Windows Analysis Report g4FtSOZMD9

Overview

General Information

Sample Name: g4FtSOZMD9 (renamed file extension from none to exe)
Analysis ID: 547022
MD5: 81f377eda4163da1b74cae83e38ced9f
SHA1: e50abaf01a9fd3ae8176b5b6117f6b8f8a355ec0
SHA256: a16d035ca37dbd7ab34c856f4cdf96a9898dcebba08c5801c99f3d3100ae6b3f
Tags: 32, exe, trojan
Detection

GuLoader Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Detected unpacking (changes PE section rights)
GuLoader behavior detected
Sigma detected: Suspect Svchost Activity
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to detect Any.run
Connects to many ports of the same IP (likely port scanning)
Yara detected VB6 Downloader Generic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file registry)
Injects a PE file into a foreign processes
Creates autostart registry keys with suspicious values (likely registry only malware)
Yara detected WebBrowserPassView password recovery tool
Sigma detected: Suspicious Svchost Process
C2 URLs / IPs found in malware configuration
Tries to steal Instant Messenger accounts or passwords
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • g4FtSOZMD9.exe (PID: 7068 cmdline: "C:\Users\user\Desktop\g4FtSOZMD9.exe" MD5: 81F377EDA4163DA1B74CAE83E38CED9F)
    • g4FtSOZMD9.exe (PID: 5452 cmdline: "C:\Users\user\Desktop\g4FtSOZMD9.exe" MD5: 81F377EDA4163DA1B74CAE83E38CED9F)
      • svchost.exe (PID: 2948 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
      • g4FtSOZMD9.exe (PID: 5524 cmdline: C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\iwxzjjveuvjtvtlo" MD5: 81F377EDA4163DA1B74CAE83E38CED9F)
      • g4FtSOZMD9.exe (PID: 3920 cmdline: C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\srdskbfyidbgfzzawoj" MD5: 81F377EDA4163DA1B74CAE83E38CED9F)
      • g4FtSOZMD9.exe (PID: 5972 cmdline: C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\vtilcuqzwmtlifvenyefmr" MD5: 81F377EDA4163DA1B74CAE83E38CED9F)
  • cleanup

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "nhtaxfilling.ddnsgeek.com:62758:1", "Assigned name": "1040", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "Clock.exe", "Startup value": "Clock", "Hide file": "Enable", "Mutex": "Remcos-UGB110", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Enable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Enable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Clock", "Keylog folder": "Clock", "Keylog file max size": "100000"}

Threatname: GuLoader

{"Payload URL": "http://147.189.137.168/1040_RyQoPlW98.bin"}

Yara Overview

Memory Dumps

Source: 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
Source: 00000009.00000003.582459498.0000000001C39000.00000004.00000001.sdmp, Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
  • Strings: 0xfc74:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Source: 00000009.00000000.462063926.00000000017A0000.00000040.00000001.sdmp, Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
Source: Process Memory Space: g4FtSOZMD9.exe PID: 7068, Rule: JoeSecurity_VB6DownloaderGeneric, Description: Yara detected VB6 Downloader Generic, Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started, Author: David Burkett, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\g4FtSOZMD9.exe" , ParentImage: C:\Users\user\Desktop\g4FtSOZMD9.exe, ParentProcessId: 5452, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 2948
Sigma detected: Suspicious Svchost Process
Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\g4FtSOZMD9.exe" , ParentImage: C:\Users\user\Desktop\g4FtSOZMD9.exe, ParentProcessId: 5452, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 2948
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started, Author: vburov, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\g4FtSOZMD9.exe" , ParentImage: C:\Users\user\Desktop\g4FtSOZMD9.exe, ParentProcessId: 5452, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 2948

