Edit tour

Windows Analysis Report
18001787_down_payment_invoice_90002104.exe

Overview

General Information

Sample Name:	18001787_down_payment_invoice_90002104.exe
Analysis ID:	1334833
MD5:	195787f942427352db785fea42c93f43
SHA1:	11349f0aa5059663c99bddb4b1d4925b0795d4c0
SHA256:	4957fb0faa66fa85bd02e198c98d741a6edf5f683538601bbc7099f88aa4ac30
Infos:

Detection

GuLoader, Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Remcos RAT

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Yara detected GuLoader

Snort IDS alert for network traffic

Installs a global keyboard hook

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Tries to steal Mail credentials (via file registry)

Contains functionality to modify clipboard data

Yara detected WebBrowserPassView password recovery tool

Uses dynamic DNS services

Tries to steal Instant Messenger accounts or passwords

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Sleep loop found (likely to delay execution)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Abnormal high CPU Usage

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

PE / OLE file has an invalid certificate

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

18001787_down_payment_invoice_90002104.exe (PID: 3312 cmdline: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe MD5: 195787F942427352DB785FEA42C93F43)

wab.exe (PID: 1392 cmdline: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 6416 cmdline: C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ixfof MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 3152 cmdline: C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\szlggikjo MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 6492 cmdline: C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\utqzgbudcvrn MD5: 251E51E2FEDCE8BB82763D39D631EF89)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group	http://malware-traffic-analysis.net/2017/12/22/index.html https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\paqlgkfs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.40188235622.0000000000690000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
00000007.00000002.45052911947.0000000004C88000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000007.00000003.40526012940.0000000004C86000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000007.00000002.45046073128.0000000003AF9000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000003.00000002.40189422367.0000000003F89000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: 18001787_down_payment_invoice_90002104.exe PID: 3312	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
Process Memory Space: wab.exe PID: 1392	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: wab.exe PID: 1392	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: wab.exe PID: 6416	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 4 entries

Snort Signatures

ET TROJAN Remcos 3.x Unencrypted Checkin - Source IP: 192.168.11.20 - Destination IP: 94.156.6.253

Timestamp:	192.168.11.2094.156.6.2535007724022032776 10/31/23-13:20:00.651244
SID:	2032776
Source Port:	50077
Destination Port:	2402
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Remcos 3.x Unencrypted Server Response - Source IP: 94.156.6.253 - Destination IP: 192.168.11.20

Timestamp:	94.156.6.253192.168.11.202402500772032777 10/31/23-13:26:11.604235
SID:	2032777
Source Port:	2402
Destination Port:	50077
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN GuLoader Encoded Binary Request M2 - Source IP: 192.168.11.20 - Destination IP: 217.147.225.69

Timestamp:	192.168.11.20217.147.225.6950076802855192 10/31/23-13:19:57.803142
SID:	2855192
Source Port:	50076
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 18001787_down_payment_invoice_90002104.exe

Virustotal: Detection: 11%

Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 00000007.00000002.45052911947.0000000004C88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.40526012940.0000000004C86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 1392, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, type: DROPPED

Antivirus detection for URL or domain

Source: http://gudanidevelopment.ge/IogvoayYhe139.binSchoSvltathirchimie.com/IogvoayYhe139.bin

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: gudanidevelopment.ge	Virustotal: Detection: 17%			Perma Link
Source: ourt2949aslumes9.duckdns.org	Virustotal: Detection: 13%			Perma Link

Source: 18001787_down_payment_invoice_90002104.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 18001787_down_payment_invoice_90002104.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe	Code function: 3_2_0040672B FindFirstFileW,FindClose,	3_2_0040672B
Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe	Code function: 3_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	3_2_00405AFA
Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe	Code function: 3_2_00402868 FindFirstFileW,	3_2_00402868
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_356310F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	7_2_356310F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_35636580 FindFirstFileExA,	7_2_35636580
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_0040AE51 FindFirstFileW,FindNextFileW,	9_2_0040AE51
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,	10_2_00407C87
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	11_2_00407898

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855192 ETPRO TROJAN GuLoader Encoded Binary Request M2 192.168.11.20:50076 -> 217.147.225.69:80
Source: Traffic	Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.11.20:50077 -> 94.156.6.253:2402
Source: Traffic	Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 94.156.6.253:2402 -> 192.168.11.20:50077

Uses dynamic DNS services

Source: unknown

DNS query: name: ourt2949aslumes9.duckdns.org

Source: Joe Sandbox View	ASN Name: NET1-ASBG NET1-ASBG
Source: Joe Sandbox View	ASN Name: GRENA-ASTbilisiGeorgiaGE GRENA-ASTbilisiGeorgiaGE

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 94.156.6.253 94.156.6.253

Source: global traffic

HTTP traffic detected: GET /IogvoayYhe139.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: gudanidevelopment.geCache-Control: no-cache

