Analysis Report: company certificate.exe

Overview

General Information

Sample Name: company certificate.exe
Analysis ID: 296287
MD5: 7b2aa392e7eaec9b73d7fb7de325f8d3
SHA1: 9f7c5288999d83fe8220ba08d15d3eb8624c6aad
SHA256: a03a01c5db256866b2caf92a988882d4fa2051d4ef401455e07794fb87a0042e
Tags: exe, HawkEye, Yahoo

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • company certificate.exe (PID: 6584 cmdline: 'C:\Users\user\Desktop\company certificate.exe' MD5: 7B2AA392E7EAEC9B73D7FB7DE325F8D3)
    • timeout.exe (PID: 5788 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • company certificate.exe (PID: 1724 cmdline: C:\Users\user\Desktop\company certificate.exe MD5: 7B2AA392E7EAEC9B73D7FB7DE325F8D3)
      • WerFault.exe (PID: 4624 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 2008 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 6452 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6376 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • company certificate.exe (PID: 7016 cmdline: 'C:\Users\user\Desktop\company certificate.exe' MD5: 7B2AA392E7EAEC9B73D7FB7DE325F8D3)
    • timeout.exe (PID: 7108 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • company certificate.exe (PID: 6772 cmdline: C:\Users\user\Desktop\company certificate.exe MD5: 7B2AA392E7EAEC9B73D7FB7DE325F8D3)
      • WerFault.exe (PID: 1012 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6772 -s 1248 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5788 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7016 -s 1860 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • company certificate.exe (PID: 4524 cmdline: 'C:\Users\user\Desktop\company certificate.exe' MD5: 7B2AA392E7EAEC9B73D7FB7DE325F8D3)
    • timeout.exe (PID: 5568 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 5936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • company certificate.exe (PID: 1068 cmdline: C:\Users\user\Desktop\company certificate.exe MD5: 7B2AA392E7EAEC9B73D7FB7DE325F8D3)
    • company certificate.exe (PID: 3504 cmdline: C:\Users\user\Desktop\company certificate.exe MD5: 7B2AA392E7EAEC9B73D7FB7DE325F8D3)
  • company certificate.exe (PID: 1072 cmdline: 'C:\Users\user\Desktop\company certificate.exe' MD5: 7B2AA392E7EAEC9B73D7FB7DE325F8D3)
    • timeout.exe (PID: 4492 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 6708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • company certificate.exe (PID: 4632 cmdline: 'C:\Users\user\Desktop\company certificate.exe' MD5: 7B2AA392E7EAEC9B73D7FB7DE325F8D3)
    • timeout.exe (PID: 7056 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • company certificate.exe (PID: 3512 cmdline: 'C:\Users\user\Desktop\company certificate.exe' MD5: 7B2AA392E7EAEC9B73D7FB7DE325F8D3)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source: 0000001E.00000002.523035511.00000000041C9000.00000004.00000001.sdmp | Rule: RAT_HawkEye | Description: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x7bdae:$key: HawkEyeKeylogger
  • 0x7dff2:$salt: 099u787978786
  • 0x7c3ef:$string1: HawkEye_Keylogger
  • 0x7d242:$string1: HawkEye_Keylogger
  • 0x7df52:$string1: HawkEye_Keylogger
  • 0x7c7d8:$string2: holdermail.txt
  • 0x7c7f8:$string2: holdermail.txt
  • 0x7c71a:$string3: wallet.dat
  • 0x7c732:$string3: wallet.dat
  • 0x7c748:$string3: wallet.dat
  • 0x7db16:$string4: Keylog Records
  • 0x7de2e:$string4: Keylog Records
  • 0x7e04a:$string5: do not script -->
  • 0x7bd96:$string6: \pidloc.txt
  • 0x7be24:$string7: BSPLIT
  • 0x7be34:$string7: BSPLIT
Source: 0000001E.00000002.523035511.00000000041C9000.00000004.00000001.sdmp | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
Source: 0000001E.00000002.523035511.00000000041C9000.00000004.00000001.sdmp | Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security
Source: 0000001E.00000002.523035511.00000000041C9000.00000004.00000001.sdmp | Rule: JoeSecurity_HawkEye | Description: Yara detected HawkEye Keylogger | Author: Joe Security
Source: 0000001E.00000002.523035511.00000000041C9000.00000004.00000001.sdmp | Rule: JoeSecurity_WebBrowserPassView | Description: Yara detected WebBrowserPassView password recovery tool | Author: Joe Security
(124 memory dump matches in total; only the first five are shown here.)

