user\Desktop\PO45937008ADENGY.exe MD5: 47EBF3893D8D6DB4ADD1B87AD75495E4)
    • PO45937008ADENGY.exe (PID: 6644 cmdline: C:\Users\user\Desktop\PO45937008ADENGY.exe MD5: 47EBF3893D8D6DB4ADD1B87AD75495E4)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 6316 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 5900 cmdline: /c del 'C:\Users\user\Desktop\PO45937008ADENGY.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WerFault.exe (PID: 1668 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 2152 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.hnchotels.com/mb7q/"], "decoy": ["thezensub.com", "wapedir.com", "itt.xyz", "mindframediscovery.com", "sitesolved.net", "beyju.store", "belatopapparel.xyz", "ridgefitct.com", "huanb.com", "brustwarzentattoo.com", "jlasoluciones.club", "sinoagrifcf.com", "theskineditco.com", "ccsdinstructer.com", "wealththinker.com", "pradnyanamaya.com", "szmsbk.com", "meezingo.com", "ivyshermanboutique.com", "tkbeads.com", "network70.com", "viralofilia.com", "eversteve.com", "softballlyfe.com", "fashionpulos.com", "myfashionest.com", "thelandcle.com", "xuuxacademy.com", "shopbijousecrets.com", "ynlklwsx.icu", "mtasa.blue", "covid19officers.com", "bookitstaugustine.com", "kuppers.info", "therapeuticsmile.com", "bestsocialprograms.com", "alergiaalfrio.com", "hepimizdostuz.com", "shubharambh-gifts.com", "drmellilo.com", "visaad.com", "caseysisters.com", "accessibleageing.com", "tokoryan.online", "databasement.net", "penstockdistillery.com", "payelll.com", "rockinghampress.com", "tuyensinhhaiphong.com", "myrecordsinfo.com", "thegarnetts.vegas", "veganktichen.com", "helpmewithmyenergy.com", "tootywooty.com", "walmartadvisors.com", "atrangii.com", "sceantez.com", "namigwe.art", "davidkellywvhouse6.com", "richardyg.com", "pasouth.com", "theblockparq.com", "merkuryindustries.com", "solidgroundsministries.com"]}

Yara Overview

Memory Dumps

Columns: Source, Rule, Description, Author, Strings

Source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000011.00000002.914756142.0000000003480000.00000004.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000011.00000002.914756142.0000000003480000.00000004.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Columns: Source, Rule, Description, Author, Strings

Source: 9.2.PO45937008ADENGY.exe.400000.0.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 9.2.PO45937008ADENGY.exe.400000.0.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 9.2.PO45937008ADENGY.exe.400000.0.unpack, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
  • 0x158b9:$sqlite3step: 68 34 1C 7B E1
  • 0x159cc:$sqlite3step: 68 34 1C 7B E1
  • 0x158e8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
  • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
Source: 9.2.PO45937008ADENGY.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 9.2.PO45937008ADENGY.exe.400000.0.raw.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
          Source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.hnchotels.com/mb7q/"], "decoy": ["thezensub.com", "wapedir.com", "itt.xyz", "mindframediscovery.com", "sitesolved.net", "beyju.store", "belatopapparel.xyz", "ridgefitct.com", "huanb.com", "brustwarzentattoo.com", "jlasoluciones.club", "sinoagrifcf.com", "theskineditco.com", "ccsdinstructer.com", "wealththinker.com", "pradnyanamaya.com", "szmsbk.com", "meezingo.com", "ivyshermanboutique.com", "tkbeads.com", "network70.com", "viralofilia.com", "eversteve.com", "softballlyfe.com", "fashionpulos.com", "myfashionest.com", "thelandcle.com", "xuuxacademy.com", "shopbijousecrets.com", "ynlklwsx.icu", "mtasa.blue", "covid19officers.com", "bookitstaugustine.com", "kuppers.info", "therapeuticsmile.com", "bestsocialprograms.com", "alergiaalfrio.com", "hepimizdostuz.com", "shubharambh-gifts.com", "drmellilo.com", "visaad.com", "caseysisters.com", "accessibleageing.com", "tokoryan.online", "databasement.net", "penstockdistillery.com", "payelll.com", "rockinghampress.com", "tuyensinhhaiphong.com", "myrecordsinfo.com", "thegarnetts.vegas", "veganktichen.com", "helpmewithmyenergy.com", "tootywooty.com", "walmartadvisors.com", "atrangii.com", "sceantez.com", "namigwe.art", "davidkellywvhouse6.com", "richardyg.com", "pasouth.com", "theblockparq.com", "merkuryindustries.com", "solidgroundsministries.com"]}
Multi AV Scanner detection for submitted file
Source: PO45937008ADENGY.exe, Virustotal: Detection: 27%
Source: PO45937008ADENGY.exe, ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match, File source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.914756142.0000000003480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.712916248.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.914080397.0000000002ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.914486268.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.714806993.00000000012C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 9.2.PO45937008ADENGY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.PO45937008ADENGY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: PO45937008ADENGY.exe, Joe Sandbox ML: detected
Source: 9.2.PO45937008ADENGY.exe.400000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen2
Source: unknown, HTTPS traffic detected: 104.21.56.119:443 -> 192.168.2.4:49727 version: TLS 1.0
Source: PO45937008ADENGY.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
          Source: Binary string: onfiguration.ni.pdb" source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: System.ni.pdb" source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
          Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.670335958.0000000004C32000.00000004.00000001.sdmp
          Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: PO45937008ADENGY.exe, WerFault.exe, 0000000D.00000003.670367883.0000000000C45000.00000004.00000001.sdmp, wlanext.exe
          Source: Binary string: crypt32.pdb_ source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: winnsi.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: clr.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: .ni.pdb source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: PO45937008ADENGY.PDB source: PO45937008ADENGY.exe, 00000000.00000002.708916421.0000000000EF9000.00000004.00000010.sdmp
          Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: urlmon.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: schannel.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.671537664.0000000000C57000.00000004.00000001.sdmp
          Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: WLDP.pdb/ source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
          Source: Binary string: System.Windows.Forms.pdb< source: WER15F6.tmp.dmp.13.dr
          Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
          Source: Binary string: rasapi32.pdb| source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: System.Core.pdb( source: WER15F6.tmp.dmp.13.dr
          Source: Binary string: CLBCatQ.pdb= source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000D.00000003.688645391.0000000005190000.00000004.00000040.sdmp
          Source: Binary string: iphlpapi.pdbu source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbn source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
          Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: mscorsecimpl.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: wmswsock.pdb! source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: shell32.pdbn source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000C.00000000.688286322.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbP source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
          Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.pdb" source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: nsi.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: wntdll.pdbUGP source: PO45937008ADENGY.exe, 00000009.00000003.664621972.0000000001160000.00000004.00000001.sdmp, wlanext.exe, 00000011.00000002.915414593.0000000003A1F000.00000040.00000001.sdmp
          Source: Binary string: ncrypt.pdbk source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdbRSDS source: WER15F6.tmp.dmp.13.dr
          Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: iertutil.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
          Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbps; source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
          Source: Binary string: imagehlp.pdby source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: ucrtbase.pdb_ source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: mscorlib.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: propsys.pdbm source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: comctl32v582.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: iVisualBasic.pdb source: PO45937008ADENGY.exe, 00000000.00000002.708916421.0000000000EF9000.00000004.00000010.sdmp
          Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000D.00000003.670642715.0000000000C51000.00000004.00000001.sdmp
          Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER15F6.tmp.dmp.13.dr
          Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: secur32.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: rasman.pdbv source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.688645391.0000000005190000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.ni.pdbRSDS source: WER15F6.tmp.dmp.13.dr
          Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: ml.ni.pdb source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: .pdb= source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: System.Core.ni.pdbRSDSD source: WER15F6.tmp.dmp.13.dr
          Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: msasn1.pdb7 source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: rsaenh.pdbz source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: ml.ni.pdb" source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: Kernel.Appcore.pdb! source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
          Source: Binary string: dhcpcsvc6.pdbQ source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: wlanext.pdb source: PO45937008ADENGY.exe, 00000009.00000002.716498017.0000000002F80000.00000040.00000001.sdmp
          Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: wUxTheme.pdbs source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: .pdb+ source: PO45937008ADENGY.exe, 00000000.00000002.708916421.0000000000EF9000.00000004.00000010.sdmp
          Source: Binary string: cldapi.pdbC source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
          Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: winhttp.pdb; source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: edputil.pdbI source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdb\F1 source: WER15F6.tmp.dmp.13.dr
          Source: Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: PO45937008ADENGY.exe, 00000000.00000002.708916421.0000000000EF9000.00000004.00000010.sdmp
          Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
          Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000D.00000003.688216819.00000000051AD000.00000004.00000040.sdmp
          Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000000D.00000003.688216819.00000000051AD000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: wgdi32full.pdb` source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: clrjit.pdbR source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
          Source: Binary string: rtutils.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: System.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
          Source: Binary string: Windows.Storage.pdb% source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000D.00000003.670367883.0000000000C45000.00000004.00000001.sdmp
          Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: profapi.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: System.ni.pdbRSDS source: WER15F6.tmp.dmp.13.dr
          Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: rasman.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: propsys.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: dhcpcsvc.pdbg source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: fltLib.pdb` source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: version.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: System.Xml.pdb source: WER15F6.tmp.dmp.13.dr
          Source: Binary string: System.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000C.00000000.688286322.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: psapi.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
          Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: cldapi.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
          Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000D.00000003.671537664.0000000000C57000.00000004.00000001.sdmp
          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: powrprof.pdbT source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.pdb? source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
          Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbJ source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
          Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: C:\Users\user\Desktop\PO45937008ADENGY.PDB source: PO45937008ADENGY.exe, 00000000.00000002.708916421.0000000000EF9000.00000004.00000010.sdmp
          Source: Binary string: wlanext.pdbGCTL source: PO45937008ADENGY.exe, 00000009.00000002.716498017.0000000002F80000.00000040.00000001.sdmp
          Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: edputil.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 4x nop then pop esi 9_2_00415836
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 4x nop then pop edi 9_2_0040C3E8
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 4x nop then pop edi 17_2_02EDC3E8
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 4x nop then pop esi 17_2_02EE5836

          Networking:

          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
          Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49745 -> 185.199.108.153:80
          Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49745 -> 185.199.108.153:80
          Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49745 -> 185.199.108.153:80
          Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49762 -> 52.15.160.167:80
          Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49762 -> 52.15.160.167:80
          Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49762 -> 52.15.160.167:80
          Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 81.88.57.70:80
          Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 81.88.57.70:80
          Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 81.88.57.70:80
          Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 85.17.172.1:80
          Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 85.17.172.1:80
          Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 85.17.172.1:80
          Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 123.31.43.181:80
          Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 123.31.43.181:80
          Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 123.31.43.181:80
          Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49774 -> 34.102.136.180:80
          Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49774 -> 34.102.136.180:80
          Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49774 -> 34.102.136.180:80
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor URLs: www.hnchotels.com/mb7q/
          Performs DNS queries to domains with low reputation
          Source: C:\Windows\explorer.exe DNS query: www.belatopapparel.xyz
          Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-BCA8795F5D846C5CAD40FE94B65D663D.html HTTP/1.1 UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 Host: myliverpoolnews.cf Connection: Keep-Alive
          Source: global traffic HTTP traffic detected: GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=YnLga1qUVPXAwXm8Xnef5U/tzJanlVt5XSiXVkHKK7yNMqf2xcLe6bk7VgYZWvBkjWWZ HTTP/1.1 Host: www.pradnyanamaya.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /mb7q/?yN60IZO0=LCdox3MSFrqgB2UnRRxcW6IJzj2SaKpVJDnxyOZjgJWO5AYJJIYTqL+jJlLhwAlefZ0q&1bhta6=SXxhAn0Xl HTTP/1.1 Host: www.hepimizdostuz.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=XnfwGhrIr5kaKJKvTcoJuAoUfO0x4eHAt94m/ubvkhYI6FHew8DVehMKtseK8ovgeTRA HTTP/1.1 Host: www.hnchotels.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /mb7q/?yN60IZO0=Eg9LmWGI0Oet516AxmsZzIGWmok4sinlIPDI718HGBMEwpQyo+2kUwjDddaGIg2fHcAS&1bhta6=SXxhAn0Xl HTTP/1.1 Host: www.bookitstaugustine.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=wg6/7HKVKbWyxm3ocgI2qQ4ybtWVQQxygyNCKw3F9tUQ2TQ7UscRDkS2j2ufAGdI66vr HTTP/1.1 Host: www.beyju.store Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /mb7q/?yN60IZO0=T8TVcCFgcIrhStyi5i6/EXaR/HpYKREHKQCvv+FQFJF/Ia03IxQCcucp8NSYf6PmMrz3&1bhta6=SXxhAn0Xl HTTP/1.1 Host: www.szmsbk.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /mb7q/?yN60IZO0=T8TVcCFgcIrhStyi5i6/EXaR/HpYKREHKQCvv+FQFJF/Ia03IxQCcucp8NSYf6PmMrz3&1bhta6=SXxhAn0Xl HTTP/1.1 Host: www.szmsbk.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=sq+DyRr6NuP6fKntU6mt8VYgVZP7tC1pT82Xrdht1pAEghqPgbO+4msYNeCB8xB+bsnr HTTP/1.1 Host: www.accessibleageing.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /mb7q/?yN60IZO0=ls93n2nhUbPH7ZWasPqHHp+Oj5DBIWMdhgoo5YdbrjX5fhF2xRgLdx2nyRRs2JHw0wni&1bhta6=SXxhAn0Xl HTTP/1.1 Host: www.theskineditco.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /mb7q/?yN60IZO0=icy9hz7ZIr7yHvDFY6JKJS3opDpdp14zNZwv94Uz6fKXYU2e142cjQElnIAagsV1qBmU&1bhta6=SXxhAn0Xl HTTP/1.1 Host: www.thelandcle.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=l0uTrHgE4dX2CW6Jm11j3gK8Y/IcSuDEElYWgJQkj1du3DAYA3t1OAmIJu7yCFi9CsnQ HTTP/1.1 Host: www.tuyensinhhaiphong.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /mb7q/?yN60IZO0=a++sXVDjlFcB+laA3tgwrXcpuU3gANSGBltEKWMQhUjV/pCI9+JHBzUzdG3AEbQkWVAu&1bhta6=SXxhAn0Xl HTTP/1.1 Host: www.merkuryindustries.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=Fzfm3a0XdlsnDkSWJpXlhrCLV6cUJcC1/JgJIuUu2jl9+pI7KEKz6GYJxWtv8ndSN9vJ HTTP/1.1 Host: www.belatopapparel.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /mb7q/?yN60IZO0=JkR/9GwueQDu2AwlHCPTEGTZaRQMZ19kAB6Pon410vUfaRtwZx2A0sBIx1wpZTt7VNCf&1bhta6=SXxhAn0Xl HTTP/1.1 Host: www.helpmewithmyenergy.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=ldDnDUdezTC7tPBp0C9FWPT+aIOp+kECAuOoWXdVRcKkjwO3/Dyrm4T044WIDM2icpCp HTTP/1.1 Host: www.softballlyfe.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox View IP Address: 172.67.150.212 172.67.150.212
          Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
          Source: Joe Sandbox View ASN Name: PEGTECHINCUS PEGTECHINCUS
          Source: Joe Sandbox View ASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN
          Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
          Source: unknown HTTPS traffic detected: 104.21.56.119:443 -> 192.168.2.4:49727 version: TLS 1.0
          Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: [liverpool.com page footer HTML omitted] equals www.facebook.com (Facebook)
          Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: [liverpool.com page footer HTML omitted] equals www.twitter.com (Twitter)
          Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: [liverpool.com page header HTML omitted; the report entry is truncated]
          Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: [liverpool.com article HTML omitted] equals www.facebook.com (Facebook)
          Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: [liverpool.com article HTML omitted] equals www.twitter.com (Twitter)
          Source: unknown DNS traffic detected: queries for: myliverpoolnews.cf
          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 08 Apr 2021 11:31:12 GMT Content-Type: text/html Content-Length: 153 Connection: close Server: nginx/1.16.1 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
          Source: PO45937008ADENGY.exe, 00000000.00000002.710825651.0000000002E7F000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
          Source: PO45937008ADENGY.exe, 00000000.00000002.710825651.0000000002E7F000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
          Source: PO45937008ADENGY.exe, 00000000.00000002.710825651.0000000002E7F000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
          Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://