Source: global traffic

TCP traffic: 192.168.11.20:50077 -> 94.156.6.253:2402

Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.6.253

Source: wab.exe, 00000007.00000002.45066782478.0000000035600000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000B.00000002.40221614069.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: wab.exe, 00000009.00000003.40247422659.00000000046B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"bluecurvetv.shaw.ca"},{"applied_policy":"OnlyExposeWidevine","domain":"helix.videotron.com"},{"applied_policy":"OnlyExposeWidevine","domain":"criterionchannel.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ntathome.com"},{"applied_policy":"OnlyExposeWidevine","domain":"wowpresentsplus.com"},{"applied_policy":"OnlyExposeWidevine","domain":"vhx.tv"},{"applied_policy":"OnlyExposePlayReady","domain":"hulu.com"},{"applied_policy":"OnlyExposeWidevine","domain":"app.quickhelp.com"},{"applied_policy":"OnlyExposeWidevine","domain":"DishAnywhere.com"}],"policies":[{"name":"OnlyExposePlayReady","type":"Playready"},{"name":"OnlyExposeWidevine","type":"Widevine"}],"version":1},"codec_override":{"applications":[{"applied_policy":"HideMfHevcCodec","domain":"tv.apple.com"},{"applied_policy":"HideMfHevcCodec","domain":"nintendo.com"}],"policies":[{"name":"HideMfHevcCodec","type":"MfHevcCodec"}],"version":1},"content_filter_on_off_switch":{"applications":[{"applied_policy":"ContentFilter","domain":"microsoft.com"}],"policies":[{"name":"ContentFilter"}],"version":1},"ecp_override":{"applications":[{"applied_policy":"PlainTextURLsOnly","domain":"hangouts.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"chat.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"slack.com"},{"applied_policy":"PlainTextURLsOnly","domain":"facebook.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wechat.com"},{"applied_policy":"PlainTextURLsOnly","domain":"weixin.com"},{"applied_policy":"PlainTextURLsOnly","domain":"qq.com"},{"applied_policy":"PlainTextURLsOnly","domain":"webex.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wordpress.com"},{"applied_policy":"PlainTextURLsOnly","domain":"twitter.com"},{"applied_policy":"PlainTextURLsOnly","domain":"discord.com"}],"policies":[{"name":"PlainTextURLsOnly","type":"ECPOnlyPlaintextURLs"}],"version":1},"idl_override":{"applications":[{"applied_policy":"ExposePrefixedEME","domain":"netflix.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.jp"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.uk"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.de"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.es"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.fr"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.in"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.it"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.ca"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com.br"},{"applied_policy":"ExposePrefixedEME","domain":"sling.com"},{"applied_policy":"ExposePrefixedEME","domain":"openidconnectweb.azurewebsites.net"}],"policies":[{"name":"ExposePrefixedEME","type":"PrefixedEme"}],"version":1},"media_foundation_o
Source: wab.exe, 00000009.00000003.40247422659.00000000046B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"bluecurvetv.shaw.ca"},{"applied_policy":"OnlyExposeWidevine","domain":"helix.videotron.com"},{"applied_policy":"OnlyExposeWidevine","domain":"criterionchannel.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ntathome.com"},{"applied_policy":"OnlyExposeWidevine","domain":"wowpresentsplus.com"},{"applied_policy":"OnlyExposeWidevine","domain":"vhx.tv"},{"applied_policy":"OnlyExposePlayReady","domain":"hulu.com"},{"applied_policy":"OnlyExposeWidevine","domain":"app.quickhelp.com"},{"applied_policy":"OnlyExposeWidevine","domain":"DishAnywhere.com"}],"policies":[{"name":"OnlyExposePlayReady","type":"Playready"},{"name":"OnlyExposeWidevine","type":"Widevine"}],"version":1},"codec_override":{"applications":[{"applied_policy":"HideMfHevcCodec","domain":"tv.apple.com"},{"applied_policy":"HideMfHevcCodec","domain":"nintendo.com"}],"policies":[{"name":"HideMfHevcCodec","type":"MfHevcCodec"}],"version":1},"content_filter_on_off_switch":{"applications":[{"applied_policy":"ContentFilter","domain":"microsoft.com"}],"policies":[{"name":"ContentFilter"}],"version":1},"ecp_override":{"applications":[{"applied_policy":"PlainTextURLsOnly","domain":"hangouts.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"chat.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"slack.com"},{"applied_policy":"PlainTextURLsOnly","domain":"facebook.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wechat.com"},{"applied_policy":"PlainTextURLsOnly","domain":"weixin.com"},{"applied_policy":"PlainTextURLsOnly","domain":"qq.com"},{"applied_policy":"PlainTextURLsOnly","domain":"webex.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wordpress.com"},{"applied_policy":"PlainTextURLsOnly","domain":"twitter.com"},{"applied_policy":"PlainTextURLsOnly","domain":"discord.com"}],"policies":[{"name":"PlainTextURLsOnly","type":"ECPOnlyPlaintextURLs"}],"version":1},"idl_override":{"applications":[{"applied_policy":"ExposePrefixedEME","domain":"netflix.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.jp"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.uk"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.de"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.es"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.fr"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.in"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.it"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.ca"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com.br"},{"applied_policy":"ExposePrefixedEME","domain":"sling.com"},{"applied_policy":"ExposePrefixedEME","domain":"openidconnectweb.azurewebsites.net"}],"policies":[{"name":"ExposePrefixedEME","type":"PrefixedEme"}],"version":1},"media_foundation_o
Source: wab.exe, 00000009.00000003.40248364770.00000000046B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: e","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"bluecurvetv.shaw.ca"},{"applied_policy":"OnlyExposeWidevine","domain":"helix.videotron.com"},{"applied_policy":"OnlyExposeWidevine","domain":"criterionchannel.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ntathome.com"},{"applied_policy":"OnlyExposeWidevine","domain":"wowpresentsplus.com"},{"applied_policy":"OnlyExposeWidevine","domain":"vhx.tv"},{"applied_policy":"OnlyExposePlayReady","domain":"hulu.com"},{"applied_policy":"OnlyExposeWidevine","domain":"app.quickhelp.com"},{"applied_policy":"OnlyExposeWidevine","domain":"DishAnywhere.com"}],"policies":[{"name":"OnlyExposePlayReady","type":"Playready"},{"name":"OnlyExposeWidevine","type":"Widevine"}],"version":1},"codec_override":{"applications":[{"applied_policy":"HideMfHevcCodec","domain":"tv.apple.com"},{"applied_policy":"HideMfHevcCodec","domain":"nintendo.com"}],"policies":[{"name":"HideMfHevcCodec","type":"MfHevcCodec"}],"version":1},"content_filter_on_off_switch":{"applications":[{"applied_policy":"ContentFilter","domain":"microsoft.com"}],"policies":[{"name":"ContentFilter"}],"version":1},"ecp_override":{"applications":[{"applied_policy":"PlainTextURLsOnly","domain":"hangouts.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"chat.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"slack.com"},{"applied_policy":"PlainTextURLsOnly","domain":"facebook.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wechat.com"},{"applied_policy":"PlainTextURLsOnly","domain":"weixin.com"},{"applied_policy":"PlainTextURLsOnly","domain":"qq.com"},{"applied_policy":"PlainTextURLsOnly","domain":"webex.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wordpress.com"},{"applied_policy":"PlainTextURLsOnly","domain":"twitter.com"},{"applied_policy":"PlainTextURLsOnly","domain":"discord.com"}],"policies":[{"name":"PlainTextURLsOnly","type":"ECPOnlyPlaintextURLs"}],"version":1},"idl_override":{"applications":[{"applied_policy":"ExposePrefixedEME","domain":"netflix.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.jp"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.uk"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.de"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.es"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.fr"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.in"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.it"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.ca"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com.br"},{"applied_policy":"ExposePrefixedEME","domain":"sling.com"},{"applied_policy":"ExposePrefixedEME","domain":"openidconnectweb.azurewebsites.net"}],"policies":[{"name":"ExposePrefixedEME","type":"PrefixedEme"}]
Source: wab.exe, 00000009.00000003.40248364770.00000000046B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: e","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"bluecurvetv.shaw.ca"},{"applied_policy":"OnlyExposeWidevine","domain":"helix.videotron.com"},{"applied_policy":"OnlyExposeWidevine","domain":"criterionchannel.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ntathome.com"},{"applied_policy":"OnlyExposeWidevine","domain":"wowpresentsplus.com"},{"applied_policy":"OnlyExposeWidevine","domain":"vhx.tv"},{"applied_policy":"OnlyExposePlayReady","domain":"hulu.com"},{"applied_policy":"OnlyExposeWidevine","domain":"app.quickhelp.com"},{"applied_policy":"OnlyExposeWidevine","domain":"DishAnywhere.com"}],"policies":[{"name":"OnlyExposePlayReady","type":"Playready"},{"name":"OnlyExposeWidevine","type":"Widevine"}],"version":1},"codec_override":{"applications":[{"applied_policy":"HideMfHevcCodec","domain":"tv.apple.com"},{"applied_policy":"HideMfHevcCodec","domain":"nintendo.com"}],"policies":[{"name":"HideMfHevcCodec","type":"MfHevcCodec"}],"version":1},"content_filter_on_off_switch":{"applications":[{"applied_policy":"ContentFilter","domain":"microsoft.com"}],"policies":[{"name":"ContentFilter"}],"version":1},"ecp_override":{"applications":[{"applied_policy":"PlainTextURLsOnly","domain":"hangouts.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"chat.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"slack.com"},{"applied_policy":"PlainTextURLsOnly","domain":"facebook.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wechat.com"},{"applied_policy":"PlainTextURLsOnly","domain":"weixin.com"},{"applied_policy":"PlainTextURLsOnly","domain":"qq.com"},{"applied_policy":"PlainTextURLsOnly","domain":"webex.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wordpress.com"},{"applied_policy":"PlainTextURLsOnly","domain":"twitter.com"},{"applied_policy":"PlainTextURLsOnly","domain":"discord.com"}],"policies":[{"name":"PlainTextURLsOnly","type":"ECPOnlyPlaintextURLs"}],"version":1},"idl_override":{"applications":[{"applied_policy":"ExposePrefixedEME","domain":"netflix.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.jp"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.uk"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.de"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.es"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.fr"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.in"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.it"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.ca"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com.br"},{"applied_policy":"ExposePrefixedEME","domain":"sling.com"},{"applied_policy":"ExposePrefixedEME","domain":"openidconnectweb.azurewebsites.net"}],"policies":[{"name":"ExposePrefixedEME","type":"PrefixedEme"}]
Source: wab.exe, wab.exe, 0000000B.00000002.40221614069.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: wab.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: wab.exe, 00000009.00000002.40254477336.00000000046A4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251675749.000000000469C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251931887.00000000046A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: wab.exe, 00000009.00000002.40254477336.00000000046A4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251675749.000000000469C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251931887.00000000046A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: wab.exe, 00000009.00000003.40247633831.00000000046A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: u"},{"applied_policy":"prompt","domain":"www.estadao.com.br"},{"applied_policy":"prompt","domain":"olxpakistan.os.tc"},{"applied_policy":"prompt","domain":"televisa.com"},{"applied_policy":"prompt","domain":"uol.com.br"},{"applied_policy":"prompt","domain":"www.axisbank.com"},{"applied_policy":"prompt","domain":"mutualfund.adityabirlacapital.com"},{"applied_policy":"prompt","domain":"www.facebook.com"},{"applied_policy":"prompt","domain":"www.instagram.com"},{"applied_policy":"prompt","domain":"www.messenger.com"}],"policies":[{"name":"prompt","reason":"","type":"","value":""}],"version":1}}fre{"autoimport_spartan_visible_item_completed":true,"oem_bookmarks_set":true,"should_user_see_fre_banner":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default"}hardware_acceleration_mode_previoustrueis_dsp_recommendedtruelegacy{"profile":{"name":{"migrated":true}}}migration{"Default":{"migration_attempt":0,"migration_version":4},"last_edgeuwp_pin_migration_on_edge_version":"94.0.992.31","last_edgeuwp_pin_migration_on_os_version":"10 Version 20H2 (Build 19042.1165)","last_edgeuwp_pin_migration_success":false}network_primary_browser{"browser_name_enum":1,"last_computed_time":"13276780388565220","network_usage":{"browser_with_highest_network_usage":1,"browsers_usage":{"1":100.0},"ie":0}}network_time{"network_time_mapping":{"local":1.691263997088662e+12,"network":1.691260396e+12,"ticks":126914944.0,"uncertainty":1220870.0}}os_crypt{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAb7qWBj3YRSZSg2yN3JOzDEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAcjDYF/dB+Ehkggnbhv5UEmuk4qMrV300v/DxeYPr2kcAAAAADoAAAAACAAAgAAAA4Fc7bPPxg5D3HUrv9FeO3M8NoHE1hRCd1+t1vMyMeGIwAAAA60sl/pIpVYUn/pFhWuHqOweLytcqg8K9+apLINEdcjv+lt8eT+qH7hjP4LZPc65wQAAAABgU4kp6fr9r5p49VZoKZkZbDP1PXsAR/6XYDO+DikEUGEeRYwj0k5LNwmmr0tZ5hKexU3XBg6oVvPcKgnBt6go="}policy{"last_statistics_update":"13335737596278882"}profileANg3Zw2QouYXcOw3P8MgEYmqBohsyHX3A0QYKqCpqgaYKnCaImmJqgaoKr2eaJ8Qu6JvhC8IXgC8EXskfsUsie4Rd8IfhC8IXgC8EXgi8EXwi+EHxhm5eAX/CF4Gudt8rtxcmWHtzKEYrlqfPwGMw8n+fDLltVh7rgekAiRnsBdgY/P4Itiocfnljxe+W2ga1bwbr1j/CS/34+f3++b1IqgQeX2IdvZPSDce7EDIYgeJVNpXPeTKuHZ5yVD9wJ0DceUugUaQm3qtju0YTnB5MKDsADH+gwWG2vonWTUqaj9QFb2Dy/bF7sY6I1n2DJHmpa7A/qg4yb4S6NqPJ9AtKm/5KR8b3rp9+LtsdJcYYVbLtPZTteneEulyXk/54QMpAYEW3NtmiWweguM1wR+XqhTdqDDDBykftettEI9cW4grTMwqcc equals www.facebook.com (Facebook)
Source: wab.exe, 00000009.00000003.40247568184.00000000046B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wholesomeyum.com"},{"applied_policy":"prompt","domain":"www.asklaila.com"},{"applied_policy":"prompt","domain":"www.sammobile.com"},{"applied_policy":"prompt","domain":"www.ecuavisa.com"},{"applied_policy":"prompt","domain":"uz.sputniknews.ru"},{"applied_policy":"prompt","domain":"www.ndtv.com"},{"applied_policy":"prompt","domain":"www.elimparcial.com"},{"applied_policy":"prompt","domain":"www.povarenok.ru"},{"applied_policy":"prompt","domain":"www.estadao.com.br"},{"applied_policy":"prompt","domain":"olxpakistan.os.tc"},{"applied_policy":"prompt","domain":"televisa.com"},{"applied_policy":"prompt","domain":"uol.com.br"},{"applied_policy":"prompt","domain":"www.axisbank.com"},{"applied_policy":"prompt","domain":"mutualfund.adityabirlacapital.com"},{"applied_policy":"prompt","domain":"www.facebook.com"},{"applied_policy":"prompt","domain":"www.instagram.com"},{"applied_policy":"prompt","domain":"www.messenger.com"}],"policies":[{"name":"prompt","reason":"","type":"","value":""}],"version":1}}fre{"autoimport_spartan_visible_item_completed":true,"oem_bookmarks_set":true,"should_user_see_fre_banner":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default"}hardware_acceleration_mode_previoustrueis_dsp_recommendedtruelegacy{"profile":{"name":{"migrated":true}}}migration{"Default":{"migration_attempt":0,"migration_version":4},"last_edgeuwp_pin_migration_on_edge_version":"94.0.992.31","last_edgeuwp_pin_migration_on_os_version":"10 Version 20H2 (Build 19042.1165)","last_edgeuwp_pin_migration_success":false}network_primary_browser{"browser_name_enum":1,"last_computed_time":"13276780388565220","network_usage":{"browser_with_highest_network_usage":1,"browsers_usage":{"1":100.0},"ie":0}}network_time{"network_time_mapping":{"local":1.691263997088662e+12,"network":1.691260396e+12,"ticks":126914944.0,"uncertainty":1220870.0}}os_crypt{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAb7qWBj3YRSZSg2yN3JOzDEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAcjDYF/dB+Ehkggnbhv5UEmuk4qMrV300v/DxeYPr2kcAAAAADoAAAAACAAAgAAAA4Fc7bPPxg5D3HUrv9FeO3M8NoHE1hRCd1+t1vMyMeGIwAAAA60sl/pIpVYUn/pFhWuHqOweLytcqg8K9+apLINEdcjv+lt8eT+qH7hjP4LZPc65wQAAAABgU4kp6fr9r5p49VZoKZkZbDP1PXsAR/6XYDO+DikEUGEeRYwj0k5LNwmmr0tZ5hKexU3XBg6oVvPcKgnBt6go="}policy{"last_statistics_update":"13335737596278882"}profile{"info_cache":{"Default":{"active_time":1691263997.009407,"avatar_icon":"chrome://theme/IDR_PROFILE_AVATAR_20","background_apps":false,"edge_account_cid":"8628dc546dc99469","edge_account_first_name":"Shahak","edge_account_last_name":"Shapira","edge_account_oid":"","edge_account_sovereignty":0,"edge_account_tenant_id":"","edge_account_type":1,"edge_force_signout_state":0,"edge_kids_mode":false,"edge_muid":"243215E5327669D43677068133B66811","edge_previously_signin_user_name":"","edge_signed_in_default_name":33554433,"edge_test_on_premises":false,"edge_wam_aad_for_app_account_type":0,"edge_was_previously_signin":false,"force_signin_profile_locked":false,"gaia_given_name":"","gaia_id
Source: wab.exe, 00000007.00000002.45066609211.0000000035570000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: wab.exe, 00000007.00000002.45066609211.0000000035570000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crt0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSHybridECCSHA3842020CA1.crt0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1.crt0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://cacerts.geotrust.com/GeoTrustECCCA2018.crt0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://cacerts.thawte.com/ThawteRSACA2018.crt0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://cdp.geotrust.com/GeoTrustECCCA2018.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://cdp.thawte.com/ThawteRSACA2018.crl0L
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://contentstorage.osi.office.net/
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr3dvtlsca2020.crl0#
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl.godaddy.com/gdig2s1-2558.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl.rootg2.amazontrust.com/rootg2.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl.sca1b.amazontrust.com/sca1b.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertSHA2SecureServerCA.crl0=
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl0F
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1.crl0D
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-3.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g7.crl0/
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0L
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertSHA2SecureServerCA.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertSHA2SecureServerCA.crl0L
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSHybridECCSHA3842020CA1.crl0L
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-3.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1.crl0L
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g7.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crls.pki.goog/gts1c3/QOvJ0N1sT2A.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crls.pki.goog/gts1c3/fVJxbV-Ktmk.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer0=
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crt.sca1b.amazontrust.com/sca1b.crt0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
Source: wab.exe, 00000007.00000003.40256849481.0000000004CC2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.40202980557.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.40525599454.0000000004CC2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.40526012940.0000000004C97000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.45052911947.0000000004C97000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.45052676027.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.40203086900.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: wab.exe, 00000007.00000002.45052676027.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpn.net/LMEMH8
Source: wab.exe, 00000007.00000003.40526012940.0000000004C97000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.45052911947.0000000004C97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpy
Source: wab.exe, wab.exe, 00000007.00000002.45052911947.0000000004C88000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.45065735573.00000000342A0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000007.00000003.40526012940.0000000004C86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gudanidevelopment.ge/IogvoayYhe139.bin
Source: wab.exe, 00000007.00000002.45065735573.00000000342A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://gudanidevelopment.ge/IogvoayYhe139.binSchoSvltathirchimie.com/IogvoayYhe139.bin
Source: 18001787_down_payment_invoice_90002104.exe, Filamenterne.exe.7.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://o.ss2.us/0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0B
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0F
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0G
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0M
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gsovsha2g4r30
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr3dvtlsca20200V
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.godaddy.com/0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.godaddy.com/02
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.godaddy.com/05
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.pki.goog/gts1c301
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.rootg2.amazontrust.com08
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.sca1b.amazontrust.com06
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp.sectigo.com0%
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr30;
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://ocspx.digicert.com0E
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0$
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der07
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://s.ss2.us/r.crl0
Source: 18001787_down_payment_invoice_90002104.exe, Filamenterne.exe.7.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: 18001787_down_payment_invoice_90002104.exe, Filamenterne.exe.7.dr	String found in binary or memory: http://s.symcd.com06
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr3dvtlsca2020.crt09
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsovsha2g4r3.crt0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://status.geotrust.com0=
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://status.thawte.com09
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://trc.taboola.com/p3p.xml
Source: 18001787_down_payment_invoice_90002104.exe, Filamenterne.exe.7.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: 18001787_down_payment_invoice_90002104.exe, Filamenterne.exe.7.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: 18001787_down_payment_invoice_90002104.exe, Filamenterne.exe.7.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://www.digicert.com/CPS0u
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://www.digicert.com/CPS0v
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://www.digicert.com/CPS0~
Source: wab.exe, wab.exe, 0000000B.00000002.40221614069.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: wab.exe, wab.exe, 0000000B.00000002.40221938113.0000000002CBD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.40221614069.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: wab.exe, 0000000B.00000002.40221415732.00000000000DC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.com/hrq
Source: wab.exe, 0000000B.00000002.40221938113.0000000002CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.comata
Source: wab.exe, 00000007.00000002.45066782478.0000000035600000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000B.00000002.40221614069.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: wab.exe, 00000007.00000002.45066782478.0000000035600000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000B.00000002.40221614069.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: wab.exe, 00000009.00000002.40252547768.0000000000306000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: wab.exe, 0000000B.00000002.40221614069.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: bhv3A27.tmp.9.dr	String found in binary or memory: http://x.ss2.us/x.cer0&
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.double
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.doublecli
Source: wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activ
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activi
Source: wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chrom0;ord=8672137916610;
Source: wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40247804695.00000000046BA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40247422659.00000000046BA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241458515.00000000046AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40247048218.00000000046BA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40247568184.00000000046BA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246925734.00000000046BA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40247709473.00000000046BA000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=37393684334
Source: wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7209567
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://acdn.adnxs.com/ast/ast.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://acdn.adnxs.com/dmp/async_usersync.html
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://acdn.adnxs.com/dmp/async_usersync.html?gdpr=1&gdpr_consent=CPM7kC1PM7kC1AcABBENBQCsAP_AAELAA
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://adservice.google.co.
Source: wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.dr	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gt
Source: wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.dr	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gtm=
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://afdxtest.z01.azurefd.net/apc/trans.gif?daed76fa672ed2fa739774d44bb38da5
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://afdxtest.z01.azurefd.net/apc/trans.gif?e77f8dc2c88b806ec91fb50956aeee97
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jquery/jquery-3.3.1.min.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://api.taboola.com/1.2/json/taboola-usersync/user.sync?app.type=desktop&app.apikey=e60e3b54fc66
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC028e72ad6b944b8183346fecb32a729
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC05934b07a40a4d8a9a0cc7a79e85434
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC0ee8c30f496b428a91d7f3289a2b8a2
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC784fc6783b2f45a09cb8efa184cc684
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC8cd6be4f72cf4da1aa891e7da23d144
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RC9fc5c8b8bfb94ba5833ba8065b1de35
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCacc6c4ed30494f9fad065afe638a7ca
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCd01d50cad19649bf857a22be5995480
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCe691e5baee9945259179326d0658843
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCefb91313fdae420ebbea45d8f044894
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/AAehR3S.svg
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://b1sync.zemanta.com/usersync/msn/?puid=101156F9176C6E98058F466E16B36FAC
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://btloader.com/tag?o=6208086025961472&upapi=true
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://capturemedia-assets.com/
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://capturemedia-assets.com/ig-bank/ad-engagement/startAnimation/main/index.html
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://cdn.adnxs.com/v/s/215/trk.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/CommonDiagnostics.js?b=16521.30551
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/hrd/microsoft_logo.png?b=14512.30550
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/hrd/microsoft_logo.png?b=16521.30551
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/hrd/picker-account-aad.png?b=14512.30550
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/hrd/picker-account-aad.png?b=16521.30551
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/hrd/picker-account-msa.png?b=16521.30551
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/jquery-1.12.4.1.min.js?b=16521.30551
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/knockout-3.4.2.js?b=16521.30551
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://cdn.taboola.com/TaboolaCookieSyncScript.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/gsap/3.5.1/gsap.min.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://certs.godaddy.com/repository/0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://clientconfig.microsoftonline-p.net
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/avatar.png
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/bundle.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/fabric.min.css
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/index.html?mode=NewDeviceActivation
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contextual.med
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contextual.medi
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://contextual.media.net/
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://contextual.media.net/48/nrrV39259.js
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/check
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/checks
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://csp.withgoogle.com/csp/active-view-scs-read-write-acl
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://csp.withgoogle.com/csp/ads-programmable
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://csp.withgoogle.com/csp/botguard-scs
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://csp.withgoogle.com/csp/recaptcha/1
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/active-view-scs-read-write-acl
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/ads-programmable
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/adspam-signals-scs
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/botguard-scs
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/recaptcha
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://cvision.media.net/new/300x300/2/45/221/3/7d5dc6a9-5325-442d-926e-f2c668b8e65e.jpg?v=9
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://cvision.media.net/new/300x300/2/75/165/127/fefc2984-60ee-407b-a704-0db527f30f53.jpg?v=9
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://cxcs.microsoft.net/api/gs/en-US/xmlv2/storyset?platform=desktop&release=20h2&schema=3.0&sku=
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://cxcs.microsoft.net/api/gs/en-US/xmlv2/tip-contentset?platform=desktop&release=20h2&schema=3.
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-US/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://cxcs.microsoft.net/static/public/tips/neutral/5c08e5e7-4cfd-4901-acbc-79925276672c/33c540c16
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://cxcs.microsoft.net/static/public/tips/neutral/6c6740da-0bfe-48a6-83fc-c98d1919b060/3addf02b7
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://cxcs.microsoft.net/static/public/tips/neutral/fb5aa6fc-fb0f-43c0-9aba-9bf4642cdd05/9a3b4a8d1
Source: 18001787_down_payment_invoice_90002104.exe, Filamenterne.exe.7.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: 18001787_down_payment_invoice_90002104.exe, Filamenterne.exe.7.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: 18001787_down_payment_invoice_90002104.exe, Filamenterne.exe.7.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eb2.3lif
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eb2.3lift.com/sync
Source: wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40240352351.0000000004DC1000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.dr	String found in binary or memory: https://eb2.3lift.com/sync?
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-FRAr4b&Fr
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://evoke-windowsservices-tas.msedge.net/ab
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://get.a
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://get3.adobe
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://get3.adobe.co
Source: wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.microsoft.co
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/pagea
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/ads?gdpr=1&gdpr_consent=CPM7kC1PM7kC1AcABBENBQCsAP_AAELAA
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211
Source: wab.exe, 00000009.00000003.40243039699.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241918719.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241974058.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242794079.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242860645.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242752420.00000000046AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242191086.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251675749.000000000469C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242028208.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242244213.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242980257.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242920703.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242136692.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242079889.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241811190.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251742815.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242691645.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211https://googleads.g.doubleclick.net/page
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/si
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://ib.3lift.com/sync.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://ib.adnxs.com/
Source: wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.dr	String found in binary or memory: https://ib.adnxs.com/async_usersync_file
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4GhRT?ver=5f90
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4GhRY?ver=52e8
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4IMai
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4IQAK
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4OALs
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4OAdg?ver=1c49
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4OFrw?ver=d941
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4OFrz?ver=8427
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4OI51?ver=0686
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ONWz
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWB7v5
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWFNIa
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWFNIj
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWG0VH
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWLcTb?ver=b557
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWLuYO
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKp8YX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAMqFmF?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AANf6qa.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AANf6qa?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAODMk8?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAODQmd?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAODept?h=75&w=100&m=6&q=60&u=t&o=t&l=f