Unpacked PEs

Source: 25.2.vbc.exe.400000.0.unpack | Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security
Source: 38.2.company certificate.exe.400000.0.unpack | Rule: RAT_HawkEye | Description: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x7b89e:$key: HawkEyeKeylogger
  • 0x7dae2:$salt: 099u787978786
  • 0x7bedf:$string1: HawkEye_Keylogger
  • 0x7cd32:$string1: HawkEye_Keylogger
  • 0x7da42:$string1: HawkEye_Keylogger
  • 0x7c2c8:$string2: holdermail.txt
  • 0x7c2e8:$string2: holdermail.txt
  • 0x7c20a:$string3: wallet.dat
  • 0x7c222:$string3: wallet.dat
  • 0x7c238:$string3: wallet.dat
  • 0x7d606:$string4: Keylog Records
  • 0x7d91e:$string4: Keylog Records
  • 0x7db3a:$string5: do not script -->
  • 0x7b886:$string6: \pidloc.txt
  • 0x7b914:$string7: BSPLIT
  • 0x7b924:$string7: BSPLIT
Source: 38.2.company certificate.exe.400000.0.unpack | Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security
Source: 38.2.company certificate.exe.400000.0.unpack | Rule: JoeSecurity_HawkEye | Description: Yara detected HawkEye Keylogger | Author: Joe Security
Source: 38.2.company certificate.exe.400000.0.unpack | Rule: JoeSecurity_WebBrowserPassView | Description: Yara detected WebBrowserPassView password recovery tool | Author: Joe Security
(14 unpacked PE matches in total; only the first five are shown here.)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: vbc.exe.6452.24.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: company certificate.exe | Virustotal: Detection: 17%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\company certificate.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: company certificate.exe | Joe Sandbox ML: detected
Source: 38.2.company certificate.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 38.2.company certificate.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 3.2.company certificate.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 3.2.company certificate.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 26.2.company certificate.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 26.2.company certificate.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: company certificate.exe, 00000000.00000002.362543653.00000000039B9000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: company certificate.exe, 00000000.00000002.362543653.00000000039B9000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: company certificate.exe, 00000003.00000002.430160317.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: company certificate.exe, 00000003.00000002.430160317.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: company certificate.exe, 00000009.00000002.535852705.00000000040D5000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: company certificate.exe, 00000009.00000002.535852705.00000000040D5000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: WerFault.exe, 0000000E.00000003.406945041.0000000005A20000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: WerFault.exe, 0000000E.00000003.406945041.0000000005A20000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: company certificate.exe, 0000000F.00000002.495748797.0000000003AC9000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: company certificate.exe, 0000000F.00000002.495748797.0000000003AC9000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: company certificate.exe, 00000013.00000002.521396823.0000000003799000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: company certificate.exe, 00000013.00000002.521396823.0000000003799000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: company certificate.exe, 0000001A.00000002.534702713.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: company certificate.exe, 0000001A.00000002.534702713.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_07B2FE8A
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_082B2835
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_082BF013
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_082BF0FD
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_082BE934
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_082B326B
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 4x nop then call 0553A6E8h | 3_2_082BE260
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_082BE260
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 4x nop then call 0553A6E8h | 3_2_082BE34A
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_082BE34A
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_082B2BA1
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 4x nop then call 0553A6E8h | 3_2_082B0430
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_082B0430
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_082BE60F
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: vbc.exe, 00000018.00000003.434302232.000000000069E000.00000004.00000001.sdmp | String found in binary or memory: 3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 00000018.00000003.434302232.000000000069E000.00000004.00000001.sdmp | String found in binary or memory: 3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: company certificate.exe, 00000000.00000002.362543653.00000000039B9000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.430160317.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000009.00000002.535852705.00000000040D5000.00000004.00000001.sdmp, company certificate.exe, 0000000F.00000002.495748797.0000000003AC9000.00000004.00000001.sdmp, company certificate.exe, 00000013.00000002.521396823.0000000003799000.00000004.00000001.sdmp, vbc.exe, 00000018.00000002.434742039.0000000000400000.00000040.00000001.sdmp, company certificate.exe, 0000001A.00000002.534702713.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: company certificate.exe, 00000000.00000002.362543653.00000000039B9000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.430160317.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000009.00000002.535852705.00000000040D5000.00000004.00000001.sdmp, company certificate.exe, 0000000F.00000002.495748797.0000000003AC9000.00000004.00000001.sdmp, company certificate.exe, 00000013.00000002.521396823.0000000003799000.00000004.00000001.sdmp, vbc.exe, 00000018.00000002.434742039.0000000000400000.00000040.00000001.sdmp, company certificate.exe, 0000001A.00000002.534702713.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, 00000018.00000003.433499918.000000000069C000.00000004.00000001.sdmp | String found in binary or memory: s://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2
Source: vbc.exe, 00000018.00000003.433499918.000000000069C000.00000004.00000001.sdmp | String found in binary or memory: s://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2
Source: unknown | DNS traffic detected: queries for: dfewfwefwefwefwe.000webhostapp.com
Source: WerFault.exe, 0000000E.00000002.426291480.0000000003530000.00000002.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: WerFault.exe, 0000000E.00000002.426291480.0000000003530000.00000002.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: company certificate.exe, 00000000.00000002.361448013.0000000002945000.00000004.00000001.sdmp, company certificate.exe, 00000009.00000002.528893250.0000000002C8A000.00000004.00000001.sdmp, company certificate.exe, 0000000F.00000002.478180249.000000000292A000.00000004.00000001.sdmp, company certificate.exe, 00000013.00000002.509594597.00000000026CA000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.rapidssl.com/RapidSSLRSACA2018.crt0
Source: company certificate.exe, 00000000.00000002.361448013.0000000002945000.00000004.00000001.sdmp, company certificate.exe, 00000009.00000002.528893250.0000000002C8A000.00000004.00000001.sdmp, company certificate.exe, 0000000F.00000002.478180249.000000000292A000.00000004.00000001.sdmp, company certificate.exe, 00000013.00000002.509594597.00000000026CA000.00000004.00000001.sdmp | String found in binary or memory: http://cdp.rapidssl.com/RapidSSLRSACA2018.crl0L
Source: company certificate.exe, 00000000.00000002.362543653.00000000039B9000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.430160317.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000009.00000002.535852705.00000000040D5000.00000004.00000001.sdmp, company certificate.exe, 0000000F.00000002.495748797.0000000003AC9000.00000004.00000001.sdmp, company certificate.exe, 00000013.00000002.521396823.0000000003799000.00000004.00000001.sdmp, company certificate.exe, 0000001A.00000002.534702713.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: WerFault.exe, 0000000E.00000002.426291480.0000000003530000.00000002.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: company certificate.exe, 0000000F.00000002.471058493.0000000000CB2000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0c
Source: WerFault.exe, 0000000E.00000002.426291480.0000000003530000.00000002.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: WerFault.exe, 0000000E.00000002.426291480.0000000003530000.00000002.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: WerFault.exe, 0000000E.00000002.426291480.0000000003530000.00000002.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: company certificate.exe, 00000003.00000003.360010805.0000000005EF3000.00000004.00000001.sdmp | String found in binary or memory: http://en.w%
Source: company certificate.exe, 00000003.00000002.440336165.00000000070E2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: company certificate.exe, 00000003.00000003.362911620.0000000005F0E000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.comH.
Source: company certificate.exe, 00000003.00000003.362324054.0000000005F0E000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.comX
Source: company certificate.exe, 0000001A.00000002.538087217.0000000002BE1000.00000004.00000001.sdmp | String found in binary or memory: http://foo.com/foo
Source: company certificate.exe, 00000000.00000002.362543653.00000000039B9000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.430160317.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000009.00000002.535852705.00000000040D5000.00000004.00000001.sdmp, company certificate.exe, 0000000F.00000002.495748797.0000000003AC9000.00000004.00000001.sdmp, company certificate.exe, 00000013.00000002.521396823.0000000003799000.00000004.00000001.sdmp, company certificate.exe, 0000001A.00000002.534702713.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: company certificate.exe, 0000000F.00000002.471058493.0000000000CB2000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0B
Source: WerFault.exe, 0000000E.00000002.426291480.0000000003530000.00000002.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: WerFault.exe, 0000000E.00000002.426291480.0000000003530000.00000002.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
Source: WerFault.exe, 0000000E.00000003.402874159.0000000005D20000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.462433457.0000000004DC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000000E.00000003.402874159.0000000005D20000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.462433457.0000000004DC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000000E.00000003.402874159.0000000005D20000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.462433457.0000000004DC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000000E.00000003.402874159.0000000005D20000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.462433457.0000000004DC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000000E.00000003.402874159.0000000005D20000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.462433457.0000000004DC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000000E.00000003.402874159.0000000005D20000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.462433457.0000000004DC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000000E.00000003.402874159.0000000005D20000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.462433457.0000000004DC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: company certificate.exe, 00000000.00000002.361193634.0000000002911000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.432948022.0000000002D81000.00000004.00000001.sdmp, company certificate.exe, 00000009.00000002.528541780.0000000002C51000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.402874159.0000000005D20000.00000004.00000001.sdmp, company certificate.exe, 0000000F.00000002.477772340.00000000028F1000.00000004.00000001.sdmp, company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmp, company certificate.exe, 0000001A.00000002.538087217.0000000002BE1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.462433457.0000000004DC0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: WerFault.exe, 0000000E.00000003.402874159.0000000005D20000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.462433457.0000000004DC0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
                  Source: WerFault.exe, 0000000E.00000003.402874159.0000000005D20000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.462433457.0000000004DC0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
                  Source: WerFault.exe, 0000000E.00000003.402874159.0000000005D20000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.462433457.0000000004DC0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
                  Source: WerFault.exe, 0000000E.00000003.402874159.0000000005D20000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.462433457.0000000004DC0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
                  Source: WerFault.exe, 0000000E.00000003.402874159.0000000005D20000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.462433457.0000000004DC0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
                  Source: WerFault.exe, 0000000E.00000003.402874159.0000000005D20000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.462433457.0000000004DC0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
                  Source: WerFault.exe, 0000000E.00000003.402874159.0000000005D20000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.462433457.0000000004DC0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
                  Source: company certificate.exe, 00000000.00000002.361448013.0000000002945000.00000004.00000001.sdmp, company certificate.exe, 00000009.00000002.528893250.0000000002C8A000.00000004.00000001.sdmp, company certificate.exe, 0000000F.00000002.478180249.000000000292A000.00000004.00000001.sdmp, company certificate.exe, 00000013.00000002.509594597.00000000026CA000.00000004.00000001.sdmpString found in binary or memory: http://status.rapidssl.com0=
                  Source: company certificate.exe, 00000000.00000002.362543653.00000000039B9000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.430160317.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000009.00000002.535852705.00000000040D5000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.406945041.0000000005A20000.00000004.00000001.sdmp, company certificate.exe, 0000000F.00000002.495748797.0000000003AC9000.00000004.00000001.sdmp, company certificate.exe, 00000013.00000002.521396823.0000000003799000.00000004.00000001.sdmp, company certificate.exe, 0000001A.00000002.534702713.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com/-
                  Source: company certificate.exe, 00000003.00000002.440336165.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: company certificate.exe, 00000003.00000003.366688331.0000000005EDA000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
                  Source: company certificate.exe, 00000003.00000003.365807111.0000000005ED2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
                  Source: company certificate.exe, 00000003.00000002.440336165.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                  Source: company certificate.exe, 00000003.00000003.371167764.0000000005EDD000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                  Source: company certificate.exe, 00000003.00000003.368208595.0000000005EDA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/
                  Source: company certificate.exe, 00000003.00000002.440336165.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                  Source: company certificate.exe, 00000003.00000003.368664071.0000000005EDA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
                  Source: company certificate.exe, 00000003.00000002.440336165.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                  Source: company certificate.exe, 00000003.00000002.440336165.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                  Source: company certificate.exe, 00000003.00000002.440336165.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                  Source: company certificate.exe, 00000003.00000002.440336165.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                  Source: company certificate.exe, 00000003.00000002.440336165.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                  Source: company certificate.exe, 00000003.00000002.440336165.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                  Source: company certificate.exe, 00000003.00000003.371167764.0000000005EDD000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerst
                  Source: company certificate.exe, 00000003.00000003.370059754.0000000005ED8000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
                  Source: company certificate.exe, 00000003.00000003.371167764.0000000005EDD000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comL.TTF
                  Source: company certificate.exe, 00000003.00000002.439546544.0000000005ED0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comaI
                  Source: company certificate.exe, 00000003.00000003.371167764.0000000005EDD000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comals
                  Source: company certificate.exe, 00000003.00000002.439546544.0000000005ED0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comasva
                  Source: company certificate.exe, 00000003.00000003.371368959.0000000005EDD000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcom
                  Source: company certificate.exe, 00000003.00000003.370755138.0000000005EDE000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcomo
                  Source: company certificate.exe, 00000003.00000003.370059754.0000000005ED8000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
                  Source: company certificate.exe, 00000003.00000003.370059754.0000000005ED8000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comessedm
                  Source: company certificate.exe, 00000003.00000003.370059754.0000000005ED8000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comionm
                  Source: company certificate.exe, 00000003.00000002.439546544.0000000005ED0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coml1
                  Source: company certificate.exe, 00000003.00000003.370755138.0000000005EDE000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comm
                  Source: company certificate.exe, 00000003.00000003.370059754.0000000005ED8000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.como
                  Source: company certificate.exe, 00000003.00000002.439546544.0000000005ED0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comod
                  Source: company certificate.exe, 00000003.00000003.368208595.0000000005EDA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comsiefi
                  Source: company certificate.exe, 00000003.00000003.371167764.0000000005EDD000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comueed
                  Source: company certificate.exe, 00000003.00000003.362158804.0000000000A9B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                  Source: company certificate.exe, 00000003.00000003.363670065.0000000005EE1000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                  Source: company certificate.exe, 00000003.00000002.440336165.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: company certificate.exe, 00000003.00000002.440336165.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: company certificate.exe, 00000003.00000003.363693160.0000000005ED3000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cniai
                  Source: company certificate.exe, 00000003.00000002.440336165.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: company certificate.exe, 00000003.00000002.439546544.0000000005ED0000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.440336165.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: company certificate.exe, 00000003.00000002.440336165.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: company certificate.exe, 00000003.00000003.366688331.0000000005EDA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: company certificate.exe, 00000003.00000003.366075775.0000000005ED7000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//d
                  Source: company certificate.exe, 00000003.00000003.366688331.0000000005EDA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/R
                  Source: company certificate.exe, 00000003.00000003.366688331.0000000005EDA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0s
                  Source: company certificate.exe, 00000003.00000003.366075775.0000000005ED7000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/i
                  Source: company certificate.exe, 00000003.00000003.366688331.0000000005EDA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ief
                  Source: company certificate.exe, 00000003.00000003.366075775.0000000005ED7000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/1
                  Source: company certificate.exe, 00000003.00000003.366688331.0000000005EDA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/v
                  Source: company certificate.exe, 00000003.00000003.366075775.0000000005ED7000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/sm
                  Source: company certificate.exe, 00000003.00000003.366075775.0000000005ED7000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/v
                  Source: vbc.exe, 00000018.00000002.436436751.00000000006D0000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehpLMEM
                  Source: vbc.exe, 00000018.00000003.433499918.000000000069C000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.co
                  Source: vbc.exe, 00000018.00000002.436547037.00000000006D7000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMp
                  Source: company certificate.exe, 0000001A.00000002.534702713.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
                  Source: company certificate.exe, 00000003.00000003.361952868.0000000005F0E000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.440336165.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: company certificate.exe, 00000003.00000003.361538658.0000000000A9B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com.40
                  Source: company certificate.exe, 00000003.00000003.361952868.0000000005F0E000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comex
                  Source: company certificate.exe, 00000003.00000003.361538658.0000000000A9B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.coml
                  Source: company certificate.exe, 00000003.00000002.440336165.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                  Source: company certificate.exe, 00000003.00000002.440336165.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                  Source: company certificate.exe, 00000003.00000002.433061324.0000000002DEB000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
                  Source: company certificate.exe, 00000003.00000002.440336165.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                  Source: company certificate.exe, 00000003.00000003.365807111.0000000005ED2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comlict
                  Source: company certificate.exe, 00000003.00000002.440336165.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                  Source: company certificate.exe, 00000003.00000002.440336165.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                  Source: company certificate.exe, 00000003.00000002.440336165.00000000070E2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                  Source: vbc.exe, 00000018.00000003.433321324.000000000232C000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activi
                  Source: vbc.exe, 00000018.00000003.434302232.000000000069E000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
                  Source: vbc.exe, 00000018.00000003.433499918.000000000069C000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
                  Source: vbc.exe, 00000018.00000002.436547037.00000000006D7000.00000004.00000020.sdmpString found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;or
                  Source: vbc.exe, 00000018.00000002.436547037.00000000006D7000.00000004.00000020.sdmpString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=
                  Source: vbc.exe, 00000018.00000002.436547037.00000000006D7000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8H
                  Source: vbc.exe, 00000018.00000003.433499918.000000000069C000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
                  Source: vbc.exe, 00000018.00000003.433499918.000000000069C000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
                  Source: vbc.exe, 00000018.00000002.436547037.00000000006D7000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/media
                  Source: vbc.exe, 00000018.00000002.436547037.00000000006D7000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/medianet.
                  Source: vbc.exe, 00000018.00000003.433499918.000000000069C000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
                  Source: company certificate.exe, 00000000.00000002.361193634.0000000002911000.00000004.00000001.sdmp, company certificate.exe, 00000009.00000002.528541780.0000000002C51000.00000004.00000001.sdmp, company certificate.exe, 0000000F.00000002.477772340.00000000028F1000.00000004.00000001.sdmp, company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/11034993C59AC5C07B20687467073238.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/14B2AC6B97B24C31FF76FCE3CE0E49CE.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/16B43815BAB4EFE6749704A2080B64E9.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/2CDFCAB19318859AF668AE7A5A5041EC.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/57542D696A1025F7625292B7CC145348.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/5C519EAC017CA04C92D968C813E81624.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/64364A10CDDE143A286E03B2D0B47080.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/67038FC3562884EA0413BCBFC53D073E.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/6A071D5805C8601A560EBF9B738C134F.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/6C5CA465B47D44D0290D2047809B7E2D.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/6DFD3E685EF767E83A691AD1B333BBDE.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/7570F7DA73E60F0B0DA95536C9789D60.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/8186998821E16666BC375C53F0289070.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/925C31CCC028CA75143AE3F6FA8B1217.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/92C486B30AED6179B7C5C1072329CBE9.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/9492461B65B6BBA42EE290CEE36D78A1.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/973C68F4CB95A6DC2724A56BF4B71E7A.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/9FE68748F157444236AF889CF03248FB.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/A22BB998150C5A0C95D66CE10CBEC6D7.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/B24B28A064B07CFF9FA5F4163B26651E.html
                  Source: company certificate.exe, 00000009.00000002.528541780.0000000002C51000.00000004.00000001.sdmp, company certificate.exe, 0000000F.00000002.477772340.00000000028F1000.00000004.00000001.sdmp, company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/B6335E45F5786D740EBA42E9FB47F21B.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/BD275894C0FD532F00C7EC83499B4EAC.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/BFB70F71B8D8C8602FC5378DBE3DAFA3.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/C4EFF0DBE2515DED6746B9D0CF7B7048.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/DCFA4645B06B5ED1E1087D7C7E06F48A.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/E96AAF636CAC3285A52A0AAEEA38D8CD.html
                  Source: company certificate.exe, 00000013.00000002.509102731.0000000002691000.00000004.00000001.sdmpString found in binary or memory: https://dfewfwefwefwefwe.000webhostapp.com/F6E31BBEEC57707C7C6129DB6410903E.html
                  Source: company certificate.exe, 00000000.00000002.362543653.00000000039B9000.00000004.00000001.sdmp, company certificate.exe, 00000009.00000003.418884433.00000000040F6000.00000004.00000001.sdmp, company certificate.exe, 0000000F.00000002.492909224.00000000039F9000.00000004.00000001.sdmp, company certificate.exe, 00000013.00000002.521396823.0000000003799000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.466763151.0000000004D80000.00000004.000000