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": "nhtaxfilling.ddnsgeek.com:62758:1", "Assigned name": "1040", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "Clock.exe", "Startup value": "Clock", "Hide file": "Enable", "Mutex": "Remcos-UGB110", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Enable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Enable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Clock", "Keylog folder": "Clock", "Keylog file max size": "100000"}
Source: 00000000.00000002.471018381.0000000002280000.00000040.00000001.sdmp, Malware Configuration Extractor: GuLoader {"Payload URL": "http://147.189.137.168/1040_RyQoPlW98.bin"}
Multi AV Scanner detection for submitted file
Source: g4FtSOZMD9.exe, Virustotal: Detection: 22%
Yara detected Remcos RAT
Source: Yara match, File source: 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: g4FtSOZMD9.exe PID: 5452, type: MEMORYSTR
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.exe, ReversingLabs: Detection: 16%
Source: 9.0.g4FtSOZMD9.exe.400000.2.unpack, Avira: Label: TR/Dropper.VB.Gen
Source: 0.0.g4FtSOZMD9.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
Source: 21.0.g4FtSOZMD9.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
Source: 9.0.g4FtSOZMD9.exe.400000.3.unpack, Avira: Label: TR/Dropper.VB.Gen
Source: 22.0.g4FtSOZMD9.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
Source: 9.0.g4FtSOZMD9.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
Source: 0.2.g4FtSOZMD9.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
Source: 9.0.g4FtSOZMD9.exe.400000.1.unpack, Avira: Label: TR/Dropper.VB.Gen
Source: 23.0.g4FtSOZMD9.exe.400000.0.unpack, Avira: Label: TR/Dropper.VB.Gen
Source: g4FtSOZMD9.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe, Code function: 22_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,22_2_00407898
Source: C:\Users\user\Desktop\g4FtSOZMD9.exe, Code function: 23_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,23_2_00407C87