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOEFck?h=75&w=100&m=6&q=60&u=t&o=t&l=f&x=82
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOEQ0I?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOF4WR?h=75&w=100&m=6&q=60&u=t&o=t&l=f
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOF4Xx?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFBrV?h=75&w=100&m=6&q=60&u=t&o=t&l=f
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFC5q?h=75&w=100&m=6&q=60&u=t&o=t&l=f
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFCgW?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFCgW?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFE0J?h=75&w=100&m=6&q=60&u=t&o=t&l=f&x=70
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFENj?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFJFJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFLk7?h=75&w=100&m=6&q=60&u=t&o=t&l=f&x=43
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFWV8?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFhty?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFsUC?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFu51?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFy7B?h=75&w=100&m=6&q=60&u=t&o=t&l=f
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFyKG?h=75&w=100&m=6&q=60&u=t&o=t&l=f&x=60
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOG3Y7?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOG3Y7?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOG88s?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOGPXq?h=194&w=300&m=6&q=60&u=t&o=t&l=f
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOGQtJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOGV90?h=194&w=300&m=6&q=60&u=t&o=t&l=f&x=5
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOGapF?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOGlbE?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOGmTG?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOGyYN?h=194&w=300&m=6&q=60&u=t&o=t&l=f
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOH2Ml?h=194&w=300&m=6&q=60&u=t&o=t&l=f
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOH6xB?h=75&w=100&m=6&q=60&u=t&o=t&l=f
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB10MkbM.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB10MkbM?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=pn
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB14hq0P?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aXBV1?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=pn
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1cEP3G?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=pn
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1cG73h?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=pn
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1ftEY0?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=pn
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1gEFcn?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=pn
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1kc8s?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7gRE?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hg4?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_pad%2
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_368%2Cw_622%2Cc_fill%2Cg_faces:au
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://ims-na1.adobelogin.com/ims/authorize/v1?locale=en_us&client_id=AdobeReader9&redirect_uri=htt
Source: wab.exe, 00000009.00000002.40252547768.0000000000306000.00000004.00000010.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251372783.00000000046B4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.40252547768.0000000000302000.00000004.00000010.00020000.00000000.sdmp, wab.exe, 00000009.00000002.40254832447.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251240808.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.dr	String found in binary or memory: https://login.live.com/
Source: wab.exe, 00000009.00000003.40251372783.00000000046B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/login.srf?wa=wsign
Source: wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251675749.000000000469C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242028208.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241458515.00000000046AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241654953.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40240352351.0000000004DC1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241547800.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40252026298.000000000469F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242244213.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251931887.000000000469C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251807893.000000000469C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242980257.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242920703.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241495663.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241402768.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242136692.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242079889.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241811190.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241761167.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242691645.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241602092.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1632306842&rver=7.0.6730.0&wp=l
Source: wab.exe, 00000009.00000003.40242752420.00000000046AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241458515.00000000046AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/login.srfhttps://www.google.com/pagead/drt/uihttps://www.google.com/recaptcha
Source: wab.exe, 00000009.00000003.40240416792.00000000046B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/login.srfwa=wsignin1.0&rpsnv=13&checkda=1&ct=1632306842&rver=7.0.6730.0&wp=lb
Source: wab.exe, 00000009.00000003.40251372783.00000000046B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: wab.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v21033_hj8oSp9QdNfpZ07Gv-Ue0w2.css
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v21033_qWV3sGhBzcGORhNLatPttg2.css
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedFinishStrings.en_BYvHTGVEjHmqRinYKC8bUQ2.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_fBfIO6PUjtiIRe-Q1r1v
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/WinJS_vcvx4TydCFioSeM4NLxTDw2.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.sv
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a5d
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/images/marching_ants_b540a8e518037192e32c4fe58bf2dbab
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/images/marching_ants_white_166de53471265253ab3a456def
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90b
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/Win10HostFinish_PCore_3l9yQcHwDX6JY4dnECC1pg2.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/Win10HostLogin_PCore_rfy0-A_Y4TdpeysEFWwI1w2.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/asyncchunk/win10hostlogin_ppassword_545f714b012517
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_5b54317b5869f142bd86.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.offi
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.officeap
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/jsonstrings?g=EmailHrdv2&mkt=1033&hm=2
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/hrd.css?b=14512.30550
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/hrd.min.js?b=14512.30550
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/hrd.min.js?b=16521.30551
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/federationProvider?domain=outlook.com&_=1632306668408
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/federationProvider?domain=outlook.com&_=1685097289379
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=0&ver=16&build=1
Source: wab.exe, 00000009.00000003.40243039699.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241918719.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241974058.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242794079.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242860645.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242191086.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251675749.000000000469C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242028208.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241458515.00000000046AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241654953.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241547800.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40252026298.000000000469F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242244213.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251931887.000000000469C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251807893.000000000469C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242980257.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242920703.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40240184394.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241495663.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241402768.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=1&ver=16&build=1
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/idp?hm=1&emailAddress=shahak.shapira%40outlook.com&_=168509
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/idp?hm=2&emailAddress=shahak.shapira%40outlook.com&_=163230
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://outlookmobile-office365-tas.msedge.net/ab?clientId=512A4435-60B8-42A2-80D3-582B6B7FB6C0&ig=1
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2787436b358dbd81d7fd0a0cccb05788
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2f068a709ecd1f0c000b440d901cea9b
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://pagead2.googlesyndication.com/bg/4j6j1KaqOj9dOTqNDUFIq-pj8a-_5PTo96X1Pctm55w.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://pagead2.googlesyndication.com/getconfig/sodar?sv=200&tid=gda&tv=r20210916&st=env
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/gen_csp?id=adbundle&qqi=CPuOuO2wkvMCFQDJuwgdDw4EyQ&gqi=
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/managed/js/adsense/m202109200101/show_ads_impl_with_ama
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://pagead2.googlesyndication.com/pagead/show_ads.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://partner.googleadservices.com/gampad/cookie.js?domain=ib.adnxs.com&callback=_gfp_s_&client=ca
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://partner.googleadservices.com/gampad/cookie.js?domain=www.msn.com&callback=_gfp_s_&client=ca-
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://pki.goog/repository/0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://polyfill.io/v3/polyfill.min.js?features=2CElement.prototype.matches%2CElement.prototype.clos
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://px.ads.linkedin.com/setuid?partner=tripleliftdbredirect&tlUid=13122329571212727769&dbredirec
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/7zPvmktG8JzqA0vnWzpk_g--~A/Zmk9Zml0O3c9NjIyO2g9MzY4O2FwcGlkPWdlbWl
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://s1.adform.net/Banners/Elements/Files/2070608/10170131/10170131.js?ADFassetID=10170131&bv=258
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://s1.adform.net/Banners/Elements/Files/2070608/10170131/bvpath_258/pics/footer.png
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://s1.adform.net/Banners/Elements/Files/2070608/10170131/bvpath_258/pics/k2.jpg
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://s1.adform.net/Banners/Elements/Files/2070608/10170131/bvpath_258/pics/k3.jpg
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://s1.adform.net/Banners/Elements/Files/2070608/10170131/bvpath_258/pics/k4.jpg
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://s1.adform.net/banners/scripts/rmb/Adform.DHTML.js?bv=0.5146119884770144
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://s1.adform.net/banners/scripts/rmb/Adform.DHTML.js?bv=626
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://s1.adform.net/stoat/626/s1.adform.net/bootstrap.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://s1.adform.net/stoat/626/s1.adform.net/load/v/0.0.209/e/-gABoCBA/i/vCAv.IAAAAAoAA/r:AdConstru
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://sb.scorecardresearch.com/b2?c1=2&c2=3000001&cs_ucfr=1&rn=1632306836522&c7=https%3A%2F%2Fwww.
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://sb.scorecardresearch.com/beacon.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251675749.000000000469C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242028208.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241458515.00000000046AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241654953.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241547800.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242244213.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242980257.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242920703.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241495663.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241402768.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242136692.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242079889.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241811190.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241761167.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40242691645.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40241602092.0000000004DC6000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.dr	String found in binary or memory: https://servedby.flashtalking.com/imp/8/106228;3700839;201;jsiframe;Adobe;1000x463DESKTOPACROBATREAD
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=4aeddfea844042999a22bdcca1fba378&c=MSN&d=https%3A%2F%2Fwww.ms
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=838b780a64e64b0d92d628632c1c377c&c=MSN&d=https%3A%2F%2Fwww.ms
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=bba24733ba4a487f8f8706bf3811269e&c=MSN&d=https%3A%2F%2Fwww.ms
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jque
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-d68e7b58/direct
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directi
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-d017f019/directi
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/cfdbd9.png
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKp8YX.img?h=16&w=16&
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAMqFmF.img?h=16&w=16&
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAODMk8.img?h=75&w=100
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAODQmd.img?h=75&w=100
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAODept.img?h=75&w=100
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOEFck.img?h=75&w=100
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOEQ0I.img?h=368&w=62
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOF4WR.img?h=75&w=100
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOF4Xx.img?h=368&w=62
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFBrV.img?h=75&w=100
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFC5q.img?h=75&w=100
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFCgW.img?h=250&w=30
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFCgW.img?h=75&w=100
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFE0J.img?h=75&w=100
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFENj.img?h=75&w=100
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFJFJ.img?h=75&w=100
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFLk7.img?h=75&w=100
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFWV8.img?h=75&w=100
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFhty.img?h=368&w=62
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFsUC.img?h=250&w=30
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFu51.img?h=75&w=100
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFy7B.img?h=75&w=100
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOFyKG.img?h=75&w=100
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOG3Y7.img?h=250&w=30
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOG3Y7.img?h=75&w=100
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOG88s.img?h=75&w=100
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOGPXq.img?h=194&w=30
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOGQtJ.img?h=75&w=100
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOGV90.img?h=194&w=30
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOGapF.img?h=75&w=100
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOGlbE.img?h=75&w=100
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOGmTG.img?h=75&w=100
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOGyYN.img?h=194&w=30
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOH2Ml.img?h=194&w=30
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOH6xB.img?h=75&w=100
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14hq0P.img?h=368&w=6
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXBV1.img?h=27&w=27
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&w=27
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&w=27
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1ftEY0.img?h=16&w=16
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1gEFcn.img?h=16&w=16
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7gRE.img?h=16&w=16&m
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hg4.img?h=16&w=16&m
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-spartan-neu-s-msn-com.akamaized.net/_h/975a7d20/webcore/externalscripts/jquery/jquery
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-spartan-neu-s-msn-com.akamaized.net/spartan/en-gb/_ssc/css/b5dff51-e7c3b187/kernel-9c
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static-spartan-neu-s-msn-com.akamaized.net/spartan/en-gb/_ssc/js/b5dff51-96897e59/kernel-1e4
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static.doubleclick.net/dynamic/5/283983386/11928812572019506176_2845462151855228713.jpeg
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static.doubleclick.net/dynamic/5/283983386/2578937774238713912_2802581922324906360.jpeg
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static.doubleclick.net/dynamic/5/283983386/6852827437855218848_345419970373613283.jpeg
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-bold.wof
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-light.wo
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-regular.
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-semibold
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-semiligh
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css
Source: wab.exe, 00000009.00000003.40250168695.00000000046B4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40249957635.00000000046B3000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.40254635212.00000000046B5000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251372783.00000000046B4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40250671986.00000000046B4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40249997725.00000000046B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.g
Source: wab.exe, 00000009.00000003.40249257458.00000000046B6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.40254681346.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40250671986.00000000046B4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40249997725.00000000046B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://sync-t1.taboola.com/sg/criteortb-network/1/rtb-h/?taboola_hm=b2df1cf6-0873-4430-916b-9612e80
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tpc.g
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://tpc.googlesyndication.com/pagead/gadgets/html5/ssrh.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://tpc.googlesyndication.com/pagead/gadgets/in_page_full_auto_V1/Responsive_Monte_GpaSingleIfra
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://tpc.googlesyndication.com/pagead/js/r20210916/r20110914/abg_lite.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://tpc.googlesyndication.com/pagead/js/r20210916/r20110914/client/qs_click_protection.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://tpc.googlesyndication.com/pagead/js/r20210916/r20110914/client/window_focus.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://tpc.googlesyndication.com/simgad/14585816484902221120
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://tpc.googlesyndication.com/sodar/sodar2.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://tpc.googlesyndication.com/sodar/sodar2/224/runner.html
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://use.typekit.net/af/40207f/0000000000000000000176ff/27/d?subset_id=2&fvd=n3&v=3
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://use.typekit.net/af/cb695f/000000000000000000017701/27/d?subset_id=2&fvd=n4&v=3
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://use.typekit.net/af/eaf09c/000000000000000000017703/27/d?subset_id=2&fvd=n7&v=3
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://use.typekit.net/ecr2zvs.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
Source: wab.exe, 00000009.00000003.40250168695.00000000046B4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40249957635.00000000046B3000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.40254635212.00000000046B5000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40251372783.00000000046B4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40250671986.00000000046B4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40249997725.00000000046B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.adobe.
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: wab.exe, wab.exe, 0000000B.00000002.40221614069.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://www.google.com/
Source: wab.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/https://
Source: wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.dr	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/pa
Source: wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.dr	String found in binary or memory: https://www.google.com/pagead/drt/ui
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/api
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://www.google.com/recaptcha/api2/aframe
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://www.googletagservices.com/activeview/js/current/osd.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://www.googletagservices.com/activeview/js/current/rx_lidar.js?cache=r20110914
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://www.msn.com
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://www.msn.com/
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/?ocid=ie
Source: wab.exe, 00000009.00000003.40243774570.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40240184394.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, bhv3A27.tmp.9.dr	String found in binary or memory: https://www.msn.com/?ocid=iehp
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-8
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/otFl
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/v2/o
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otBannerSdk
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otTCF-ie.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/otSDKStub.js
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/secure/silentpassport?secure=true&lc=2055
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/de-ch/https://
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/https://www.msn.com/de-c
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://www.msn.com/spartan/en-gb/kernel/appcache/cache.appcache?locale=en-GB&market=GB&enableregula
Source: wab.exe, 00000009.00000003.40246408330.00000000046AC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.40246459962.00000000046AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/spartan/ientp
Source: bhv3A27.tmp.9.dr	String found in binary or memory: https://www.msn.com/spartan/ientp?locale=en-GB&market=GB&enableregulatorypsm=0&enablecpsm=0&NTLogo=1

Source: unknown

DNS traffic detected: queries for: gudanidevelopment.ge

Source: global traffic	HTTP traffic detected: GET /IogvoayYhe139.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: gudanidevelopment.geCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe

Jump to behavior

Contains functionality to modify clipboard data

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	9_2_0040987A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	9_2_004098E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_00406B9A EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	10_2_00406B9A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_00406C3D EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	10_2_00406C3D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	11_2_004068B5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	11_2_004072B5

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe

Code function: 3_2_0040558F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

3_2_0040558F

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 00000007.00000002.45052911947.0000000004C88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.40526012940.0000000004C86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 1392, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, type: DROPPED

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: 18001787_down_payment_invoice_90002104.exe

Source: 18001787_down_payment_invoice_90002104.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe

Code function: 3_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

3_2_004034A5

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe	Code function: 3_2_00404DCC	3_2_00404DCC
Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe	Code function: 3_2_00406AF2	3_2_00406AF2
Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe	Code function: 3_2_6F1D1B63	3_2_6F1D1B63
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_3_04C94169	7_3_04C94169
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_3563B5C1	7_2_3563B5C1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_35647194	7_2_35647194
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_00406E8F	9_2_00406E8F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_0044B040	9_2_0044B040
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_0043610D	9_2_0043610D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_00447310	9_2_00447310
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_0044A490	9_2_0044A490
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_0040755A	9_2_0040755A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_0043C560	9_2_0043C560
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_0044B610	9_2_0044B610
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_0044D6C0	9_2_0044D6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_004476F0	9_2_004476F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_0044B870	9_2_0044B870
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_0044081D	9_2_0044081D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_00414957	9_2_00414957
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_004079EE	9_2_004079EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_00407AEB	9_2_00407AEB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_0044AA80	9_2_0044AA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_00412AA9	9_2_00412AA9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_00404B74	9_2_00404B74
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_00404B03	9_2_00404B03
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_0044BBD8	9_2_0044BBD8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_00404BE5	9_2_00404BE5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_00404C76	9_2_00404C76
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_00415CFE	9_2_00415CFE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_00416D72	9_2_00416D72
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_00446D30	9_2_00446D30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_00446D8B	9_2_00446D8B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_0040D044	10_2_0040D044
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_00405038	10_2_00405038
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_004050A9	10_2_004050A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_0040511A	10_2_0040511A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_004051AB	10_2_004051AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_004382F3	10_2_004382F3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_00430575	10_2_00430575
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_0043B671	10_2_0043B671
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_0041F6CD	10_2_0041F6CD
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_004119CF	10_2_004119CF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_00439B11	10_2_00439B11
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_00438E54	10_2_00438E54
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_00412F67	10_2_00412F67
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_0043CF18	10_2_0043CF18
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_004050C2	11_2_004050C2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_004014AB	11_2_004014AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_00405133	11_2_00405133
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_004051A4	11_2_004051A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_00401246	11_2_00401246
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_0040CA46	11_2_0040CA46
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_00405235	11_2_00405235
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_004032C8	11_2_004032C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_00401689	11_2_00401689
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_00402F60	11_2_00402F60

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 004169A7 appears 87 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 004165FF appears 35 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 00412968 appears 78 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 00421A32 appears 43 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 00416760 appears 69 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 0044407A appears 37 times

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_0449A127 Sleep,NtProtectVirtualMemory,	7_2_0449A127
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	9_2_0040DD85
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_00401806 NtdllDefWindowProc_W,	9_2_00401806
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_004018C0 NtdllDefWindowProc_W,	9_2_004018C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_004016FC NtdllDefWindowProc_A,	10_2_004016FC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_004017B6 NtdllDefWindowProc_A,	10_2_004017B6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_00402CAC NtdllDefWindowProc_A,	11_2_00402CAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_00402D66 NtdllDefWindowProc_A,	11_2_00402D66

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Process Stats: CPU usage > 6%

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: 18001787_down_payment_invoice_90002104.exe

Static PE information: invalid certificate

Source: 18001787_down_payment_invoice_90002104.exe

Virustotal: Detection: 11%

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe

File read: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe

Jump to behavior

Source: 18001787_down_payment_invoice_90002104.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe
Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ixfof
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\szlggikjo
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\utqzgbudcvrn
Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ixfof	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\szlggikjo	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\utqzgbudcvrn	Jump to behavior

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe	Code function: 3_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		3_2_004034A5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification,		11_2_00410DE1

Source: C:\Program Files (x86)\Windows Mail\wab.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe

File created: C:\Users\user\AppData\Local\Admonishment64

Jump to behavior

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe

File created: C:\Users\user\AppData\Local\Temp\nszD5CF.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@9/18@4/3

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe

Code function: 3_2_00402104 CoCreateInstance,

3_2_00402104

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe

Code function: 3_2_00404850 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

3_2_00404850

Source: wab.exe, wab.exe, 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: wab.exe, wab.exe, 0000000A.00000002.40218726430.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: wab.exe, 00000007.00000002.45066609211.0000000035570000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: wab.exe, wab.exe, 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: wab.exe, wab.exe, 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: wab.exe, wab.exe, 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: wab.exe, wab.exe, 00000009.00000002.40252855810.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 9_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z,

9_2_004182CE

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 9_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle,

9_2_00413D4C

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Mutant created: \Sessions\1\BaseNamedObjects\ourvbpld-RBN2WW

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 9_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,

9_2_0040B58D

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source: 18001787_down_payment_invoice_90002104.exe

Static file information: File size 1091672 > 1048576

Source: 18001787_down_payment_invoice_90002104.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000007.00000002.45046073128.0000000003AF9000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.40189422367.0000000003F89000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.40188235622.0000000000690000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 18001787_down_payment_invoice_90002104.exe PID: 3312, type: MEMORYSTR

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe	Code function: 3_2_6F1D2FD0 push eax; ret	3_2_6F1D2FFE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_35632806 push ecx; ret	7_2_35632819
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_0044693D push ecx; ret	9_2_0044694D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_0044DB70 push eax; ret	9_2_0044DB84
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_0044DB70 push eax; ret	9_2_0044DBAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_00451D54 push eax; ret	9_2_00451D61
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_00444355 push ecx; ret	10_2_00444365
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_004446D0 push eax; ret	10_2_004446E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_004446D0 push eax; ret	10_2_0044470C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_0044AC84 push eax; ret	10_2_0044AC91
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_00414060 push eax; ret	11_2_00414074
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_00414060 push eax; ret	11_2_0041409C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_00414039 push ecx; ret	11_2_00414049
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_004164EB push 0000006Ah; retf	11_2_004165C4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_00416553 push 0000006Ah; retf	11_2_004165C4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_00416555 push 0000006Ah; retf	11_2_004165C4

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe

Code function: 3_2_6F1D1B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

3_2_6F1D1B63

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File created: C:\Users\user\AppData\Local\Temp\Dendrobe\Filamenterne.exe			Jump to dropped file
Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe	File created: C:\Users\user\AppData\Local\Temp\nskD796.tmp\System.dll			Jump to dropped file

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Dominionist	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Dominionist	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Dominionist	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Dominionist	Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 10_2_004047C6 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_004047C6

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5116	Thread sleep count: 3596 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7100	Thread sleep count: 70 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7100	Thread sleep time: -35000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6752	Thread sleep count: 5338 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6752	Thread sleep time: -16014000s >= -30000s	Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Thread sleep count: Count: 3596 delay: -5

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 9_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

9_2_0040DD85

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 3596	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 5338	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: foregroundWindowGot 1724	Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

API coverage: 9.7 %

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 9_2_00418981 memset,GetSystemInfo,

9_2_00418981

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe	Code function: 3_2_0040672B FindFirstFileW,FindClose,	3_2_0040672B
Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe	Code function: 3_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	3_2_00405AFA
Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe	Code function: 3_2_00402868 FindFirstFileW,	3_2_00402868
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_356310F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	7_2_356310F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_35636580 FindFirstFileExA,	7_2_35636580
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_0040AE51 FindFirstFileW,FindNextFileW,	9_2_0040AE51
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,	10_2_00407C87
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	11_2_00407898

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe	API call chain: ExitProcess graph end node			graph_3-4598
Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe	API call chain: ExitProcess graph end node			graph_3-4753

Source: wab.exe, 00000007.00000002.45052676027.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: wab.exe, 00000007.00000003.40526012940.0000000004C97000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.45052911947.0000000004C97000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 7_2_356360E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_356360E2

Source: C:\Program Files (x86)\Windows Mail\wab.exe

9_2_0040DD85

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe

Code function: 3_2_6F1D1B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

3_2_6F1D1B63

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 7_2_3563724E GetProcessHeap,

7_2_3563724E

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 7_2_35634AB4 mov eax, dword ptr fs:[00000030h]

7_2_35634AB4

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_356360E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_356360E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_35632B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_35632B1C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 7_2_35632639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_35632639

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe	Section loaded: C:\Windows\SysWOW64\mshtml.dll target: C:\Program Files (x86)\Windows Mail\wab.exe protection: read write	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: unknown target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: unknown target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: unknown target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3000000			Jump to behavior
Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2F18008			Jump to behavior

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ixfof	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\szlggikjo	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\utqzgbudcvrn	Jump to behavior

Source: wab.exe, 00000007.00000003.40526012940.0000000004C97000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.45052911947.0000000004C97000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.45066462805.0000000034ED6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: wab.exe, 00000007.00000002.45066462805.0000000034ED6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager}\|
Source: wab.exe, 00000007.00000002.45066462805.0000000034ED6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerles\*
Source: wab.exe, 00000007.00000002.45053053148.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.40215942945.0000000004CAC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.40255442769.0000000004CBB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [2023/10/31 13:19:59 Program Manager]
Source: wab.exe, 00000007.00000002.45066462805.0000000034ED6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager<\|T
Source: wab.exe, 00000007.00000003.40526012940.0000000004C97000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerL
Source: wab.exe, 00000007.00000002.45066462805.0000000034ED6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: wab.exe, 00000007.00000002.45052911947.0000000004C97000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerI
Source: wab.exe, 00000007.00000002.45066462805.0000000034ED6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager*\|B
Source: wab.exe, 00000007.00000003.40526012940.0000000004C97000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.45052911947.0000000004C97000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.40526012940.0000000004C86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [2023/10/31 13:20:06 Program Manager]
Source: wab.exe, 00000007.00000002.45066462805.0000000034ED6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerk\|
Source: wab.exe, 00000007.00000002.45052911947.0000000004C88000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.40526012940.0000000004C86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
Source: wab.exe	Binary or memory string: [2023/10/31 13:20:06 Program Manager]
Source: wab.exe	Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
Source: wab.exe, 00000007.00000002.45052676027.0000000004C7A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.40526012940.0000000004CA9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000003.40526012940.0000000004C97000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: wab.exe, 00000007.00000003.40526012940.0000000004C97000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.45052911947.0000000004C97000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerur\|
Source: wab.exe, 00000007.00000002.45066462805.0000000034ED6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerles\*t\|

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 7_2_35632933 cpuid

7_2_35632933

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 7_2_35632264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

7_2_35632264

Source: C:\Users\user\Desktop\18001787_down_payment_invoice_90002104.exe

3_2_004034A5

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 10_2_00408043 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,

10_2_00408043

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 00000007.00000002.45052911947.0000000004C88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.40526012940.0000000004C86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 1392, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, type: DROPPED

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: ESMTPPassword	10_2_004033E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	10_2_00402DA5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	10_2_00402DA5

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: Process Memory Space: wab.exe PID: 1392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wab.exe PID: 6416, type: MEMORYSTR

Tries to steal Instant Messenger accounts or passwords

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 00000007.00000002.45052911947.0000000004C88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.40526012940.0000000004C86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 1392, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	2 Obfuscated Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	212 Process Injection	1 DLL Side-Loading	2 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Registry Run Keys / Startup Folder	1 Masquerading	1 Credentials In Files	28 System Information Discovery	Distributed Component Object Model	11 Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Virtualization/Sandbox Evasion	LSA Secrets	31 Security Software Discovery	SSH	11 Clipboard Data	Data Transfer Size Limits	112 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Access Token Manipulation	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	212 Process Injection	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 18001787_down_payment_invoice_90002104.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
18001787_down_payment_invoice_90002104.exe