Windows Analysis Report 60L3nw00Uk

Overview

General Information

Sample Name: 60L3nw00Uk (renamed file extension from none to exe)
Analysis ID: 474426
MD5: 1e6ec142ba08c7deafd25bdea76f32d4
SHA1: 6b52334ca53b1c604c5865e2ab49056b870808c5
SHA256: e773f60aeb241f884b4f932d7ddd4e31c87f31781d5bd53d8583b3d54807a449
Tags: exe, HawkEye

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Detected HawkEye Rat
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Writes to foreign memory regions
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file registry)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected WebBrowserPassView password recovery tool
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • 60L3nw00Uk.exe (PID: 312 cmdline: 'C:\Users\user\Desktop\60L3nw00Uk.exe' MD5: 1E6EC142BA08C7DEAFD25BDEA76F32D4)
    • schtasks.exe (PID: 6832 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UaoePQDdm' /XML 'C:\Users\user\AppData\Local\Temp\tmp16F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 60L3nw00Uk.exe (PID: 6848 cmdline: C:\Users\user\Desktop\60L3nw00Uk.exe MD5: 1E6EC142BA08C7DEAFD25BDEA76F32D4)
      • vbc.exe (PID: 7024 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9B04.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 5260 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp9795.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.381558466.0000000003987000.00000004.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x15d586:$s1: HawkEye Keylogger
  • 0x15d5ef:$s1: HawkEye Keylogger
  • 0x1569c9:$s2: _ScreenshotLogger
  • 0x156996:$s3: _PasswordStealer
00000002.00000002.381558466.0000000003987000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000016.00000002.523503971.0000000000400000.00000040.00000001.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
00000016.00000002.523503971.0000000000400000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000006.00000002.605633875.0000000002E0F000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
6.3.60L3nw00Uk.exe.4565bd5.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
6.3.60L3nw00Uk.exe.45bdbda.1.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x11bb0:$a1: logins.json
  • 0x11b10:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x12334:$s4: \mozsqlite3.dll
  • 0x115a4:$s5: SMTP Password
6.3.60L3nw00Uk.exe.45bdbda.1.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
2.2.60L3nw00Uk.exe.3a5c958.1.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x85e2e:$s1: HawkEye Keylogger
  • 0x85e97:$s1: HawkEye Keylogger
  • 0x7f271:$s2: _ScreenshotLogger
  • 0x7f23e:$s3: _PasswordStealer
2.2.60L3nw00Uk.exe.3a5c958.1.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp
  • 0x85801:$name: ConfuserEx
  • 0x8450e:$compile: AssemblyTitle

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 60L3nw00Uk.exe, Metadefender: Detection: 20%
Source: 60L3nw00Uk.exe, ReversingLabs: Detection: 65%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\UaoePQDdm.exe, Metadefender: Detection: 20%
Source: C:\Users\user\AppData\Roaming\UaoePQDdm.exe, ReversingLabs: Detection: 65%
Source: 6.2.60L3nw00Uk.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 60L3nw00Uk.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 60L3nw00Uk.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: 60L3nw00Uk.exe, 00000006.00000003.379220023.0000000004565000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: 60L3nw00Uk.exe, 00000006.00000002.605633875.0000000002E0F000.00000004.00000001.sdmp, vbc.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 7_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,7_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 7_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,7_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 22_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,22_2_0040702D
Source: vbc.exe, String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 60L3nw00Uk.exe, 00000006.00000002.604780389.0000000002D03000.00000004.00000001.sdmp, String found in binary or memory: http://bot.whatismyipaddress.com/
Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xDME?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yG8H?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yKf2?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ylKx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1kc8s?m=6&o=true&u=true&n=true&w=30&h=30
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMQmHU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMVUFn?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBRUB0d?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBS0Ogx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuaWG?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0:
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0B
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0E
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0F
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0K
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0M
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0R
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://ocsp.msocsp.com0
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://ocsp.pki.goog/gsr202
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://ocsp.pki.goog/gts1o1core0
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
            Source: 60L3nw00Uk.exe, 00000006.00000002.604780389.0000000002D03000.00000004.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.php
            Source: 60L3nw00Uk.exe, 00000002.00000002.381558466.0000000003987000.00000004.00000001.sdmp, 60L3nw00Uk.exe, 00000006.00000002.603039803.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
            Source: 60L3nw00Uk.exe, 00000006.00000002.604780389.0000000002D03000.00000004.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
            Source: 60L3nw00Uk.exe, 00000002.00000002.380209170.0000000002891000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AABzUSt.img?h=368&w=622
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsAOZ.img?h=333&w=311
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsZuW.img?h=166&w=310
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv9IZ.img?h=75&w=100&
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=166&w=310
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=166&w=310
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhax.img?h=166&w=310
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvqEs.img?h=166&w=310
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvuGs.img?h=333&w=311
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvzqT.img?h=166&w=310
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xDME.img?h=75&w=100
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yG8H.img?h=166&w=31
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=75&w=100
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true&
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMQmHU.img?h=16&w=16&m
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBS0Ogx.img?h=75&w=100&
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuaWG.img?h=16&w=16&m
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
            Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: 60L3nw00Uk.exe, 00000002.00000002.379949260.0000000000E87000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: 60L3nw00Uk.exe, 00000002.00000002.379949260.0000000000E87000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.com-
            Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: 60L3nw00Uk.exe, 00000002.00000002.379949260.0000000000E87000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comuevaq
            Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
            Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://www.msn.com
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://www.msn.com/
            Source: vbc.exe, 00000007.00000003.390702879.0000000000954000.00000004.00000001.sdmp, bhv34B0.tmp.7.drString found in binary or memory: http://www.msn.com/?ocid=iehp
            Source: vbc.exe, 00000007.00000003.392472113.000000000096E000.00000004.00000001.sdmp, vbc.exe, 00000007.00000003.390971803.000000000096D000.00000004.00000001.sdmp, vbc.exe, 00000007.00000003.390405135.0000000000963000.00000004.00000001.sdmp, vbc.exe, 00000007.00000003.390529179.000000000096D000.00000004.00000001.sdmp, vbc.exe, 00000007.00000003.390440637.000000000096D000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.co
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
            Source: bhv34B0.tmp.7.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
            Source: vbc.exe, 00000007.00000002.393310121.000000000019C000.00000004.00000001.sdmpString found in binary or memory: http://www.nirsoft.net
            Source: vbc.exe, vbc.exe, 00000016.00000002.523503971.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
            Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
            Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
            Source: 60L3nw00Uk.exe, 00000002.00000003.344397438.0000000000E8C000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comn-u
            Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
            Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: 60L3nw00Uk.exe, 00000002.00000002.385496954.0000000006912000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: bhv34B0.tmp.7.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
            Source: vbc.exe, 00000007.00000003.392472113.000000000096E000.00000004.00000001.sdmp, vbc.exe, 00000007.00000002.393778049.0000000000970000.00000004.00000001.sdmp, vbc.exe, 00000007.00000003.390971803.000000000096D000.00000004.00000001.sdmp, vbc.exe, 00000007.00000003.390529179.000000000096D000.00000004.00000001.sdmp, bhv34B0.tmp.7.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
            Source: bhv34B0.tmp.7.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
            Source: 60L3nw00Uk.exe, 00000006.00000002.604780389.0000000002D03000.00000004.00000001.sdmpString found in binary or memory: https://a.pomf.cat/
            Source: bhv34B0.tmp.7.drString found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt
            Source: vbc.exe, 00000007.00000003.390702879.0000000000954000.00000004.00000001.sdmp, bhv34B0.tmp.7.drString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=
            Source: bhv34B0.tmp.7.drString found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
            Source: bhv34B0.tmp.7.drString found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
            Source: bhv34B0.tmp.7.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
            Source: bhv34B0.tmp.7.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
            Source: bhv34B0.tmp.7.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
            Source: bhv34B0.tmp.7.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
            Source: bhv34B0.tmp.7.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
            Source: bhv34B0.tmp.7.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected HawkEye Keylogger
            Source: Yara match, File source: 2.2.60L3nw00Uk.exe.3a5c958.1.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 6.2.60L3nw00Uk.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 2.2.60L3nw00Uk.exe.3a5c958.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 2.2.60L3nw00Uk.exe.39871a0.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000002.00000002.381558466.0000000003987000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000002.00000002.382445641.0000000003B17000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000006.00000002.603039803.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000006.00000002.604780389.0000000002D03000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: 60L3nw00Uk.exe PID: 312, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: 60L3nw00Uk.exe PID: 6848, type: MEMORYSTR
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 7_2_0040F078 OpenClipboard,GetLastError,DeleteFileW, 7_2_0040F078

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 6.3.60L3nw00Uk.exe.45bdbda.1.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
            Source: 2.2.60L3nw00Uk.exe.3a5c958.1.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
            Source: 2.2.60L3nw00Uk.exe.3a5c958.1.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
            Source: 6.2.60L3nw00Uk.exe.3d91990.2.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
            Source: 22.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
            Source: 6.2.60L3nw00Uk.exe.3d91990.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
            Source: 22.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
            Source: 6.2.60L3nw00Uk.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
            Source: 6.2.60L3nw00Uk.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
            Source: 6.3.60L3nw00Uk.exe.45bdbda.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
            Source: 2.2.60L3nw00Uk.exe.3a5c958.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
            Source: 2.2.60L3nw00Uk.exe.3a5c958.1.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
            Source: 6.3.60L3nw00Uk.exe.4565890.2.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
            Source: 2.2.60L3nw00Uk.exe.39871a0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
            Source: 2.2.60L3nw00Uk.exe.39871a0.2.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
            Source: 6.3.60L3nw00Uk.exe.4565890.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
            Source: 6.3.60L3nw00Uk.exe.4565bd5.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
            Source: 6.2.60L3nw00Uk.exe.3cf5950.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
            Source: 00000002.00000002.381558466.0000000003987000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
            Source: 00000016.00000002.523503971.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
            Source: 00000002.00000002.382445641.0000000003B17000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
            Source: 00000006.00000002.603039803.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
            Source: 00000006.00000002.604780389.0000000002D03000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
            Source: Process Memory Space: 60L3nw00Uk.exe PID: 312, type: MEMORYSTR, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
            Source: Process Memory Space: 60L3nw00Uk.exe PID: 6848, type: MEMORYSTR, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
            Source: 60L3nw00Uk.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
            Source: 6.3.60L3nw00Uk.exe.45bdbda.1.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 2.2.60L3nw00Uk.exe.3a5c958.1.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 2.2.60L3nw00Uk.exe.3a5c958.1.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 2.2.60L3nw00Uk.exe.3a5c958.1.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 6.2.60L3nw00Uk.exe.3d91990.2.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 22.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 6.2.60L3nw00Uk.exe.3d91990.2.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 22.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 6.2.60L3nw00Uk.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 6.2.60L3nw00Uk.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 6.2.60L3nw00Uk.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 6.3.60L3nw00Uk.exe.45bdbda.1.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 2.2.60L3nw00Uk.exe.3a5c958.1.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 2.2.60L3nw00Uk.exe.3a5c958.1.raw.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 2.2.60L3nw00Uk.exe.3a5c958.1.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 6.3.60L3nw00Uk.exe.4565890.2.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 2.2.60L3nw00Uk.exe.39871a0.2.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 2.2.60L3nw00Uk.exe.39871a0.2.raw.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 2.2.60L3nw00Uk.exe.39871a0.2.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 6.3.60L3nw00Uk.exe.4565890.2.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 6.3.60L3nw00Uk.exe.4565bd5.0.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 6.2.60L3nw00Uk.exe.3cf5950.3.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000002.00000002.381558466.0000000003987000.00000004.00000001.sdmp, type: MEMORY, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000016.00000002.523503971.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000002.00000002.382445641.0000000003B17000.00000004.00000001.sdmp, type: MEMORY, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000006.00000002.603039803.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000006.00000002.604780389.0000000002D03000.00000004.00000001.sdmp, type: MEMORY, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: Process Memory Space: 60L3nw00Uk.exe PID: 312, type: MEMORYSTR, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: Process Memory Space: 60L3nw00Uk.exe PID: 6848, type: MEMORYSTRMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: C:\Users\user\Desktop\60L3nw00Uk.exe, Code function: 6_2_05B91398 NtUnmapViewOfSection
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 7_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle
            Source: 60L3nw00Uk.exe, 00000002.00000002.381558466.0000000003987000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameReborn Stub.exe" vs 60L3nw00Uk.exe
            Source: 60L3nw00Uk.exe, 00000002.00000003.374214546.000000000E0E0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameIPathLo.exe( vs 60L3nw00Uk.exe
            Source: 60L3nw00Uk.exe, 00000002.00000002.383526468.0000000003D5A000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs 60L3nw00Uk.exe