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.6:49835 -> 147.189.137.168:80
Connects to many ports of the same IP (likely port scanning)
Source: global traffic, TCP traffic: 207.32.218.236 ports 62758,2,5,6,7,8
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: nhtaxfilling.ddnsgeek.com
Source: Malware configuration extractor, URLs: http://147.189.137.168/1040_RyQoPlW98.bin
Source: Joe Sandbox View, ASN Name: JANETJiscServicesLimitedGB JANETJiscServicesLimitedGB
Source: Joe Sandbox View, ASN Name: 1GSERVERSUS 1GSERVERSUS
Source: global traffic, HTTP traffic detected:
  GET /1040_RyQoPlW98.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: 147.189.137.168
  Cache-Control: no-cache
Source: global traffic, TCP traffic: 192.168.2.6:49836 -> 207.32.218.236:62758
Source: unknown, TCP traffic detected without corresponding DNS query: 147.189.137.168
Source: g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: g4FtSOZMD9.exe, String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: g4FtSOZMD9.exe, 00000015.00000001.607183345.0000000000400000.00000040.00020000.sdmp, String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: g4FtSOZMD9.exe, 00000009.00000002.620742317.0000000001AB0000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000002.620803230.0000000001BD7000.00000004.00000020.sdmp, String found in binary or memory: http://147.189.137.168/1040_RyQoPlW98.bin
Source: g4FtSOZMD9.exe, 00000009.00000002.620803230.0000000001BD7000.00000004.00000020.sdmp, String found in binary or memory: http://147.189.137.168/1040_RyQoPlW98.bin~:
          Source: g4FtSOZMD9.exe, 00000009.00000003.577311939.0000000020E52000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000002.624858543.0000000020E50000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.596412607.0000000020E50000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000009.00000003.577281474.0000000020E41000.00000004.00000001.sdmpString found in binary or memory: http://ns.adobe.c/g?
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://ocsp.digicert.com0
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://ocsp.digicert.com0:
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://ocsp.digicert.com0B
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://ocsp.digicert.com0E
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://ocsp.digicert.com0F
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://ocsp.digicert.com0K
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://ocsp.digicert.com0M
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://ocsp.digicert.com0R
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://ocsp.msocsp.com0
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://ocsp.pki.goog/gsr202
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://ocsp.pki.goog/gts1o1core0
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AABzUSt.img?h=368&w=622
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsAOZ.img?h=333&w=311
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsZuW.img?h=166&w=310
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv9IZ.img?h=75&w=100&
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=166&w=310
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=166&w=310
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhax.img?h=166&w=310
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvqEs.img?h=166&w=310
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvuGs.img?h=333&w=311
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvzqT.img?h=166&w=310
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xDME.img?h=75&w=100
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yG8H.img?h=166&w=31
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=75&w=100
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true&
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMQmHU.img?h=16&w=16&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBS0Ogx.img?h=75&w=100&
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuaWG.img?h=16&w=16&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
          Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.ebuddy.com
          Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.imvu.com
          Source: g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
          Source: g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.imvu.comr
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://www.msn.com
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://www.msn.com/
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://www.msn.com/?ocid=iehp
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
          Source: bhvFAB7.tmp.21.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
          Source: g4FtSOZMD9.exe, 00000017.00000002.610475093.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://contextual.media.net/
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://contextual.media.net/48/nrrV18753.js
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://cvision.media.net/new/286x175/2/189/134/171/257b11a9-f3a3-4bb3-9298-c791f456f3d0.jpg?v=9
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://cvision.media.net/new/286x175/3/248/152/169/520bb037-5f8d-42d6-934b-d6ec4a6832e8.jpg?v=9
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://cvision.media.net/new/300x300/2/189/9/46/83cfba42-7d45-4670-a4a7-a3211ca07534.jpg?v=9
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://cvision.media.net/new/300x300/3/237/70/222/47ef75a1-aa03-4dce-a349-91d6a5ed47bb.jpg?v=9
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9B620FEE
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://fonts.googleapis.com/css?family=Google
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWeTGO?ver=8c74&q=90&m=
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
          Source: g4FtSOZMD9.exeString found in binary or memory: https://login.yahoo.com/config/login
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/MeControl.js
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://pki.goog/repository/0
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=fa1a6a09db4c4f6fbf480b78c51caf60&c=MSN&d=http%3A%2F%2Fwww.msn
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://www.digicert.com/CPS0
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://www.google-analytics.com/analytics.js
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=1824632442.1601478955
          Source: g4FtSOZMD9.exe, g4FtSOZMD9.exe, 00000016.00000002.609624686.0000000000400000.00000040.00000001.sdmpString found in binary or memory: https://www.google.com
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://www.google.com/
          Source: g4FtSOZMD9.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://www.google.com/chrome
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://www.google.com/chrome/
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
          Source: g4FtSOZMD9.exe, 00000015.00000003.616430526.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616818269.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616919140.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616667092.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616571537.0000000002283000.00000004.00000001.sdmp, g4FtSOZMD9.exe, 00000015.00000003.616756654.0000000002283000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex
          Source: bhvFAB7.tmp.21.drString found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
          Source: unknown, DNS traffic detected: queries for: nhtaxfilling.ddnsgeek.com
          Source: global traffic, HTTP traffic detected: GET /1040_RyQoPlW98.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: 147.189.137.168 | Cache-Control: no-cache

          Key, Mouse, Clipboard, Microphone and Screen Capturing:

          Installs a global keyboard hook
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe, Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\g4FtSOZMD9.exe
          Source: C:\Users\user\Desktop\g4FtSOZMD9.exe, Code function: 22_2_0040BA30 GetTempPathA, GetWindowsDirectoryA, GetTempFileNameA, OpenClipboard, GetLastError, DeleteFileA, 22_2_0040BA30

          E-Banking Fraud:

          Yara detected Remcos RAT
          Source: Yara match, File source: 00000009.00000002.620873156.0000000001C23000.00000004.00000020.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: g4FtSOZMD9.exe PID: 5452, type: MEMORYSTR

          System Summary: