Analysis Report sample4.bin

Overview

General Information

Sample Name: sample4.bin (renamed file extension from bin to exe)
Analysis ID: 339451
MD5: 5009b8bcf024704c8b23e42c492f118c
SHA1: df607367a88b5610a224909efb8debeb0d90f487
SHA256: 30f099660904079afcd445409cfd2eca735fab49dda522f03ed60d47f9f21bdc

Detection

IcedID
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected IcedID
Yara detected IcedID
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • sample4.exe (PID: 2100 cmdline: 'C:\Users\user\Desktop\sample4.exe' MD5: 5009B8BCF024704C8B23E42C492F118C)
    • WerFault.exe (PID: 1488 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 768 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5920 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 804 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 620 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 896 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5008 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 924 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5764 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1224 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.362692606.0000000001320000.00000040.00000001.sdmp | JoeSecurity_IcedID_3 | Yara detected IcedID | Joe Security |
00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp | JoeSecurity_IcedID_3 | Yara detected IcedID | Joe Security |
Process Memory Space: sample4.exe PID: 2100 | JoeSecurity_IcedID_1 | Yara detected IcedID | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.sample4.exe.d0000.0.unpack | JoeSecurity_IcedID_3 | Yara detected IcedID | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: sample4.exe, Avira: detected
Multi AV Scanner detection for domain / URL
Source: gegemony4you.top, Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: sample4.exe, Virustotal: Detection: 77%
Source: sample4.exe, ReversingLabs: Detection: 79%
Yara detected IcedID
Source: Yara match, File source: Process Memory Space: sample4.exe PID: 2100, type: MEMORY
Yara detected IcedID
Source: Yara match, File source: 00000000.00000003.362692606.0000000001320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0.2.sample4.exe.d0000.0.unpack, type: UNPACKEDPE

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\sample4.exe, Unpacked PE file: 0.2.sample4.exe.d0000.0.unpack
Source: sample4.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown, HTTPS traffic detected: 104.244.42.131:443 -> 192.168.2.3:49761 version: TLS 1.2
Source: sample4.exe, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Schoolwheel\Commontie\hithere\anyhit\Subtractmountain\TakeLand\Whilecardstone.pdb source: sample4.exe
          Source: Binary string: propsys.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
          Source: Binary string: webio.pdbr source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
          Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
          Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
          Source: Binary string: wUxTheme.pdb: source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
          Source: Binary string: cfgmgr32.pdb^ source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
          Source: Binary string: fltLib.pdbX source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
          Source: Binary string: msasn1.pdb_ source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
          Source: Binary string: cfgmgr32.pdbF source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
          Source: Binary string: powrprof.pdbj source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
          Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
          Source: Binary string: webio.pdb< source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
          Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
          Source: Binary string: ws2_32.pdb0 source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
          Source: Binary string: combase.pdbk source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
          Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
          Source: Binary string: ws2_32.pdb9 source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
          Source: Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
          Source: Binary string: crypt32.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
          Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_00125BE6 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,0_2_00125BE6
          Source: Joe Sandbox View IP Address: 104.244.42.131
          Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
          Source: unknown DNS traffic detected: queries for: g.msn.com
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/managing-your-account#suspended-accounts
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/managing-your-account#username-email-and-phone
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/managing-your-account#verified-accounts
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/managing-your-account/forgotten-or-lost-password-reset
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/managing-your-account/how-to-add-a-phone-number-to-your-account
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/managing-your-account/notifications-on-mobile-devices
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/new-user-faq
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/rules
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/rules-and-policies
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/rules-and-policies#general-policies
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/rules-and-policies#law-enforcement-guildelines
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/rules-and-policies#research-and-experiments
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/rules-and-policies#twitter-rules
          Source: sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/rules-and-policies/twitter-cookies
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/rules-and-policies/twitter-rules
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/safety-and-security
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/safety-and-security#abuse
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/safety-and-security#ads-and-data-privacy
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/safety-and-security#hacked-account
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/safety-and-security#sensitive-content
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/safety-and-security#spam-and-fake-accounts
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/safety-and-security/account-security-tips
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/safety-and-security/control-your-twitter-experience
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/safety-and-security/how-to-make-twitter-private-and-public
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/twitter-guide
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/using-twitter
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/using-twitter#adding-content-to-your-tweet
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/using-twitter#blocking-and-muting
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/using-twitter#direct-messages
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/using-twitter#fleets
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/using-twitter#following-people-and-groups
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/using-twitter#search-and-trends
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/using-twitter#tweets
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/using-twitter#twitter-on-your-device
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/using-twitter#twitter-voices
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/using-twitter#using-periscope
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/using-twitter#website-and-app-integrations
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/using-twitter/advanced-twitter-mute-options
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/using-twitter/direct-messages
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/using-twitter/mentions-and-replies
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/using-twitter/tweeting-gifs-and-pictures
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/en/using-twitter/twitter-videos
          Source: sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/es
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/fa
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/fi
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/fil
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/fr
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/gu
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/he
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/hi
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/hr
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/hu
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/id
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/it
          Source: sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/ja
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/kn
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/ko
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/mr
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/ms
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/nl
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/no
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/pl
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/pt
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/ro
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/ru
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/rules-and-policies/twitter-cookies
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/sk
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/sr
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/sv
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/ta
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/th
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/tr
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/uk
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/vi
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/zh-cn
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmpString found in binary or memory: https://help.twitter.com/zh-tw
          Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
          Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sOli
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://investor.twitterinc.com/
          Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmpString found in binary or memory: https://km.support.apple.com/etc/designs/support/publish/commons.min.js
          Source: sample4.exe, 00000000.00000002.577897876.0000000003C04000.00000004.00000001.sdmpString found in binary or memory: https://locate.apple.com/
          Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0
          Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/logout.srf?ct=1610593513
          Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0
          Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmpString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?response_mode=form_post
          Source: sample4.exe, 00000000.00000003.530694107.0000000001521000.00000004.00000001.sdmpString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?response_mode=form_post&amp;response_type=
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://marketing.twitter.com/
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://marketing.twitter.com/en/insights
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://marketing.twitter.com/en/success-stories
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://media.twitter.com/
          Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmpString found in binary or memory: https://office.com/start
          Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/about/en-us/
          Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmpString found in binary or memory: https://osiprodweuodcspstoa01.blob.core.windows.net
          Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmpString found in binary or memory: https://outlook.live.com/owa/
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://pbs.twimg.com/tweet_video_thumb/EAa_YvRU4AAH-IN.jpg:large
          Source: sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmpString found in binary or memory: https://platform.twitter.com/widgets.js
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://privacy.twitter.com/
          Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmpString found in binary or memory: https://products.office.com/en-us/academic/compare-office-365-education-plans
          Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmpString found in binary or memory: https://resources.digital-cloud-prem.medallia.com
          Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmpString found in binary or memory: https://s1259914507.t.eloqua.com
          Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmpString found in binary or memory: https://schema.org
          Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmpString found in binary or memory: https://static.ads-twitter.com
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://status.twitterstat.us/
          Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmpString found in binary or memory: https://support.apple.com/
          Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmpString found in binary or memory: https://support.apple.com/#organization
          Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmpString found in binary or memory: https://support.apple.com/ar-jo
          Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmpString found in binary or memory: https://support.apple.com/de-de
          Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmpString found in binary or memory: https://support.apple.com/en-ae
          Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmpString found in binary or memory: https://support.apple.com/en-eg
          Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmpString found in binary or memory: https://support.apple.com/en-me
          Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmpString found in binary or memory: https://support.apple.com/fr-ci
          Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmpString found in binary or memory: https://support.apple.com/fr-gq
          Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmpString found in binary or memory: https://support.apple.com/pt-pt
          Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmpString found in binary or memory: https://support.apple.com/ro-ro
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmpString found in binary or memory: https://support.twitter.com/forms/get_help_now
          Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmpString found in binary or memory: https://support.xbox.com
          Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmpString found in binary or memory: https://support.xbox.com/
          Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmpString found in binary or memory: https://syndication.twitter.com
          Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmpString found in binary or memory: https://templates.office.com/
          Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmpString found in binary or memory: https://templates.office.com/collection-family-activities
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://transparency.twitter.com/
          Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com
          Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/
          Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/AppleSupport
          Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/applesupport
          Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/i/csp_report;
          Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/i/jot
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/intent/follow?user_id=17874544&screen_name=TwitterSupport
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/login?redirect_after_login=https://help.twitter.com/en
          Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/logout
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/privacy
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/signup
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/tos
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://twittercommunity.com/
          Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmpString found in binary or memory: https://udc-neb.kampyle.com/
          Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://video.twimg.com/tweet_video/EAa_YvRU4AAH-IN.mp4
          Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.545246856.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://www.apple.com
          Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmpString found in binary or memory: https://www.apple.com/
          Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmpString found in binary or memory: https://www.apple.com/#organization
          Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmpString found in binary or memory: https://www.apple.com/certificateauthority/public/.0
          Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmpString found in binary or memory: https://www.apple.com/certificateauthority/public/0
          Source: sample4.exe, 00000000.00000003.545246856.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://www.apple.com/ipad/
          Source: sample4.exe, 00000000.00000003.545246856.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://www.apple.com/iphone/
          Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmpString found in binary or memory: https://www.apple.com/legal/internet-services/terms/site.html
          Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmpString found in binary or memory: https://www.apple.com/legal/privacy/en-ww/
          Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmpString found in binary or memory: https://www.apple.com/legal/sla/
          Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmpString found in binary or memory: https://www.apple.com/legal/warranty/
          Source: sample4.exe, 00000000.00000003.545246856.0000000003C01000.00000004.00000001.sdmpString found in binary or memory: https://www.apple.com/mac/
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
          Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
          Source: unknown HTTPS traffic detected: 104.244.42.131:443 -> 192.168.2.3:49761 version: TLS 1.2
          Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_0012D175 GetPropW,GlobalFix,SendMessageW,GlobalUnWire,RemovePropW,GlobalFree,GlobalUnWire,GetAsyncKeyState,SendMessageW,0_2_0012D175

          E-Banking Fraud:

          Yara detected IcedID
          Source: Yara match File source: Process Memory Space: sample4.exe PID: 2100, type: MEMORY
          Yara detected IcedID
          Source: Yara match File source: 00000000.00000003.362692606.0000000001320000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 0.2.sample4.exe.d0000.0.unpack, type: UNPACKEDPE
          Source: C:\Users\user\Desktop\sample4.exe Process Stats: CPU usage > 98%
          Source: C:\Users\user\Desktop\sample4.exe Code function: String function: 0024972F appears 62 times
          Source: C:\Users\user\Desktop\sample4.exe Code function: String function: 00249810 appears 35 times
          Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 768
          Source: sample4.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: sample4.exe, 00000000.00000002.568529716.0000000001370000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs sample4.exe
          Source: sample4.exe, 00000000.00000002.567097557.00000000002C4000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamearra.exe` vs sample4.exe
          Source: sample4.exe Binary or memory string: OriginalFilenamearra.exe` vs sample4.exe
          Source: sample4.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: classification engine Classification label: mal100.troj.evad.winEXE@6/20@8/2
          Source: C:\Users\user\Desktop\sample4.exe Code function: 0_2_0012D0B0 FindResourceW,LoadResource,LockResource,GlobalFree,0_2_0012D0B0
          Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2100
          Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERABCC.tmp
          Source: sample4.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\sample4.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\sample4.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: sample4.exe Virustotal: Detection: 77%
          Source: sample4.exe ReversingLabs: Detection: 79%
          Source: unknown Process created: C:\Users\user\Desktop\sample4.exe 'C:\Users\user\Desktop\sample4.exe'
          Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 768
          Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 804
          Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 896
          Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 924
          Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1224
          Source: sample4.exe Static PE information: Virtual size of .text is bigger than: 0x100000
          Source: sample4.exe Static file information: File size 2136576 > 1048576
          Source: sample4.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1b0400
          Source: sample4.exe Static PE information: More than 200 imports for USER32.dll
          Source: sample4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: sample4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: sample4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: sample4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: sample4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: sample4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: sample4.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: sample4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG