Analysis Report sample4.bin

Overview

General Information

Sample Name: sample4.bin (renamed file extension from bin to exe)
Analysis ID: 339451
MD5: 5009b8bcf024704c8b23e42c492f118c
SHA1: df607367a88b5610a224909efb8debeb0d90f487
SHA256: 30f099660904079afcd445409cfd2eca735fab49dda522f03ed60d47f9f21bdc

Detection

IcedID
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected IcedID
Yara detected IcedID
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: sample4.exe Avira: detected
Multi AV Scanner detection for domain / URL
Source: gegemony4you.top Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: sample4.exe Virustotal: Detection: 77%
Source: sample4.exe ReversingLabs: Detection: 79%
Yara detected IcedID
Source: Yara match File source: Process Memory Space: sample4.exe PID: 2100, type: MEMORY
Yara detected IcedID
Source: Yara match File source: 00000000.00000003.362692606.0000000001320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.sample4.exe.d0000.0.unpack, type: UNPACKEDPE

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\sample4.exe Unpacked PE file: 0.2.sample4.exe.d0000.0.unpack
Uses 32bit PE files
Source: sample4.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown HTTPS traffic detected: 104.244.42.131:443 -> 192.168.2.3:49761 version: TLS 1.2
Source: sample4.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msvcrt.pdbk source: WerFault.exe, 00000011.00000003.373483424.0000000004FC2000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbT source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb6 source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb7 source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.373483424.0000000004FC2000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb) source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416219741.00000000052E6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441846238.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb? source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdbf source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdbt source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb- source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb, source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdbx source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbl source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: comdlg32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb| source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000011.00000003.373534997.0000000004FD3000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391511057.0000000004C84000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: webio.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: oleacc.pdb1 source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb7 source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbH source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb# source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416219741.00000000052E6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441846238.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb~ source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source: Binary string: msimg32.pdbT source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb1 source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb/ source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: ncrypt.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdbk source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416219741.00000000052E6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441846238.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb) source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb/ source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb& source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb` source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: oleacc.pdb^ source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb" source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: ncryptsslp.pdb= source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: c:\Schoolwheel\Commontie\hithere\anyhit\Subtractmountain\TakeLand\Whilecardstone.pdb source: sample4.exe
Source: Binary string: nsi.pdb_ source: WerFault.exe, 00000011.00000003.373534997.0000000004FD3000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391511057.0000000004C84000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdbh source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb; source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416219741.00000000052E6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441846238.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source: Binary string: oleacc.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb; source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: wininet.pdbJ source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb# source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdbZ source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb_ source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb5 source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb- source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb% source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: msimg32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbF source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb, source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp
Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000011.00000003.368397809.0000000004C0E000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.385905313.0000000004A4D000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.409232348.0000000002FAA000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.436877307.00000000051E4000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb# source: WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb@ source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000011.00000003.368794303.0000000003011000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.385888353.0000000002BCD000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbv source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdbR source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: webio.pdbr source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb: source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb^ source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbX source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb_ source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbF source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbj source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: webio.pdb< source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb0 source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb9 source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_00125BE6 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose, 0_2_00125BE6

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.244.42.131 104.244.42.131
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp String found in binary or memory: <a class="ac-gf-directory-column-section-link analytics-exitlink" data-analytics-event="link.click" data-analytics-link-component_type="Simple List" data-analytics-link-component_name="Apple Support Videos" data-analytics-link-url="https://www.youtube.com/applesupport" href="https://www.youtube.com/applesupport" rel="nofollow">Apple Support Videos</a></li> equals www.youtube.com (Youtube)
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp String found in binary or memory: <a class="as-social-channel-link analytics-exitlink" data-analytics-event="link.component_click" data-analytics-link-component_type="Social Channel" data-analytics-link-component_name="Visit @AppleSupport on Twitter" data-analytics-link-url="https://twitter.com/AppleSupport" href="https://twitter.com/AppleSupport"><img src="/content/dam/edam/applecare/images/en_US/more_icons/social-icon-twitter.png" alt="Visit @AppleSupport on Twitter" width="32" class="as-social-channel-img" height="32"></a><a class="as-social-channel-link analytics-exitlink" data-analytics-event="link.component_click" data-analytics-link-component_type="Social Channel" data-analytics-link-component_name="Visit Apple Support on YouTube" data-analytics-link-url="https://www.youtube.com/applesupport" href="https://www.youtube.com/applesupport" rel="nofollow"><img src="/content/dam/edam/applecare/images/en_US/more_icons/social-icon-youtube.png" alt="Visit Apple Support on YouTube" width="32" class="as-social-channel-img" height="32"></a></div> equals www.twitter.com (Twitter)
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp String found in binary or memory: <a class="as-social-channel-link analytics-exitlink" data-analytics-event="link.component_click" data-analytics-link-component_type="Social Channel" data-analytics-link-component_name="Visit @AppleSupport on Twitter" data-analytics-link-url="https://twitter.com/AppleSupport" href="https://twitter.com/AppleSupport"><img src="/content/dam/edam/applecare/images/en_US/more_icons/social-icon-twitter.png" alt="Visit @AppleSupport on Twitter" width="32" class="as-social-channel-img" height="32"></a><a class="as-social-channel-link analytics-exitlink" data-analytics-event="link.component_click" data-analytics-link-component_type="Social Channel" data-analytics-link-component_name="Visit Apple Support on YouTube" data-analytics-link-url="https://www.youtube.com/applesupport" href="https://www.youtube.com/applesupport" rel="nofollow"><img src="/content/dam/edam/applecare/images/en_US/more_icons/social-icon-youtube.png" alt="Visit Apple Support on YouTube" width="32" class="as-social-channel-img" height="32"></a></div> equals www.youtube.com (Youtube)
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp String found in binary or memory: "https://www.youtube.com/applesupport", equals www.youtube.com (Youtube)
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp String found in binary or memory: ccontent-security-policy: default-src 'self' ; connect-src 'self' https://api.twitter.com https://syndication.twitter.com https://www.google-analytics.com https://*.tt.omtrdc.net https://s1259914507.t.eloqua.com https://resources.digital-cloud-prem.medallia.com https://udc-neb.kampyle.com/ https://feedback.digital-cloud-prem.medallia.com; font-src 'self' https://*.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com data:; frame-src 'self' https://twitter.com https://*.twitter.com; img-src 'self' https://*.twimg.com https://*.twitter.com https://www.google-analytics.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com https://twitter.com/i/jot https://udc-neb.kampyle.com/ data:; media-src 'self' https://*.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; object-src 'self' ; script-src 'self' 'sha256-ppW1Vv+qSVcs+/pIj1ZXvMiCLoyHyCdRqtDMeK9fQ9w=' https://*.twitter.com https://static.ads-twitter.com 'nonce-4f455c5f4ddc2e0bfe34643ab6a64d2'; style-src 'self' 'unsafe-inline' https://*.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; report-uri https://twitter.com/i/csp_report; frame-ancestors 'self' equals www.twitter.com (Twitter)
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp String found in binary or memory: content-security-policy: default-src 'self' ; connect-src 'self' https://api.twitter.com https://syndication.twitter.com https://www.google-analytics.com https://*.tt.omtrdc.net https://s1259914507.t.eloqua.com https://resources.digital-cloud-prem.medallia.com https://udc-neb.kampyle.com/ https://feedback.digital-cloud-prem.medallia.com; font-src 'self' https://*.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com data:; frame-src 'self' https://twitter.com https://*.twitter.com; img-src 'self' https://*.twimg.com https://*.twitter.com https://www.google-analytics.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com https://twitter.com/i/jot https://udc-neb.kampyle.com/ data:; media-src 'self' https://*.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; object-src 'self' ; script-src 'self' 'sha256-ppW1Vv+qSVcs+/pIj1ZXvMiCLoyHyCdRqtDMeK9fQ9w=' https://*.twitter.com https://static.ads-twitter.com 'nonce-4f455c5f4ddc2e0bfe34643ab6a64d2'; style-src 'self' 'unsafe-inline' https://*.twimg.com https://*.twitter.com https://cdn.cms-twdigita equals www.twitter.com (Twitter)
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp String found in binary or memory: content-security-policy: default-src 'self' ; connect-src 'self' https://api.twitter.com https://syndication.twitter.com https://www.google-analytics.com https://*.tt.omtrdc.net https://s1259914507.t.eloqua.com https://resources.digital-cloud-prem.medallia.com https://udc-neb.kampyle.com/ https://feedback.digital-cloud-prem.medallia.com; font-src 'self' https://*.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com data:; frame-src 'self' https://twitter.com https://*.twitter.com; img-src 'self' https://*.twimg.com https://*.twitter.com https://www.google-analytics.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com https://twitter.com/i/jot https://udc-neb.kampyle.com/ data:; media-src 'self' https://*.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; object-src 'self' ; script-src 'self' 'sha256-ppW1Vv+qSVcs+/pIj1ZXvMiCLoyHyCdRqtDMeK9fQ9w=' https://*.twitter.com https://static.ads-twitter.com 'nonce-4f455c5f4ddc2e0bfe34643ab6a64d2'; style-src 'self' 'unsafe-inline' https://*.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; report-uri https://twitter.com/i/csp_report; frame-ancestors 'self' equals www.twitter.com (Twitter)
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp String found in binary or memory: content-security-policy: default-src 'self' ; connect-src 'self' https://api.twitter.com https://syndication.twitter.com https://www.google-analytics.com https://*.tt.omtrdc.net https://s1259914507.t.eloqua.com https://resources.digital-cloud-prem.medallia.com https://udc-neb.kampyle.com/ https://feedback.digital-cloud-prem.medallia.com; font-src 'self' https://*.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com data:; frame-src 'self' https://twitter.com https://*.twitter.com; img-src 'self' https://*.twimg.com https://*.twitter.com https://www.google-analytics.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com https://twitter.com/i/jot https://udc-neb.kampyle.com/ data:; media-src 'self' https://*.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; object-src 'self' ; script-src 'self' 'sha256-ppW1Vv+qSVcs+/pIj1ZXvMiCLoyHyCdRqtDMeK9fQ9w=' https://*.twitter.com https://static.ads-twitter.com 'nonce-66a7b38d8dab6de95efafad032bbc48'; style-src 'self' 'unsafe-inline' https://*.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; report-uri https://twitter.com/i/csp_report; frame-ancestors 'self' equals www.twitter.com (Twitter)
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp String found in binary or memory: default-src 'self' ; connect-src 'self' https://api.twitter.com https://syndication.twitter.com https://www.google-analytics.com https://*.tt.omtrdc.net https://s1259914507.t.eloqua.com https://resources.digital-cloud-prem.medallia.com https://udc-neb.kampyle.com/ https://feedback.digital-cloud-prem.medallia.com; font-src 'self' https://*.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com data:; frame-src 'self' https://twitter.com https://*.twitter.com; img-src 'self' https://*.twimg.com https://*.twitter.com https://www.google-analytics.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com https://twitter.com/i/jot https://udc-neb.kampyle.com/ data:; media-src 'self' https://*.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; object-src 'self' ; script-src 'self' 'sha256-ppW1Vv+qSVcs+/pIj1ZXvMiCLoyHyCdRqtDMeK9fQ9w=' https://*.twitter.com https://static.ads-twitter.com 'nonce-4f455c5f4ddc2e0bfe34643ab6a64d2'; style-src 'self' 'unsafe-inline' https://*.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; report-uri https://twitter.com/i/csp_report; frame-ancestors 'self' equals www.twitter.com (Twitter)
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp String found in binary or memory: x-response-time106x-frame-optionsSAMEORIGINx-connection-hash395ee1170928cc07d57c2eb030caea0fstrict-transport-securitymax-age=631138519content-security-policydefault-src 'self' ; connect-src 'self' https://api.twitter.com https://syndication.twitter.com https://www.google-analytics.com https://*.tt.omtrdc.net https://s1259914507.t.eloqua.com https://resources.digital-cloud-prem.medallia.com https://udc-neb.kampyle.com/ https://feedback.digital-cloud-prem.medallia.com; font-src 'self' https://*.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com data:; frame-src 'self' https://twitter.com https://*.twitter.com; img-src 'self' https://*.twimg.com https://*.twitter.com https://www.google-analytics.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com https://twitter.com/i/jot https://udc-neb.kampyle.com/ data:; media-src 'self' https://*.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; object-src 'self' ; script-src 'self' 'sha256-ppW1Vv+qSVcs+/pIj1ZXvMiCLoyHyCdRqtDMeK9fQ9w=' https://*.twitter.com https://static.ads-twitter.com 'nonce-4f455c5f4ddc2e0bfe34643ab6a64d2'; style-src 'self' 'unsafe-inline' https://*.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; report-uri https://twitter.com/i/csp_report; frame-ancestors 'self'Persistent-AuthWWW-AuthenticateCookie,X-Twitter-Internal,X-Twitter-IP-TagsVarycms-csp-nonce=4f455c5f4ddc2e0bfe34643ab6a64d2; Max-Age=15; Expires=Thu, 14 Jan 2021 03:05:33 GMT; Path=/; Securect0=7258d2ba7a6c2d02c3400c3a2bdda373; Max-Age=21600; Expires=Thu, 14 Jan 2021 09:05:18 GMT; Path=/; Domain=.twitter.com; Secureguest_id=v1%3A161059351865331646; Max-Age=63072000; Expires=Sat, 14 Jan 2023 03:05:18 GMT; Path=/; Domain=.twitter.com; Secure; 
SameSite=Nonepersonalization_id="v1_SvL+XoOy6IEEqs+XhRe5GQ=="; Max-Age=63072000; Expires=Sat, 14 Jan 2023 03:05:18 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=NoneSet-Cookietsa_oServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocation"2ad86-5b8cc985f752d"ETagAuthentication-Info29766AgebytesAccept-RangesWed, 13 Jan 2021 18:49:12 GMTLast-ModifiedThu, 14 Jan 2021 03:15:18 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingapplication/javascriptContent-Type175494Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 14 Jan 2021 03:05:18 GMTDateProxy-ConnectionConnectionmax-age=600Cache-Controlp equals www.twitter.com (Twitter)
Source: unknown DNS traffic detected: queries for: g.msn.com
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp String found in binary or memory: http://certs.apple.com/apevsrsa2g1.der06
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp String found in binary or memory: http://crl.apple.com/apevsrsa2g1.crl0
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.apple.com/ocsp03-apevsrsa2g1010
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0K
Source: sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp String found in binary or memory: http://ogp.me/ns#
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp String found in binary or memory: http://schema.org
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/Organization
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/VideoObject
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp String found in binary or memory: http://www.apple.com/support/products/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://about.twitter.com/en_us/company.html
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://about.twitter.com/en_us/company/brand-resources.html
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://about.twitter.com/en_us/company/twitter-for-good.html
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://about.twitter.com/en_us/safety.html
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp String found in binary or memory: https://abs.twimg.com/favicons/favicon.ico
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp String found in binary or memory: https://api.twitter.com
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp String found in binary or memory: https://apps.apple.com/app/apple-store/id1130498044?pt=2003&amp;ct=support.footer&amp;mt=8
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp String found in binary or memory: https://apps.apple.com/app/apple-store/id1130498044?pt=2003&ct=support.footer&mt=8
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.3.1.js
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://blog.twitter.com/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://blog.twitter.com/developer/
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp String found in binary or memory: https://blog.twitter.com/en_us/topics/company/2020/allyship-right-now-black-lives-matter.html
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp String found in binary or memory: https://blog.twitter.com/en_us/topics/company/2020/covid-19.html
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://blog.twitter.com/engineering/en_us.html
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://business.twitter.com/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://business.twitter.com/en/advertising.html
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://business.twitter.com/en/help.html
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://business.twitter.com/en/resources.html
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp String found in binary or memory: https://c3web.trafficmanager.net/topic/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://cards-dev.twitter.com/validator
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://careers.twitter.com/
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp String found in binary or memory: https://cdn.cms-twdigita
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp String found in binary or memory: https://cdn.cms-twdigitalassets.com
Source: sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp String found in binary or memory: https://cdn.cms-twdigitalassets.com/content/dam/help-twitter/logos/card_wide_blue.png
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp String found in binary or memory: https://cdn.goglobalwithtwitter.com
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp String found in binary or memory: https://cdn.goglobalwithtwitter.com;
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp String found in binary or memory: https://channel9.msdn.com/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://data.twitter.com/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://developer.twitter.com/en
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://developer.twitter.com/en/community
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://developer.twitter.com/en/docs
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://developer.twitter.com/en/more/developer-terms
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp String found in binary or memory: https://discussions.apple.com
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp String found in binary or memory: https://eus-streaming-video-rt-microsoft-com.akamaized.net/51e203bd-a709-4164-8298-4679bd089499/7681
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp String found in binary or memory: https://feedback.digital-cloud-prem.medallia.com;
Source: sample4.exe, 00000000.00000002.577897876.0000000003C04000.00000004.00000001.sdmp String found in binary or memory: https://getsupport.apple.com/?caller=home&PRKEYS=
Source: sample4.exe, 00000000.00000002.577897876.0000000003C04000.00000004.00000001.sdmp String found in binary or memory: https://getsupport.apple.com/?caller=home&amp;PRKEYS=
Source: sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp String found in binary or memory: https://help.twitter.com
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://help.twitter.com/
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp String found in binary or memory: https://help.twitter.com/ar
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp String found in binary or memory: https://help.twitter.com/bg
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp String found in binary or memory: https://help.twitter.com/bn
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp String found in binary or memory: https://help.twitter.com/ca
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://help.twitter.com/contact-us
Source: sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp String found in binary or memory: https://help.twitter.com/content/dam/help-twitter/brand/logo.png
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp String found in binary or memory: https://help.twitter.com/cs
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp String found in binary or memory: https://help.twitter.com/da
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://help.twitter.com/de
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp String found in binary or memory: https://help.twitter.com/el
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://help.twitter.com/en
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp String found in binary or memory: https://help.twitter.com/en/a-safer-twitter
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://help.twitter.com/en/contact-us
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://help.twitter.com/en/glossary
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp String found in binary or memory: https://help.twitter.com/en/how-you-can-control-your-privacy
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://help.twitter.com/en/managing-your-account
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp String found in binary or memory: https://help.twitter.com/en/managing-your-account#account-settings
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown HTTPS traffic detected: 104.244.42.131:443 -> 192.168.2.3:49761 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_0012D175 GetPropW,GlobalFix,SendMessageW,GlobalUnWire,RemovePropW,GlobalFree,GlobalUnWire,GetAsyncKeyState,SendMessageW, 0_2_0012D175

E-Banking Fraud:

Yara detected IcedID
Source: Yara match File source: Process Memory Space: sample4.exe PID: 2100, type: MEMORY
Yara detected IcedID
Source: Yara match File source: 00000000.00000003.362692606.0000000001320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.sample4.exe.d0000.0.unpack, type: UNPACKEDPE

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\sample4.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_0026404F 0_2_0026404F
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_0026416F 0_2_0026416F
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_0024C56C 0_2_0024C56C
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_0017A7C0 0_2_0017A7C0
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_00264847 0_2_00264847
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_0025098E 0_2_0025098E
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_00152C34 0_2_00152C34
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_00256C80 0_2_00256C80
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_00290890 0_2_00290890
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_00290683 0_2_00290683
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\sample4.exe Code function: String function: 0024972F appears 62 times
Source: C:\Users\user\Desktop\sample4.exe Code function: String function: 00249810 appears 35 times
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 768
PE file contains strange resources
Source: sample4.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: sample4.exe, 00000000.00000002.568529716.0000000001370000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs sample4.exe
Source: sample4.exe, 00000000.00000002.567097557.00000000002C4000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamearra.exe` vs sample4.exe
Source: sample4.exe Binary or memory string: OriginalFilenamearra.exe` vs sample4.exe
Uses 32bit PE files
Source: sample4.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/20@8/2
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_0012D0B0 FindResourceW,LoadResource,LockResource,GlobalFree, 0_2_0012D0B0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2100
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERABCC.tmp
Source: sample4.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\sample4.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\sample4.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: sample4.exe Virustotal: Detection: 77%
Source: sample4.exe ReversingLabs: Detection: 79%
Source: unknown Process created: C:\Users\user\Desktop\sample4.exe 'C:\Users\user\Desktop\sample4.exe'
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 768
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 804
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 896
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 924
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1224
Source: sample4.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: sample4.exe Static file information: File size 2136576 > 1048576
Source: sample4.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1b0400
Source: sample4.exe Static PE information: More than 200 imports for USER32.dll
Source: sample4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: sample4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: sample4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: sample4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: sample4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: sample4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: sample4.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: sample4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
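Worked example (added here; not the sandbox's code): the static PE lines above are read from the COFF header (32BIT_MACHINE, EXECUTABLE_IMAGE), the PE32 optional header (TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT), the section table (.text flags and the 0x100000 virtual-size threshold) and the data directories, and the PDB paths listed below come from the CodeView RSDS record that IMAGE_DIRECTORY_ENTRY_DEBUG points at. Of those PDB strings, only the one sourced to sample4.exe (the Whilecardstone.pdb path) belongs to the sample; the WerFault.exe-sourced entries name Windows system modules captured in the crash reporter's own memory. The parser below recovers all of this from a PE32 image. The image it runs on is built inline and is a constructed stand-in, not sample4.exe, with a made-up PDB path and GUID; PE32+ is not handled.

```python
import struct
import uuid

# Flag tables for the values the report spells out (constants from winnt.h).
MACHINE_NAMES = {0x14C: "I386", 0x8664: "AMD64", 0x1C0: "ARM", 0xAA64: "ARM64"}
IMAGE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
                       0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_FLAGS = {0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
                 0x20000000: "IMAGE_SCN_MEM_EXECUTE", 0x40000000: "IMAGE_SCN_MEM_READ",
                 0x80000000: "IMAGE_SCN_MEM_WRITE"}
DATA_DIRECTORIES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
                    "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
                    "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
BIG_SECTION = 0x100000              # the 1 MiB .text threshold the report applies
IMAGE_DEBUG_TYPE_CODEVIEW = 2

def _flags(value, table):
    return sorted(name for bit, name in table.items() if value & bit)

def parse_pe(data):
    """Read the PE32 headers that the 'Static PE information' lines are derived from."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled; PE32+ lays the optional header out differently")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = {}
    for i in range(min(ndirs, 16)):
        va, size = struct.unpack_from("<II", data, opt + 96 + 8 * i)
        if va or size:
            dirs[DATA_DIRECTORIES[i]] = (va, size)
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, sflags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va, "raw_size": rsize,
                         "raw_pointer": rptr, "flags": _flags(sflags, SECTION_FLAGS)})
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)),
            "characteristics": _flags(chars, IMAGE_CHARACTERISTICS),
            "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
            "data_directories": dirs, "sections": sections,
            "oversized_sections": [s["name"] for s in sections if s["virtual_size"] > BIG_SECTION]}

def rva_to_offset(info, rva):
    for s in info["sections"]:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return rva - s["virtual_address"] + s["raw_pointer"]
    raise ValueError("RVA %#x is not backed by any section" % rva)

def pdb_records(data, info):
    """Return (pdb_path, guid, age) for each CodeView RSDS entry in IMAGE_DIRECTORY_ENTRY_DEBUG."""
    if "DEBUG" not in info["data_directories"]:
        return []
    va, size = info["data_directories"]["DEBUG"]
    off, out = rva_to_offset(info, va), []
    for i in range(size // 28):                          # sizeof(IMAGE_DEBUG_DIRECTORY) == 28
        _, _, _, _, dtype, dsize, _, raw = struct.unpack_from("<IIHHIIII", data, off + 28 * i)
        if dtype != IMAGE_DEBUG_TYPE_CODEVIEW or data[raw:raw + 4] != b"RSDS":
            continue
        guid = uuid.UUID(bytes_le=bytes(data[raw + 4:raw + 20]))
        age = struct.unpack_from("<I", data, raw + 20)[0]
        end = data.find(b"\0", raw + 24, raw + dsize)
        path = data[raw + 24:(end if end != -1 else raw + dsize)].decode("latin-1")
        out.append((path, str(guid), age))
    return out

def build_sample_pe():
    """Constructed PE32 image, not sample4.exe: .text is code/RX with a 0x1b0400 virtual size,
    .rdata holds one CODEVIEW debug entry and an RSDS record with a made-up PDB path and GUID."""
    pdb = b"c:\\example\\build\\constructed.pdb"
    guid = uuid.UUID("0f0e0d0c-0b0a-0908-0706-050403020100")
    rsds = b"RSDS" + guid.bytes_le + struct.pack("<I", 3) + pdb + b"\0"
    text_va, rdata_va, text_raw, rdata_raw = 0x1000, 0x1B2000, 0x200, 0x400
    dbg = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW, len(rsds),
                      rdata_va + 28, rdata_raw + 28)
    rdata = (dbg + rsds).ljust(0x200, b"\0")
    dos = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x80)).ljust(0x80, b"\0")   # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)   # I386, EXECUTABLE_IMAGE|32BIT_MACHINE
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0x200, 0x200, 0, text_va, text_va, rdata_va)
    opt += struct.pack("<IIIHHHHHHIIII", 0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0,
                       0, rdata_va + 0x1000, 0x200, 0)
    # Subsystem GUI; DllCharacteristics 0x8140 = DYNAMIC_BASE|NX_COMPAT|TERMINAL_SERVER_AWARE
    opt += struct.pack("<HHIIIIII", 2, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[6] = (rdata_va, 28)                             # only IMAGE_DIRECTORY_ENTRY_DEBUG is populated
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x1B0400, text_va, 0x200, text_raw, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".rdata", len(rdata), rdata_va, 0x200, rdata_raw, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + opt + secs).ljust(0x200, b"\0")
    return headers + b"\xCC" * 0x200 + rdata
```

Call parse_pe(build_sample_pe()) and pdb_records(...) on the result; on a real file, pass open(path, "rb").read() instead. The PDB path is attacker-controlled text, so treat it as an indicator to pivot on (the same build environment tends to leave the same path across a family's samples), not as something to trust or execute.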
Source: Binary string: msvcrt.pdbk source: WerFault.exe, 00000011.00000003.373483424.0000000004FC2000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbT source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb6 source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb7 source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.373483424.0000000004FC2000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb) source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416219741.00000000052E6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441846238.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb? source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdbf source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdbt source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb- source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb, source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdbx source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbl source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: comdlg32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb| source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000011.00000003.373534997.0000000004FD3000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391511057.0000000004C84000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: webio.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: oleacc.pdb1 source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb7 source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbH source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb# source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416219741.00000000052E6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441846238.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb~ source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source: Binary string: msimg32.pdbT source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb1 source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb/ source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: ncrypt.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdbk source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416219741.00000000052E6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441846238.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb) source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb/ source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb& source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb` source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: oleacc.pdb^ source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb" source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: ncryptsslp.pdb= source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: c:\Schoolwheel\Commontie\hithere\anyhit\Subtractmountain\TakeLand\Whilecardstone.pdb source: sample4.exe
Source: Binary string: nsi.pdb_ source: WerFault.exe, 00000011.00000003.373534997.0000000004FD3000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391511057.0000000004C84000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdbh source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb; source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416219741.00000000052E6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441846238.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source: Binary string: oleacc.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb; source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: wininet.pdbJ source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb# source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdbZ source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb_ source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb5 source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb- source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb% source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: msimg32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbF source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb, source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp
Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000011.00000003.368397809.0000000004C0E000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.385905313.0000000004A4D000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.409232348.0000000002FAA000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.436877307.00000000051E4000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb# source: WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb@ source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000011.00000003.368794303.0000000003011000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.385888353.0000000002BCD000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbv source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdbR source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: webio.pdbr source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb: source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb^ source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbX source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb_ source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbF source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbj source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: webio.pdb< source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb0 source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb9 source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\sample4.exe Unpacked PE file: 0.2.sample4.exe.d0000.0.unpack .text:ER;.data:W;.idata:R;.gfids:R;.giats:R;.tls:W;.rsrc:R;.reloc:R; vs .text:ER;bss:W;.rdata:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\sample4.exe Unpacked PE file: 0.2.sample4.exe.d0000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_000D1ECF wsprintfW,LoadLibraryA,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree, 0_2_000D1ECF
PE file contains sections with non-standard names
Source: sample4.exe Static PE information: section name: .giats
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_002496F8 push ecx; ret 0_2_0024970B
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_00249856 push ecx; ret 0_2_00249869

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_000D18E0 SwitchToThread,__aulldiv, 0_2_000D18E0
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_000D18E0 rdtsc 0_2_000D18E0
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\sample4.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\sample4.exe API coverage: 8.6 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\sample4.exe TID: 1180 Thread sleep time: -150000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\sample4.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_00125BE6 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose, 0_2_00125BE6
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_00116FA9 GetEnvironmentVariableW,GetSystemInfo,FindFirstChangeNotificationW,GetEnvironmentVariableW, 0_2_00116FA9
Source: WerFault.exe, 00000011.00000002.378751405.0000000004C30000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.400669986.0000000002C90000.00000002.00000001.sdmp, WerFault.exe, 00000019.00000002.423433375.0000000004FA0000.00000002.00000001.sdmp, WerFault.exe, 00000020.00000002.447854535.0000000005A10000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.469042458.0000000005470000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000011.00000002.378751405.0000000004C30000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.400669986.0000000002C90000.00000002.00000001.sdmp, WerFault.exe, 00000019.00000002.423433375.0000000004FA0000.00000002.00000001.sdmp, WerFault.exe, 00000020.00000002.447854535.0000000005A10000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.469042458.0000000005470000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000011.00000002.378751405.0000000004C30000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.400669986.0000000002C90000.00000002.00000001.sdmp, WerFault.exe, 00000019.00000002.423433375.0000000004FA0000.00000002.00000001.sdmp, WerFault.exe, 00000020.00000002.447854535.0000000005A10000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.469042458.0000000005470000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000011.00000002.378751405.0000000004C30000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.400669986.0000000002C90000.00000002.00000001.sdmp, WerFault.exe, 00000019.00000002.423433375.0000000004FA0000.00000002.00000001.sdmp, WerFault.exe, 00000020.00000002.447854535.0000000005A10000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.469042458.0000000005470000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\sample4.exe API call chain: ExitProcess graph end node

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\sample4.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_000D18E0 rdtsc 0_2_000D18E0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_0024F646 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0024F646
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_001183DE OutputDebugStringA,GetLastError, 0_2_001183DE
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_000D1ECF wsprintfW,LoadLibraryA,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree, 0_2_000D1ECF
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_0025D81F mov eax, dword ptr fs:[00000030h] 0_2_0025D81F
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_00259EEC mov eax, dword ptr fs:[00000030h] 0_2_00259EEC
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_0028FB73 mov eax, dword ptr fs:[00000030h] 0_2_0028FB73
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_0028FB73 mov eax, dword ptr fs:[00000030h] 0_2_0028FB73
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_0028F73F push dword ptr fs:[00000030h] 0_2_0028F73F
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_013004FD mov eax, dword ptr fs:[00000030h] 0_2_013004FD
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_013004FD mov eax, dword ptr fs:[00000030h] 0_2_013004FD
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_013000C9 push dword ptr fs:[00000030h] 0_2_013000C9
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_000D121E GetCommandLineA,StrStrIA,StrToIntA,GetTempPathA,wsprintfA,GetProcessHeap,HeapFree, 0_2_000D121E
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_0024F646 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0024F646
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_002498CA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_002498CA
Source: sample4.exe, 00000000.00000002.572528127.0000000001CB0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: sample4.exe, 00000000.00000002.572528127.0000000001CB0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: sample4.exe, 00000000.00000002.572528127.0000000001CB0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: sample4.exe, 00000000.00000002.572528127.0000000001CB0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_000D18E0 cpuid 0_2_000D18E0
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_000D1DD9 wsprintfW,GetComputerNameExA,GetUserNameA,wsprintfW,wsprintfW,wsprintfW, 0_2_000D1DD9
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_0025BCE8 GetTimeZoneInformation, 0_2_0025BCE8
Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_00131386 RegisterClipboardFormatW,RegisterClipboardFormatW,RegisterClipboardFormatW,RegisterClipboardFormatW,RegisterClipboardFormatW,RegisterClipboardFormatW,SendMessageW,__EH_prolog3_GS,GetVersionExW,_wcschr, 0_2_00131386

Stealing of Sensitive Information:

Yara detected IcedID
Source: Yara match File source: Process Memory Space: sample4.exe PID: 2100, type: MEMORY
Yara detected IcedID
Source: Yara match File source: 00000000.00000003.362692606.0000000001320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.sample4.exe.d0000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected IcedID
Source: Yara match File source: Process Memory Space: sample4.exe PID: 2100, type: MEMORY
Yara detected IcedID
Source: Yara match File source: 00000000.00000003.362692606.0000000001320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.sample4.exe.d0000.0.unpack, type: UNPACKEDPE

Behavior Graph:

[Behavior graph image omitted] Behavior Graph ID: 339451, Sample: sample4.bin, Start date: 14/01/2021, Architecture: WINDOWS, Score: 100
Nodes recoverable from the graph: sample4.exe started; contacted g.msn.com, gegemony4you.top, s.twitter.com (104.244.42.131, port 443, source port 49761, TWITTERUS, United States) and 7 other IPs or domains; spawned WerFault.exe (3 shown plus 2 other processes), each dropping C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
Signatures shown on the graph: Multi AV Scanner detection for domain / URL; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Contains functionality to detect hardware virtualization (CPUID execution measurement)

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
104.244.42.131 unknown United States 13414 TWITTERUS false

Private IPs

IP
192.168.2.1

Contacted Domains

Name IP Active
s.twitter.com 104.244.42.131 true
support.oracle.com unknown unknown
www.oracle.com unknown unknown
g.msn.com unknown unknown
help.twitter.com unknown unknown
www.intel.com unknown unknown
gegemony4you.top unknown unknown
www.intel.ch unknown unknown
corpredirect.intel.com unknown unknown