Play interactive tour

Edit tour

Analysis Report sample4.bin

Overview

General Information

Sample Name:	sample4.bin (renamed file extension from bin to exe)
Analysis ID:	339451
MD5:	5009b8bcf024704c8b23e42c492f118c
SHA1:	df607367a88b5610a224909efb8debeb0d90f487
SHA256:	30f099660904079afcd445409cfd2eca735fab49dda522f03ed60d47f9f21bdc
Most interesting Screenshot:

Detection

IcedID

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected IcedID

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains sections with non-standard names

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

sample4.exe (PID: 2100 cmdline: 'C:\Users\user\Desktop\sample4.exe' MD5: 5009B8BCF024704C8B23E42C492F118C)

WerFault.exe (PID: 1488 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 768 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 5920 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 804 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 620 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 896 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 5008 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 924 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 5764 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1224 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.362692606.0000000001320000.00000040.00000001.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security
Process Memory Space: sample4.exe PID: 2100	JoeSecurity_IcedID_1	Yara detected IcedID	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.sample4.exe.d0000.0.unpack	JoeSecurity_IcedID_3	Yara detected IcedID	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: sample4.exe

Avira: detected

Multi AV Scanner detection for domain / URL

Show sources

Source: gegemony4you.top

Virustotal: Detection: 6%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: sample4.exe	Virustotal: Detection: 77%			Perma Link
Source: sample4.exe	ReversingLabs: Detection: 79%

Yara detected IcedID

Show sources

Source: Yara match

File source: Process Memory Space: sample4.exe PID: 2100, type: MEMORY

Yara detected IcedID

Show sources

Source: Yara match	File source: 00000000.00000003.362692606.0000000001320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.sample4.exe.d0000.0.unpack, type: UNPACKEDPE

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\sample4.exe

Unpacked PE file: 0.2.sample4.exe.d0000.0.unpack

Source: sample4.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown

HTTPS traffic detected: 104.244.42.131:443 -> 192.168.2.3:49761 version: TLS 1.2

Source: sample4.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: msvcrt.pdbk source: WerFault.exe, 00000011.00000003.373483424.0000000004FC2000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbT source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb6 source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb7 source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: mskeyprotect.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.373483424.0000000004FC2000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb) source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416219741.00000000052E6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441846238.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb? source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdbf source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: schannel.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: rasadhlp.pdbt source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb- source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb, source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdbx source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdbl source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: comdlg32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb\| source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000011.00000003.373534997.0000000004FD3000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391511057.0000000004C84000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: webio.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: oleacc.pdb1 source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb7 source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdbH source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb# source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416219741.00000000052E6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441846238.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb~ source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source:	Binary string: msimg32.pdbT source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb1 source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb/ source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: ncrypt.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdbk source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416219741.00000000052E6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441846238.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb) source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb/ source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb& source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb` source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: oleacc.pdb^ source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb" source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: ncryptsslp.pdb= source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: c:\Schoolwheel\Commontie\hithere\anyhit\Subtractmountain\TakeLand\Whilecardstone.pdb source: sample4.exe
Source:	Binary string: nsi.pdb_ source: WerFault.exe, 00000011.00000003.373534997.0000000004FD3000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391511057.0000000004C84000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdbh source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdb; source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416219741.00000000052E6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441846238.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: oleacc.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb; source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdbJ source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb# source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdbZ source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: mskeyprotect.pdb_ source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb5 source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb- source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb% source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: msimg32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: ntasn1.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdbF source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb, source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp
Source:	Binary string: upwntdll.pdb source: WerFault.exe, 00000011.00000003.368397809.0000000004C0E000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.385905313.0000000004A4D000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.409232348.0000000002FAA000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.436877307.00000000051E4000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb# source: WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp
Source:	Binary string: gdiplus.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb@ source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000011.00000003.368794303.0000000003011000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.385888353.0000000002BCD000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbv source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdbR source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: webio.pdbr source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: ncryptsslp.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb: source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb^ source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbX source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb_ source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbF source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdbj source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: webio.pdb< source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb0 source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbk source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb9 source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_00125BE6 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,

Source: Joe Sandbox View

IP Address: 104.244.42.131 104.244.42.131

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: <a class="ac-gf-directory-column-section-link analytics-exitlink" data-analytics-event="link.click" data-analytics-link-component_type="Simple List" data-analytics-link-component_name="Apple Support Videos" data-analytics-link-url="https://www.youtube.com/applesupport" href="https://www.youtube.com/applesupport" rel="nofollow">Apple Support Videos</a></li> equals www.youtube.com (Youtube)
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: <a class="as-social-channel-link analytics-exitlink" data-analytics-event="link.component_click" data-analytics-link-component_type="Social Channel" data-analytics-link-component_name="Visit @AppleSupport on Twitter" data-analytics-link-url="https://twitter.com/AppleSupport" href="https://twitter.com/AppleSupport"><img src="/content/dam/edam/applecare/images/en_US/more_icons/social-icon-twitter.png" alt="Visit @AppleSupport on Twitter" width="32" class="as-social-channel-img" height="32"></a><a class="as-social-channel-link analytics-exitlink" data-analytics-event="link.component_click" data-analytics-link-component_type="Social Channel" data-analytics-link-component_name="Visit Apple Support on YouTube" data-analytics-link-url="https://www.youtube.com/applesupport" href="https://www.youtube.com/applesupport" rel="nofollow"><img src="/content/dam/edam/applecare/images/en_US/more_icons/social-icon-youtube.png" alt="Visit Apple Support on YouTube" width="32" class="as-social-channel-img" height="32"></a></div> equals www.twitter.com (Twitter)
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: <a class="as-social-channel-link analytics-exitlink" data-analytics-event="link.component_click" data-analytics-link-component_type="Social Channel" data-analytics-link-component_name="Visit @AppleSupport on Twitter" data-analytics-link-url="https://twitter.com/AppleSupport" href="https://twitter.com/AppleSupport"><img src="/content/dam/edam/applecare/images/en_US/more_icons/social-icon-twitter.png" alt="Visit @AppleSupport on Twitter" width="32" class="as-social-channel-img" height="32"></a><a class="as-social-channel-link analytics-exitlink" data-analytics-event="link.component_click" data-analytics-link-component_type="Social Channel" data-analytics-link-component_name="Visit Apple Support on YouTube" data-analytics-link-url="https://www.youtube.com/applesupport" href="https://www.youtube.com/applesupport" rel="nofollow"><img src="/content/dam/edam/applecare/images/en_US/more_icons/social-icon-youtube.png" alt="Visit Apple Support on YouTube" width="32" class="as-social-channel-img" height="32"></a></div> equals www.youtube.com (Youtube)
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: "https://www.youtube.com/applesupport", equals www.youtube.com (Youtube)
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: ccontent-security-policy: default-src 'self' ; connect-src 'self' https://api.twitter.com https://syndication.twitter.com https://www.google-analytics.com https://.tt.omtrdc.net https://s1259914507.t.eloqua.com https://resources.digital-cloud-prem.medallia.com https://udc-neb.kampyle.com/ https://feedback.digital-cloud-prem.medallia.com; font-src 'self' https://.twimg.com https://.twitter.com https://cdn.cms-twdigitalassets.com data:; frame-src 'self' https://twitter.com https://.twitter.com; img-src 'self' https://.twimg.com https://.twitter.com https://www.google-analytics.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com https://twitter.com/i/jot https://udc-neb.kampyle.com/ data:; media-src 'self' https://.twimg.com https://.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; object-src 'self' ; script-src 'self' 'sha256-ppW1Vv+qSVcs+/pIj1ZXvMiCLoyHyCdRqtDMeK9fQ9w=' https://.twitter.com https://static.ads-twitter.com 'nonce-4f455c5f4ddc2e0bfe34643ab6a64d2'; style-src 'self' 'unsafe-inline' https://.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; report-uri https://twitter.com/i/csp_report; frame-ancestors 'self' equals www.twitter.com (Twitter)
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: content-security-policy: default-src 'self' ; connect-src 'self' https://api.twitter.com https://syndication.twitter.com https://www.google-analytics.com https://.tt.omtrdc.net https://s1259914507.t.eloqua.com https://resources.digital-cloud-prem.medallia.com https://udc-neb.kampyle.com/ https://feedback.digital-cloud-prem.medallia.com; font-src 'self' https://.twimg.com https://.twitter.com https://cdn.cms-twdigitalassets.com data:; frame-src 'self' https://twitter.com https://.twitter.com; img-src 'self' https://.twimg.com https://.twitter.com https://www.google-analytics.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com https://twitter.com/i/jot https://udc-neb.kampyle.com/ data:; media-src 'self' https://.twimg.com https://.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; object-src 'self' ; script-src 'self' 'sha256-ppW1Vv+qSVcs+/pIj1ZXvMiCLoyHyCdRqtDMeK9fQ9w=' https://.twitter.com https://static.ads-twitter.com 'nonce-4f455c5f4ddc2e0bfe34643ab6a64d2'; style-src 'self' 'unsafe-inline' https://.twimg.com https://*.twitter.com https://cdn.cms-twdigita equals www.twitter.com (Twitter)
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: content-security-policy: default-src 'self' ; connect-src 'self' https://api.twitter.com https://syndication.twitter.com https://www.google-analytics.com https://.tt.omtrdc.net https://s1259914507.t.eloqua.com https://resources.digital-cloud-prem.medallia.com https://udc-neb.kampyle.com/ https://feedback.digital-cloud-prem.medallia.com; font-src 'self' https://.twimg.com https://.twitter.com https://cdn.cms-twdigitalassets.com data:; frame-src 'self' https://twitter.com https://.twitter.com; img-src 'self' https://.twimg.com https://.twitter.com https://www.google-analytics.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com https://twitter.com/i/jot https://udc-neb.kampyle.com/ data:; media-src 'self' https://.twimg.com https://.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; object-src 'self' ; script-src 'self' 'sha256-ppW1Vv+qSVcs+/pIj1ZXvMiCLoyHyCdRqtDMeK9fQ9w=' https://.twitter.com https://static.ads-twitter.com 'nonce-4f455c5f4ddc2e0bfe34643ab6a64d2'; style-src 'self' 'unsafe-inline' https://.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; report-uri https://twitter.com/i/csp_report; frame-ancestors 'self' equals www.twitter.com (Twitter)
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: content-security-policy: default-src 'self' ; connect-src 'self' https://api.twitter.com https://syndication.twitter.com https://www.google-analytics.com https://.tt.omtrdc.net https://s1259914507.t.eloqua.com https://resources.digital-cloud-prem.medallia.com https://udc-neb.kampyle.com/ https://feedback.digital-cloud-prem.medallia.com; font-src 'self' https://.twimg.com https://.twitter.com https://cdn.cms-twdigitalassets.com data:; frame-src 'self' https://twitter.com https://.twitter.com; img-src 'self' https://.twimg.com https://.twitter.com https://www.google-analytics.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com https://twitter.com/i/jot https://udc-neb.kampyle.com/ data:; media-src 'self' https://.twimg.com https://.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; object-src 'self' ; script-src 'self' 'sha256-ppW1Vv+qSVcs+/pIj1ZXvMiCLoyHyCdRqtDMeK9fQ9w=' https://.twitter.com https://static.ads-twitter.com 'nonce-66a7b38d8dab6de95efafad032bbc48'; style-src 'self' 'unsafe-inline' https://.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; report-uri https://twitter.com/i/csp_report; frame-ancestors 'self' equals www.twitter.com (Twitter)
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: default-src 'self' ; connect-src 'self' https://api.twitter.com https://syndication.twitter.com https://www.google-analytics.com https://.tt.omtrdc.net https://s1259914507.t.eloqua.com https://resources.digital-cloud-prem.medallia.com https://udc-neb.kampyle.com/ https://feedback.digital-cloud-prem.medallia.com; font-src 'self' https://.twimg.com https://.twitter.com https://cdn.cms-twdigitalassets.com data:; frame-src 'self' https://twitter.com https://.twitter.com; img-src 'self' https://.twimg.com https://.twitter.com https://www.google-analytics.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com https://twitter.com/i/jot https://udc-neb.kampyle.com/ data:; media-src 'self' https://.twimg.com https://.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; object-src 'self' ; script-src 'self' 'sha256-ppW1Vv+qSVcs+/pIj1ZXvMiCLoyHyCdRqtDMeK9fQ9w=' https://.twitter.com https://static.ads-twitter.com 'nonce-4f455c5f4ddc2e0bfe34643ab6a64d2'; style-src 'self' 'unsafe-inline' https://.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; report-uri https://twitter.com/i/csp_report; frame-ancestors 'self' equals www.twitter.com (Twitter)
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: x-response-time106x-frame-optionsSAMEORIGINx-connection-hash395ee1170928cc07d57c2eb030caea0fstrict-transport-securitymax-age=631138519content-security-policydefault-src 'self' ; connect-src 'self' https://api.twitter.com https://syndication.twitter.com https://www.google-analytics.com https://.tt.omtrdc.net https://s1259914507.t.eloqua.com https://resources.digital-cloud-prem.medallia.com https://udc-neb.kampyle.com/ https://feedback.digital-cloud-prem.medallia.com; font-src 'self' https://.twimg.com https://.twitter.com https://cdn.cms-twdigitalassets.com data:; frame-src 'self' https://twitter.com https://.twitter.com; img-src 'self' https://.twimg.com https://.twitter.com https://www.google-analytics.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com https://twitter.com/i/jot https://udc-neb.kampyle.com/ data:; media-src 'self' https://.twimg.com https://.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; object-src 'self' ; script-src 'self' 'sha256-ppW1Vv+qSVcs+/pIj1ZXvMiCLoyHyCdRqtDMeK9fQ9w=' https://.twitter.com https://static.ads-twitter.com 'nonce-4f455c5f4ddc2e0bfe34643ab6a64d2'; style-src 'self' 'unsafe-inline' https://.twimg.com https://*.twitter.com https://cdn.cms-twdigitalassets.com https://cdn.goglobalwithtwitter.com; report-uri https://twitter.com/i/csp_report; frame-ancestors 'self'Persistent-AuthWWW-AuthenticateCookie,X-Twitter-Internal,X-Twitter-IP-TagsVarycms-csp-nonce=4f455c5f4ddc2e0bfe34643ab6a64d2; Max-Age=15; Expires=Thu, 14 Jan 2021 03:05:33 GMT; Path=/; Securect0=7258d2ba7a6c2d02c3400c3a2bdda373; Max-Age=21600; Expires=Thu, 14 Jan 2021 09:05:18 GMT; Path=/; Domain=.twitter.com; Secureguest_id=v1%3A161059351865331646; Max-Age=63072000; Expires=Sat, 14 Jan 2023 03:05:18 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=Nonepersonalization_id="v1_SvL+XoOy6IEEqs+XhRe5GQ=="; Max-Age=63072000; Expires=Sat, 14 Jan 2023 03:05:18 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=NoneSet-Cookietsa_oServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocation"2ad86-5b8cc985f752d"ETagAuthentication-Info29766AgebytesAccept-RangesWed, 13 Jan 2021 18:49:12 GMTLast-ModifiedThu, 14 Jan 2021 03:15:18 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingapplication/javascriptContent-Type175494Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 14 Jan 2021 03:05:18 GMTDateProxy-ConnectionConnectionmax-age=600Cache-Controlp equals www.twitter.com (Twitter)

Source: unknown

DNS traffic detected: queries for: g.msn.com

Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: http://certs.apple.com/apevsrsa2g1.der06
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: http://crl.apple.com/apevsrsa2g1.crl0
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.apple.com/ocsp03-apevsrsa2g1010
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0K
Source: sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: http://ogp.me/ns#
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org/
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org/Organization
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org/VideoObject
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: http://www.apple.com/support/products/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://about.twitter.com/en_us/company.html
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://about.twitter.com/en_us/company/brand-resources.html
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://about.twitter.com/en_us/company/twitter-for-good.html
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://about.twitter.com/en_us/safety.html
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://abs.twimg.com/favicons/favicon.ico
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://api.twitter.com
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://apps.apple.com/app/apple-store/id1130498044?pt=2003&ct=support.footer&mt=8
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://apps.apple.com/app/apple-store/id1130498044?pt=2003&ct=support.footer&mt=8
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.3.1.js
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://blog.twitter.com/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://blog.twitter.com/developer/
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://blog.twitter.com/en_us/topics/company/2020/allyship-right-now-black-lives-matter.html
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://blog.twitter.com/en_us/topics/company/2020/covid-19.html
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://blog.twitter.com/engineering/en_us.html
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://business.twitter.com/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://business.twitter.com/en/advertising.html
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://business.twitter.com/en/help.html
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://business.twitter.com/en/resources.html
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://c3web.trafficmanager.net/topic/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://cards-dev.twitter.com/validator
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://careers.twitter.com/
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.cms-twdigita
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.cms-twdigitalassets.com
Source: sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.cms-twdigitalassets.com/content/dam/help-twitter/logos/card_wide_blue.png
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.goglobalwithtwitter.com
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.goglobalwithtwitter.com;
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://channel9.msdn.com/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://data.twitter.com/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://developer.twitter.com/en
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://developer.twitter.com/en/community
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://developer.twitter.com/en/docs
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://developer.twitter.com/en/more/developer-terms
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://discussions.apple.com
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://eus-streaming-video-rt-microsoft-com.akamaized.net/51e203bd-a709-4164-8298-4679bd089499/7681
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://feedback.digital-cloud-prem.medallia.com;
Source: sample4.exe, 00000000.00000002.577897876.0000000003C04000.00000004.00000001.sdmp	String found in binary or memory: https://getsupport.apple.com/?caller=home&PRKEYS=
Source: sample4.exe, 00000000.00000002.577897876.0000000003C04000.00000004.00000001.sdmp	String found in binary or memory: https://getsupport.apple.com/?caller=home&PRKEYS=
Source: sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/ar
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/bg
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/bn
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/ca
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/contact-us
Source: sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/content/dam/help-twitter/brand/logo.png
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/cs
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/da
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/de
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/el
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/a-safer-twitter
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/contact-us
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/glossary
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/how-you-can-control-your-privacy
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/managing-your-account
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/managing-your-account#account-settings
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/managing-your-account#deactivate-and-reactivate-accounts
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/managing-your-account#login-and-password
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/managing-your-account#notifications
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/managing-your-account#suspended-accounts
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/managing-your-account#username-email-and-phone
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/managing-your-account#verified-accounts
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/managing-your-account/forgotten-or-lost-password-reset
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/managing-your-account/how-to-add-a-phone-number-to-your-account
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/managing-your-account/notifications-on-mobile-devices
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/new-user-faq
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/rules
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/rules-and-policies
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/rules-and-policies#general-policies
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/rules-and-policies#law-enforcement-guildelines
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/rules-and-policies#research-and-experiments
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/rules-and-policies#twitter-rules
Source: sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/rules-and-policies/twitter-cookies
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/rules-and-policies/twitter-rules
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/safety-and-security
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/safety-and-security#abuse
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/safety-and-security#ads-and-data-privacy
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/safety-and-security#hacked-account
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/safety-and-security#sensitive-content
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/safety-and-security#spam-and-fake-accounts
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/safety-and-security/account-security-tips
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/safety-and-security/control-your-twitter-experience
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/safety-and-security/how-to-make-twitter-private-and-public
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/twitter-guide
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter#adding-content-to-your-tweet
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter#blocking-and-muting
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter#direct-messages
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter#fleets
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter#following-people-and-groups
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter#search-and-trends
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter#tweets
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter#twitter-on-your-device
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter#twitter-voices
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter#using-periscope
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter#website-and-app-integrations
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter/advanced-twitter-mute-options
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter/direct-messages
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter/mentions-and-replies
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter/tweeting-gifs-and-pictures
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/en/using-twitter/twitter-videos
Source: sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/es
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/fa
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/fi
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/fil
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/fr
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/gu
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/he
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/hi
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/hr
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/hu
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/id
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/it
Source: sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/ja
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/kn
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/ko
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/mr
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/ms
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/nl
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/no
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/pl
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/pt
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/ro
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/ru
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/rules-and-policies/twitter-cookies
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/sk
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/sr
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/sv
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/ta
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/th
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/tr
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/uk
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/vi
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/zh-cn
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://help.twitter.com/zh-tw
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sOli
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://investor.twitterinc.com/
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://km.support.apple.com/etc/designs/support/publish/commons.min.js
Source: sample4.exe, 00000000.00000002.577897876.0000000003C04000.00000004.00000001.sdmp	String found in binary or memory: https://locate.apple.com/
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/logout.srf?ct=1610593513
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?response_mode=form_post
Source: sample4.exe, 00000000.00000003.530694107.0000000001521000.00000004.00000001.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?response_mode=form_post&response_type=
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://marketing.twitter.com/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://marketing.twitter.com/en/insights
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://marketing.twitter.com/en/success-stories
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://media.twitter.com/
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://office.com/start
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://onedrive.live.com/about/en-us/
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://osiprodweuodcspstoa01.blob.core.windows.net
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.live.com/owa/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://pbs.twimg.com/tweet_video_thumb/EAa_YvRU4AAH-IN.jpg:large
Source: sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://platform.twitter.com/widgets.js
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://privacy.twitter.com/
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://products.office.com/en-us/academic/compare-office-365-education-plans
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://resources.digital-cloud-prem.medallia.com
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://s1259914507.t.eloqua.com
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://schema.org
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://static.ads-twitter.com
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://status.twitterstat.us/
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://support.apple.com/
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://support.apple.com/#organization
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: https://support.apple.com/ar-jo
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: https://support.apple.com/de-de
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: https://support.apple.com/en-ae
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: https://support.apple.com/en-eg
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: https://support.apple.com/en-me
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: https://support.apple.com/fr-ci
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: https://support.apple.com/fr-gq
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: https://support.apple.com/pt-pt
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: https://support.apple.com/ro-ro
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://support.twitter.com/forms/get_help_now
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://support.xbox.com
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://support.xbox.com/
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://syndication.twitter.com
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://templates.office.com/
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://templates.office.com/collection-family-activities
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://transparency.twitter.com/
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/AppleSupport
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/applesupport
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/i/csp_report;
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/i/jot
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/intent/follow?user_id=17874544&screen_name=TwitterSupport
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/login?redirect_after_login=https://help.twitter.com/en
Source: sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/logout
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/privacy
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/signup
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/tos
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://twittercommunity.com/
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://udc-neb.kampyle.com/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://video.twimg.com/tweet_video/EAa_YvRU4AAH-IN.mp4
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.545246856.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/#organization
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: https://www.apple.com/certificateauthority/public/.0
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: https://www.apple.com/certificateauthority/public/0
Source: sample4.exe, 00000000.00000003.545246856.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/ipad/
Source: sample4.exe, 00000000.00000003.545246856.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/iphone/
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/legal/internet-services/terms/site.html
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/legal/privacy/en-ww/
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/legal/sla/
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/legal/warranty/
Source: sample4.exe, 00000000.00000003.545246856.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/mac/
Source: sample4.exe, 00000000.00000002.577897876.0000000003C04000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/retail/
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/shop/goto/help/sales_refunds
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/sitemap/
Source: sample4.exe, 00000000.00000003.545246856.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/watch/
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: sample4.exe, 00000000.00000002.571424738.0000000001539000.00000004.00000020.sdmp	String found in binary or memory: https://www.digicert.com/rpa-ua0
Source: sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://www.microsoftstore.com/store/msusa/en_US/DisplayAddEditPaymentPage/
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://www.microsoftstore.com/store/msusa/en_US/DisplayEditProfilePage/tab.profile
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://www.microsoftstore.com/store/msusa/en_US/DisplayFindYourOrderPage/nextAction.DisplayAccountO
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://www.microsoftstore.com/store/msusa/en_US/DisplayFindYourOrderPage/nextAction.DisplayAccountR
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://www.microsoftstore.com/store/msusa/en_US/DisplayFindYourOrderPage/nextAction.DisplayDownload
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://www.microsoftstore.com/store/msusa/en_US/wishlists?Wt.mc_id=wishlist_landingpage
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://www.onenote.com/
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://www.skype.com/en/
Source: sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	String found in binary or memory: https://www.twitterflightschool.com/sl/382652bc
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://www.wikidata.org/wiki/Q65129345
Source: sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	String found in binary or memory: https://www.xbox.com/
Source: sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com/applesupport

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443

Source: unknown

HTTPS traffic detected: 104.244.42.131:443 -> 192.168.2.3:49761 version: TLS 1.2

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_0012D175 GetPropW,GlobalFix,SendMessageW,GlobalUnWire,RemovePropW,GlobalFree,GlobalUnWire,GetAsyncKeyState,SendMessageW,

E-Banking Fraud:

Yara detected IcedID

Show sources

Source: Yara match

File source: Process Memory Space: sample4.exe PID: 2100, type: MEMORY

Yara detected IcedID

Show sources

Source: Yara match	File source: 00000000.00000003.362692606.0000000001320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.sample4.exe.d0000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\sample4.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_0026404F
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_0026416F
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_0024C56C
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_0017A7C0
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_00264847
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_0025098E
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_00152C34
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_00256C80
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_00290890
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_00290683

Source: C:\Users\user\Desktop\sample4.exe	Code function: String function: 0024972F appears 62 times
Source: C:\Users\user\Desktop\sample4.exe	Code function: String function: 00249810 appears 35 times

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 768

Source: sample4.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: sample4.exe, 00000000.00000002.568529716.0000000001370000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs sample4.exe
Source: sample4.exe, 00000000.00000002.567097557.00000000002C4000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamearra.exe` vs sample4.exe
Source: sample4.exe	Binary or memory string: OriginalFilenamearra.exe` vs sample4.exe

Source: sample4.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/20@8/2

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_0012D0B0 FindResourceW,LoadResource,LockResource,GlobalFree,

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2100

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERABCC.tmp

Jump to behavior

Source: sample4.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\sample4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\sample4.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\sample4.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: sample4.exe	Virustotal: Detection: 77%
Source: sample4.exe	ReversingLabs: Detection: 79%

Source: unknown	Process created: C:\Users\user\Desktop\sample4.exe 'C:\Users\user\Desktop\sample4.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 768
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 804
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 896
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 924
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1224

Source: sample4.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: sample4.exe

Static file information: File size 2136576 > 1048576

Source: sample4.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1b0400

Source: sample4.exe

Static PE information: More than 200 imports for USER32.dll

Source: sample4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: sample4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: sample4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: sample4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: sample4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: sample4.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: sample4.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: sample4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: msvcrt.pdbk source: WerFault.exe, 00000011.00000003.373483424.0000000004FC2000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbT source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb6 source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb7 source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: mskeyprotect.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.373483424.0000000004FC2000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb) source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416219741.00000000052E6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441846238.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb? source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdbf source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: schannel.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: rasadhlp.pdbt source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb- source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb, source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdbx source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdbl source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: comdlg32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb\| source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000011.00000003.373534997.0000000004FD3000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391511057.0000000004C84000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: webio.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: oleacc.pdb1 source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb7 source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdbH source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb# source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416219741.00000000052E6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441846238.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb~ source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source:	Binary string: msimg32.pdbT source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb1 source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb/ source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: ncrypt.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdbk source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416219741.00000000052E6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441846238.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb) source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb/ source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb& source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb` source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: oleacc.pdb^ source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb" source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: ncryptsslp.pdb= source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: c:\Schoolwheel\Commontie\hithere\anyhit\Subtractmountain\TakeLand\Whilecardstone.pdb source: sample4.exe
Source:	Binary string: nsi.pdb_ source: WerFault.exe, 00000011.00000003.373534997.0000000004FD3000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391511057.0000000004C84000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdbh source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdb; source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416219741.00000000052E6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441846238.0000000005776000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: oleacc.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb; source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdbJ source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb# source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdbZ source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: mskeyprotect.pdb_ source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb5 source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb- source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb% source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: msimg32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: ntasn1.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdbF source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb, source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp
Source:	Binary string: upwntdll.pdb source: WerFault.exe, 00000011.00000003.368397809.0000000004C0E000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.385905313.0000000004A4D000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.409232348.0000000002FAA000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.436877307.00000000051E4000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb# source: WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp
Source:	Binary string: gdiplus.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb@ source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000011.00000003.368794303.0000000003011000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.385888353.0000000002BCD000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbv source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdbR source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: webio.pdbr source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: ncryptsslp.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb: source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb^ source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbX source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb_ source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbF source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdbj source: WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: webio.pdb< source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.373517949.0000000004FC0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.392471616.0000000004C70000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416196678.00000000052E0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441883039.0000000005770000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462446132.0000000005670000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb0 source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbk source: WerFault.exe, 00000011.00000003.373522458.0000000004FC5000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391461414.0000000004C72000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416001893.00000000052E2000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441781418.0000000005772000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462324420.0000000005672000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000011.00000003.373489768.0000000004FC8000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.416249388.00000000052E9000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.441899613.0000000005779000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb9 source: WerFault.exe, 00000015.00000003.391486327.0000000004C79000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.373470183.0000000004EC1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.392291844.0000000004CA1000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.416079337.0000000005311000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.441828979.0000000005681000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.462365505.00000000056A1000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000023.00000003.462334524.0000000005679000.00000004.00000040.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\sample4.exe

Unpacked PE file: 0.2.sample4.exe.d0000.0.unpack .text:ER;.data:W;.idata:R;.gfids:R;.giats:R;.tls:W;.rsrc:R;.reloc:R; vs .text:ER;bss:W;.rdata:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\sample4.exe

Unpacked PE file: 0.2.sample4.exe.d0000.0.unpack

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_000D1ECF wsprintfW,LoadLibraryA,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,

Source: sample4.exe

Static PE information: section name: .giats

Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_002496F8 push ecx; ret
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_00249856 push ecx; ret

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_000D18E0 SwitchToThread,__aulldiv,

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_000D18E0 rdtsc

Source: C:\Users\user\Desktop\sample4.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Users\user\Desktop\sample4.exe

API coverage: 8.6 %

Source: C:\Users\user\Desktop\sample4.exe TID: 1180

Thread sleep time: -150000s >= -30000s

Source: C:\Users\user\Desktop\sample4.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_00125BE6 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_00116FA9 GetEnvironmentVariableW,GetSystemInfo,FindFirstChangeNotificationW,GetEnvironmentVariableW,

Source: WerFault.exe, 00000011.00000002.378751405.0000000004C30000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.400669986.0000000002C90000.00000002.00000001.sdmp, WerFault.exe, 00000019.00000002.423433375.0000000004FA0000.00000002.00000001.sdmp, WerFault.exe, 00000020.00000002.447854535.0000000005A10000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.469042458.0000000005470000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000011.00000002.378751405.0000000004C30000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.400669986.0000000002C90000.00000002.00000001.sdmp, WerFault.exe, 00000019.00000002.423433375.0000000004FA0000.00000002.00000001.sdmp, WerFault.exe, 00000020.00000002.447854535.0000000005A10000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.469042458.0000000005470000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000011.00000002.378751405.0000000004C30000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.400669986.0000000002C90000.00000002.00000001.sdmp, WerFault.exe, 00000019.00000002.423433375.0000000004FA0000.00000002.00000001.sdmp, WerFault.exe, 00000020.00000002.447854535.0000000005A10000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.469042458.0000000005470000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000011.00000002.378751405.0000000004C30000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.400669986.0000000002C90000.00000002.00000001.sdmp, WerFault.exe, 00000019.00000002.423433375.0000000004FA0000.00000002.00000001.sdmp, WerFault.exe, 00000020.00000002.447854535.0000000005A10000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.469042458.0000000005470000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\sample4.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\sample4.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\sample4.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_000D18E0 rdtsc

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_0024F646 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_001183DE OutputDebugStringA,GetLastError,

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_000D1ECF wsprintfW,LoadLibraryA,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,

Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_0025D81F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_00259EEC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_0028FB73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_0028FB73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_0028F73F push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_013004FD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_013004FD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_013000C9 push dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_000D121E GetCommandLineA,StrStrIA,StrToIntA,GetTempPathA,wsprintfA,GetProcessHeap,HeapFree,

Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_0024F646 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\sample4.exe	Code function: 0_2_002498CA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: sample4.exe, 00000000.00000002.572528127.0000000001CB0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: sample4.exe, 00000000.00000002.572528127.0000000001CB0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: sample4.exe, 00000000.00000002.572528127.0000000001CB0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: sample4.exe, 00000000.00000002.572528127.0000000001CB0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_000D18E0 cpuid

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_000D1DD9 wsprintfW,GetComputerNameExA,GetUserNameA,wsprintfW,wsprintfW,wsprintfW,

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_0025BCE8 GetTimeZoneInformation,

Source: C:\Users\user\Desktop\sample4.exe

Code function: 0_2_00131386 RegisterClipboardFormatW,RegisterClipboardFormatW,RegisterClipboardFormatW,RegisterClipboardFormatW,RegisterClipboardFormatW,RegisterClipboardFormatW,SendMessageW,__EH_prolog3_GS,GetVersionExW,_wcschr,

Stealing of Sensitive Information:

Yara detected IcedID

Show sources

Source: Yara match

File source: Process Memory Space: sample4.exe PID: 2100, type: MEMORY

Yara detected IcedID

Show sources

Source: Yara match	File source: 00000000.00000003.362692606.0000000001320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.sample4.exe.d0000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected IcedID

Show sources

Source: Yara match

File source: Process Memory Space: sample4.exe PID: 2100, type: MEMORY

Yara detected IcedID

Show sources

Source: Yara match	File source: 00000000.00000003.362692606.0000000001320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.sample4.exe.d0000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API2	Path Interception	Process Injection2	Virtualization/Sandbox Evasion2	Input Capture11	System Time Discovery1	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection2	LSASS Memory	Query Registry1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Security Software Discovery151	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Virtualization/Sandbox Evasion2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing2	LSA Secrets	Process Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Account Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Owner/User Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	File and Directory Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	System Information Discovery113	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
sample4.exe	77%	Virustotal		Browse
sample4.exe	3%	Metadefender		Browse
sample4.exe	79%	ReversingLabs	Win32.Worm.Cridex
sample4.exe	100%	Avira	TR/IcedId.ltfzr

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.sample4.exe.d0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
gegemony4you.top	6%	Virustotal		Browse
www.intel.ch	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://static.ads-twitter.com	0%	URL Reputation	safe
https://static.ads-twitter.com	0%	URL Reputation	safe
https://static.ads-twitter.com	0%	URL Reputation	safe
https://static.ads-twitter.com	0%	URL Reputation	safe
https://cdn.cms-twdigitalassets.com/content/dam/help-twitter/logos/card_wide_blue.png	0%	Avira URL Cloud	safe
https://cdn.cms-twdigitalassets.com	0%	Virustotal		Browse
https://cdn.cms-twdigitalassets.com	0%	Avira URL Cloud	safe
https://cdn.goglobalwithtwitter.com	0%	Avira URL Cloud	safe
https://feedback.digital-cloud-prem.medallia.com;	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s.twitter.com	104.244.42.131	true	false		high
support.oracle.com	unknown	unknown	false		high
www.oracle.com	unknown	unknown	false		high
g.msn.com	unknown	unknown	false		high
help.twitter.com	unknown	unknown	false		high
www.intel.com	unknown	unknown	false		high
gegemony4you.top	unknown	unknown	true	6%, Virustotal, Browse	unknown
www.intel.ch	unknown	unknown	false	0%, Virustotal, Browse	unknown
corpredirect.intel.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://outlook.live.com/owa/	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/using-twitter#search-and-trends	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/managing-your-account/notifications-on-mobile-devices	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/fr	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://about.twitter.com/en_us/safety.html	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://developer.twitter.com/en/docs	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/managing-your-account#login-and-password	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://blog.twitter.com/	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/fil	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://about.twitter.com/en_us/company.html	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/nl	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	false		high
https://help.twitter.com/fa	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://twitter.com/AppleSupport	sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	false		high
https://twitter.com/applesupport	sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	false		high
https://resources.digital-cloud-prem.medallia.com	sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	false		high
https://help.twitter.com/fi	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://templates.office.com/	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://twitter.com/i/csp_report;	sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	false		high
https://business.twitter.com/en/advertising.html	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/no	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://static.ads-twitter.com	sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://help.twitter.com/en/rules-and-policies/twitter-rules	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://cdn.cms-twdigitalassets.com/content/dam/help-twitter/logos/card_wide_blue.png	sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://help.twitter.com/gu	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://api.twitter.com	sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/using-twitter#adding-content-to-your-tweet	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://blog.twitter.com/en_us/topics/company/2020/covid-19.html	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://twitter.com	sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	false		high
https://www.twitterflightschool.com/sl/382652bc	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/rules-and-policies#law-enforcement-guildelines	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://login.microsoftonline.com/common/oauth2/authorize?response_mode=form_post	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://support.xbox.com/	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/managing-your-account	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/using-twitter/mentions-and-replies	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/rules	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://cdn.cms-twdigitalassets.com	sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.wikidata.org/wiki/Q65129345	sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/a-safer-twitter	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://transparency.twitter.com/	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://business.twitter.com/en/help.html	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/twitter-guide	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://cdn.goglobalwithtwitter.com	sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schema.org/VideoObject	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/using-twitter/tweeting-gifs-and-pictures	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/how-you-can-control-your-privacy	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/using-twitter/advanced-twitter-mute-options	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://careers.twitter.com/	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://support.xbox.com	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://help.twitter.com/hu	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://blog.twitter.com/developer/	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://www.microsoftstore.com/store/msusa/en_US/DisplayAddEditPaymentPage/	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://help.twitter.com	sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	false		high
https://help.twitter.com/hr	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://www.microsoftstore.com/store/msusa/en_US/wishlists?Wt.mc_id=wishlist_landingpage	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://www.microsoftstore.com/store/msusa/en_US/DisplayFindYourOrderPage/nextAction.DisplayAccountR	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://www.skype.com/en/	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/managing-your-account#verified-accounts	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://media.twitter.com/	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://www.microsoftstore.com/store/msusa/en_US/DisplayFindYourOrderPage/nextAction.DisplayAccountO	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://help.twitter.com/he	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://data.twitter.com/	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://developer.twitter.com/en/community	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/pl	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://schema.org	sample4.exe, 00000000.00000003.545079805.0000000003C0D000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/managing-your-account#notifications	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://status.twitterstat.us/	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/pt	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/hi	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	false		high
https://www.onenote.com/	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/rules-and-policies#twitter-rules	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/it	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/glossary	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/ja	sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://cards-dev.twitter.com/validator	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
http://ogp.me/ns#	sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	false		high
https://help.twitter.com/ar	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	false		high
https://about.twitter.com/en_us/company/twitter-for-good.html	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://privacy.twitter.com/	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/using-twitter#tweets	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://marketing.twitter.com/en/insights	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://about.twitter.com/en_us/company/brand-resources.html	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/id	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	false		high
http://schema.org/Organization	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://twitter.com/login?redirect_after_login=https://help.twitter.com/en	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://business.twitter.com/en/resources.html	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/contact-us	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://video.twimg.com/tweet_video/EAa_YvRU4AAH-IN.mp4	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://business.twitter.com/	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/safety-and-security/how-to-make-twitter-private-and-public	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/bn	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://help.twitter.com/	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://feedback.digital-cloud-prem.medallia.com;	sample4.exe, 00000000.00000003.533332045.0000000001539000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://twitter.com/privacy	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/sk	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp, sample4.exe, 00000000.00000003.532297635.000000000153E000.00000004.00000001.sdmp	false		high
https://templates.office.com/collection-family-activities	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://www.microsoftstore.com/store/msusa/en_US/DisplayFindYourOrderPage/nextAction.DisplayDownload	sample4.exe, 00000000.00000003.519277199.000000000152B000.00000004.00000001.sdmp	false		high
https://marketing.twitter.com/en/success-stories	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://twitter.com/logout	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high
https://help.twitter.com/en/using-twitter/direct-messages	sample4.exe, 00000000.00000003.532203579.0000000003C01000.00000004.00000001.sdmp	false		high
https://help.twitter.com/ro	sample4.exe, 00000000.00000003.532275265.0000000001546000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.244.42.131	unknown	United States		13414	TWITTERUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	339451
Start date:	14.01.2021
Start time:	04:01:56
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 38s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	sample4.bin (renamed file extension from bin to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/20@8/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 1.6% (good quality ratio 1.5%) Quality average: 78.6% Quality standard deviation: 26.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, RuntimeBroker.exe, wermgr.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 13.64.90.137, 52.147.198.201, 2.20.84.85, 20.190.129.19, 40.126.1.142, 20.190.129.2, 40.126.1.130, 40.126.1.145, 20.190.129.128, 20.190.129.160, 20.190.129.130, 51.11.168.160, 93.184.221.240, 92.122.213.194, 92.122.213.247, 20.54.26.129, 104.43.139.144, 51.104.139.180, 52.142.114.176, 40.88.32.150, 104.83.125.175, 104.83.83.83, 2.20.84.4, 2.21.61.56, 2.20.84.208, 2.17.181.200, 52.155.217.156 Excluded domains from analysis (whitelisted): intel11.edgekey.net, arc.msn.com.nsatc.net, intel11.cn.edgekey.net, support-china.apple-support.akadns.net, fs-wildcard.microsoft.com.edgekey.net, ev.support.microsoft.com.edgekey.net, skypedataprdcoleus15.cloudapp.net, prod-support.apple-support.akadns.net, support.oracle.com.edgekey.net, e3843.g.akamaiedge.net, login.live.com, audownload.windowsupdate.nsatc.net, hlb.apr-52dd2-0.edgecastdns.net, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, fs.microsoft.com, e2581.dscx.akamaiedge.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, www.tm.a.prd.aadg.akadns.net, skypedataprdcolcus16.cloudapp.net, ris.api.iris.microsoft.com, e2063.e9.akamaiedge.net, e11.dsca.akamaiedge.net, blobcollector.events.data.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net, intel19233.edgekey.net, e19233.dsca.akamaiedge.net, support.microsoft.com, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, g-msn-com-nsatc.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, intel11.cn.edgekey.net.globalredir.akadns.net, support.apple.com, support.apple.com.edgekey.net, cs11.wpc.v0cdn.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, e870.x.akamaiedge.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, wu.ec.azureedge.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, ds-www.oracle.com.edgekey.net, login.msa.msidentity.com, skypedataprdcoleus16.cloudapp.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:04:49	API Interceptor	9x Sleep call for process: sample4.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
104.244.42.131	https://cypressbayhockey.com/NO	Get hash	malicious	Browse
	details.html	Get hash	malicious	Browse
	details.html	Get hash	malicious	Browse
	https://numisconsult.com/blog/e47c4b8720db7445599988579a03c7c5	Get hash	malicious	Browse
	https://sosefinawinnifredsullivan8-5ce0e.gr8.com/	Get hash	malicious	Browse
	http://kikicustomwigs.com/inefficient.php	Get hash	malicious	Browse
	https://www.evernote.com/shard/s395/sh/e6cd3f32-356e-2b0f-29eb-532205cb0cdd/b301c5a7d8494fe2a6f2588862012fb5	Get hash	malicious	Browse
	https://doc.clickup.com/p/h/853bx-28/ee9d693560ec8e5	Get hash	malicious	Browse
	https://doc.clickup.com/p/h/84zph-7/c3996c24fc61b45	Get hash	malicious	Browse
	https://cts.indeed.com/v0?tk=1df9t5skc2g3980p&r=%68%74%74%70%73%3a%2f%2f%61%6e%61%6c%79%74%69%63%73%2e%74%77%69%74%74%65%72%2e%63%6f%6d%2f%64%61%61%2f%30%2f%64%61%61%5f%6f%70%74%6f%75%74%5f%61%63%74%69%6f%6e%73%3f%61%63%74%69%6f%6e%5f%69%64%3d%33%26%70%61%72%74%69%63%69%70%61%6e%74%5f%69%64%3d%37%31%36%26%72%64%3d%68%74%74%70%73%3a%2f%2f%66%72%61%31%2e%64%69%67%69%74%61%6c%6f%63%65%61%6e%73%70%61%63%65%73%2e%63%6f%6d%2f%73%32%32%2f%69%6e%64%65%78%2e%68%74%6d%6c%3f#matthias.kirsch@iti.org	Get hash	malicious	Browse
	WSGaRIW.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Mikey.116711.25037.dll	Get hash	malicious	Browse
	https://call.lifesizecloud.com/4478671	Get hash	malicious	Browse
	VSMecyU.dll	Get hash	malicious	Browse
	https://recovermy3-account.com/	Get hash	malicious	Browse
	https://recovermy3-account.com/	Get hash	malicious	Browse
	temp.dll	Get hash	malicious	Browse
	iuyala11.dll	Get hash	malicious	Browse
	temp.dll	Get hash	malicious	Browse
	temp.dll	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
s.twitter.com	http://search.hwatchtvnow.co	Get hash	malicious	Browse	104.244.42.131
	http://search.hshipmenttracker.co	Get hash	malicious	Browse	104.244.42.67
	https://t.yesware.com/tt/ae9851ab7b578dad1289f08bbf450624f7ae3a45/2ee42987f58d2f32bb36ff11a00dd921/2f4e7e35c28c3b7f4958904f5584a915/joom.ag/2VFC	Get hash	malicious	Browse	104.244.42.195
	https://joom.ag/3wFC	Get hash	malicious	Browse	104.244.42.3

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TWITTERUS	http://message.mydopweb.com	Get hash	malicious	Browse	104.244.42.193
	http://www.secured-mailsharepoint.online/	Get hash	malicious	Browse	104.244.42.130
	https://www.ensonoelevate2021.com/event/8e8c2672-3b18-40b1-8efc-026ab72e6424/summary?environment=P2&5S%2CM3%2C8e8c2672-3b18-40b1-8efc-026ab72e6424=	Get hash	malicious	Browse	104.244.42.5
	https://cypressbayhockey.com/NO	Get hash	malicious	Browse	104.244.42.197
	details.html	Get hash	malicious	Browse	104.244.42.5
	details.html	Get hash	malicious	Browse	104.244.42.5
	https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/?utm_source=redcanary&utm_medium=email&utm_campaign=Blog%20Digest-2020-11-05T09:00:54.888-07:00&mkt_tok=eyJpIjoiWmpKbVlUTXpPRGMzTTJRMSIsInQiOiJtMm9iYWJESHd5VldFUTF2a05zeEdtVUdMNms3cHVcL01OcW9hYUlwOElYZFwvNkdvd0UzV0x2SDdNZVlIMWFTSG1jS28zM0JIamh3YXRvcmU0K2htaTJpTlFLbjNNaWswT2NxYlhXdElEZHVzMlFaclpoTUFzZk1ibTV0SGVwSCs2In0%3D	Get hash	malicious	Browse	104.244.42.133
	https://patrickphimr5.github.io/memoaideivozx/dsfriet.html?bbre=dxcfdgoiss	Get hash	malicious	Browse	104.244.42.65
	https://doc.clickup.com/p/h/2hm67-99/806f7673f7694a9	Get hash	malicious	Browse	104.244.42.3
	http://aypf.z2systems.com	Get hash	malicious	Browse	104.244.42.193
	https://create.piktochart.com/output/51658503-cfo-capabel	Get hash	malicious	Browse	104.244.42.2
	https://protect-us.mimecast.com/s/JFIWCVON1NCzq3ggtGInaq	Get hash	malicious	Browse	104.244.42.67
	http://g1security.co.tz	Get hash	malicious	Browse	104.244.42.129
	https://numisconsult.com/blog/e47c4b8720db7445599988579a03c7c5	Get hash	malicious	Browse	104.244.42.131
	http://search.hshipmenttracker.co	Get hash	malicious	Browse	104.244.42.197
	https://sosefinawinnifredsullivan8-5ce0e.gr8.com/	Get hash	malicious	Browse	104.244.42.131
	https://t.co/2QNQz4sNnh?amp=1	Get hash	malicious	Browse	104.244.42.69
	https://omsd-org.gq/?login=do&c=E,1,MTY2COfqGo5C-H4KALYqrUyXXPpd2evSCW3stb24PsdKe8xYdoYVhcjchdnzpUCr95AnX7X4QDVSQFpJtN_EpMZ8u2smwVQNUpYGz7Etn-l-NVb_st2_649iVg,,&typo=1	Get hash	malicious	Browse	104.244.42.197
	http://www.cqdx.ru	Get hash	malicious	Browse	104.244.42.193
	http://kikicustomwigs.com/inefficient.php	Get hash	malicious	Browse	104.244.42.5

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ce5f3254611a8c095a3d821d44539877	WFLPGBTMZH.dll	Get hash	malicious	Browse	104.244.42.131
	Customer_Receivables_Aging_20210112_2663535345242424242.exe	Get hash	malicious	Browse	104.244.42.131
	Listings.exe	Get hash	malicious	Browse	104.244.42.131
	Transferencia,pdf.exe	Get hash	malicious	Browse	104.244.42.131
	Dhl Client Invoice.exe	Get hash	malicious	Browse	104.244.42.131
	64D5aP6jQz.exe	Get hash	malicious	Browse	104.244.42.131
	mscthef-Fichero-ES.msi	Get hash	malicious	Browse	104.244.42.131
	New inquiry CON 20-10630.exe	Get hash	malicious	Browse	104.244.42.131
	RLFGB8pdA6.exe	Get hash	malicious	Browse	104.244.42.131
	ORDER#9403.exe	Get hash	malicious	Browse	104.244.42.131
	CLIDSXX.exe	Get hash	malicious	Browse	104.244.42.131
	SecuriteInfo.com.Variant.Graftor.893032.186.exe	Get hash	malicious	Browse	104.244.42.131
	ptrb-ES-2999223.msi	Get hash	malicious	Browse	104.244.42.131
	T9tAui44l4.exe	Get hash	malicious	Browse	104.244.42.131
	E8Jkw96qFU.exe	Get hash	malicious	Browse	104.244.42.131
	SecuriteInfo.com.Trojan.DownLoader36.32796.17922.exe	Get hash	malicious	Browse	104.244.42.131
	y46XVvLaVc.exe	Get hash	malicious	Browse	104.244.42.131
	Softerra Adaxes 2011.3.exe	Get hash	malicious	Browse	104.244.42.131
	r0u.exe	Get hash	malicious	Browse	104.244.42.131
	r0u.exe	Get hash	malicious	Browse	104.244.42.131

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sample4.exe_45365feab801c9585ad9627648598a0b3f59_b2de38ec_023208c1\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12180
Entropy (8bit):	3.7757129548768527
Encrypted:	false
SSDEEP:	96:4nnLHJPBHQToA7Rb6tpXIQcQnc6rCcEhcw3r7+HbHg/PtuuzOOFLMbsWoxMfpNq9:gDJP/H56rQjzEfKXR/u7sxS274Itxpq
MD5:	F33A74C78B60DE4948ABD5FCA62C8C1D
SHA1:	6DAAA0FBCDF61CA7594A921A457A0CB428B16CD0
SHA-256:	7514782350B6350389B11D177F2F9CB6CABB95F4AEC9E8377EA9248A1722710B
SHA-512:	25E287B740FC747C4646DBC5CF1E80EE6384608864AD305711DAC723D099BCF78A4F2ADD7D4AEB6B1D99D01E3EA215275D2D75922885F171A827180B2F3E5258
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.5.0.9.9.4.6.1.3.3.4.6.1.7.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.f.5.0.1.7.1.e.-.c.7.a.3.-.4.6.b.a.-.b.c.8.5.-.2.2.a.8.f.7.6.b.b.f.2.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.0.1.7.c.2.6.2.-.0.1.5.3.-.4.5.2.c.-.b.7.6.6.-.5.8.7.5.9.a.0.7.8.d.5.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.a.m.p.l.e.4...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.r.r.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.3.4.-.0.0.0.1.-.0.0.1.7.-.c.7.f.b.-.d.e.2.b.6.d.e.a.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.8.a.f.e.e.8.1.a.7.5.1.5.4.c.b.b.d.8.a.0.f.f.7.c.2.f.6.3.6.9.d.0.0.0.0.0.9.0.4.!.0.0.0.0.d.f.6.0.7.3.6.7.a.8.8.b.5.6.1.0.a.2.2.4.9.0.9.e.f.b.8.d.e.b.e.b.0.d.9.0.f.4.8.7.!.s.a.m.p.l.e.4...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.0.4././.0.7.:.1.0.:.4.4.:.1.6.!.0.!.s.a.m.p.l.e.4...

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sample4.exe_45365feab801c9585ad9627648598a0b3f59_b2de38ec_058db978\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12080
Entropy (8bit):	3.7723760710787007
Encrypted:	false
SSDEEP:	96:YOIarJPFHQToA7Rb6tpXIQcQnc6rCcEhcw3r7+HbHg/PtuuzOOFLMbsWoxMfpNqy:6EJPbH56rQjzEfKXR/u7sWS274Itxp6
MD5:	8549CFB0ABB89E6BA07A896B3BAEB4FF
SHA1:	47BE65FFBEFFAB2884B681F321D4E329A339F28F
SHA-256:	36614A01566DE26BCAEC36177422C484B9ED2A5FAA8061A7D528680323D0346C
SHA-512:	B7B09418ACBE27182027B3FBAE153444AF2CB6FC5F39002D59546B583A4948A660FDC9F75D1802429071539830D0E4794E0473B06BD910DBAC300E72C67124A5
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.5.0.9.9.4.4.2.2.4.0.9.1.7.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.e.c.a.1.6.6.0.-.2.6.1.0.-.4.1.e.8.-.b.8.4.2.-.5.0.d.3.e.2.3.6.3.a.f.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.0.d.0.d.3.9.4.-.c.d.b.f.-.4.d.a.6.-.b.2.d.9.-.0.e.5.c.4.d.d.5.2.e.4.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.a.m.p.l.e.4...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.r.r.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.3.4.-.0.0.0.1.-.0.0.1.7.-.c.7.f.b.-.d.e.2.b.6.d.e.a.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.8.a.f.e.e.8.1.a.7.5.1.5.4.c.b.b.d.8.a.0.f.f.7.c.2.f.6.3.6.9.d.0.0.0.0.0.9.0.4.!.0.0.0.0.d.f.6.0.7.3.6.7.a.8.8.b.5.6.1.0.a.2.2.4.9.0.9.e.f.b.8.d.e.b.e.b.0.d.9.0.f.4.8.7.!.s.a.m.p.l.e.4...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.0.4././.0.7.:.1.0.:.4.4.:.1.6.!.0.!.s.a.m.p.l.e.4...

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sample4.exe_45365feab801c9585ad9627648598a0b3f59_b2de38ec_13ce361a\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12384
Entropy (8bit):	3.775237108429829
Encrypted:	false
SSDEEP:	96:g9HQJPrHQToA7Rb6tpXIQcQnc6rCcEhcw3r7+HbHg/PtuuzOOFLMbsWoxMfpNqEY:PJP1H56rQjzEfKX0/u7sxS274Itxpv
MD5:	A83850FBB51EE9A273A439B5D0CEE57E
SHA1:	379A2AA130BF3AA164B9FF6C1E09508E4C21D122
SHA-256:	A66236E86CF2B98ABAC970EF37589CB14E684DF8AAF6928EF58D4C563EBB4F7E
SHA-512:	DA8583D262A7139EC32D20E9CDBAE2FC5F0A948F4889CCA9467286B5F5AABBF2E801D823767A3EF7F146AA4C62947842030DD25533F898DEFA163A1555E192E7
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.5.0.9.9.4.7.4.1.4.7.0.9.2.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.8.5.b.1.3.a.7.-.1.0.3.c.-.4.c.5.a.-.b.b.3.5.-.8.e.e.d.6.5.6.7.8.1.c.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.2.b.e.6.5.1.e.-.8.5.e.0.-.4.6.1.5.-.9.f.4.6.-.c.f.9.8.4.8.6.2.c.5.8.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.a.m.p.l.e.4...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.r.r.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.3.4.-.0.0.0.1.-.0.0.1.7.-.c.7.f.b.-.d.e.2.b.6.d.e.a.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.8.a.f.e.e.8.1.a.7.5.1.5.4.c.b.b.d.8.a.0.f.f.7.c.2.f.6.3.6.9.d.0.0.0.0.0.9.0.4.!.0.0.0.0.d.f.6.0.7.3.6.7.a.8.8.b.5.6.1.0.a.2.2.4.9.0.9.e.f.b.8.d.e.b.e.b.0.d.9.0.f.4.8.7.!.s.a.m.p.l.e.4...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.0.4././.0.7.:.1.0.:.4.4.:.1.6.!.0.!.s.a.m.p.l.e.4...

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sample4.exe_45365feab801c9585ad9627648598a0b3f59_b2de38ec_16da5cdc\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	13300
Entropy (8bit):	3.7692678717959778
Encrypted:	false
SSDEEP:	96:1q5DJPmHQToA7Rb6tpXIQcQnc6rCcEhcw3r7+HbHg/PtuuzOOFLMbsWoxMfpNqEg:iJPAH56rQjzEfKX1r/u7sxS274Itxpo
MD5:	39D1F56E6FF74B3E803A3DB436DC0567
SHA1:	D353F7D0519C76D8CA38ADA8DF241FC8186AF0F8
SHA-256:	ED3D8B5ED2B208991F4041604523D134C2939875FEB9DD22DA31FC5956FECF3C
SHA-512:	C7395B8FA4F20D0EA4BB8A686AE625BE3352EC6A42AF74A0DBD9AA0E475D2009B5CEE2AE9D725C989D4C16B58390C02F4AC4FD11D39972A2CB683A6F0B516226
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.5.0.9.9.4.8.2.6.1.5.8.5.1.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.f.6.8.4.b.1.f.-.b.5.a.a.-.4.0.5.d.-.a.c.b.b.-.8.a.d.9.c.6.c.4.f.1.e.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.d.c.4.b.4.d.0.-.2.5.0.d.-.4.4.b.5.-.a.8.4.3.-.0.e.5.9.1.7.e.2.2.0.1.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.a.m.p.l.e.4...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.r.r.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.3.4.-.0.0.0.1.-.0.0.1.7.-.c.7.f.b.-.d.e.2.b.6.d.e.a.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.8.a.f.e.e.8.1.a.7.5.1.5.4.c.b.b.d.8.a.0.f.f.7.c.2.f.6.3.6.9.d.0.0.0.0.0.9.0.4.!.0.0.0.0.d.f.6.0.7.3.6.7.a.8.8.b.5.6.1.0.a.2.2.4.9.0.9.e.f.b.8.d.e.b.e.b.0.d.9.0.f.4.8.7.!.s.a.m.p.l.e.4...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.0.4././.0.7.:.1.0.:.4.4.:.1.6.!.0.!.s.a.m.p.l.e.4...

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_sample4.exe_45365feab801c9585ad9627648598a0b3f59_b2de38ec_177de25c\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12082
Entropy (8bit):	3.773622159663461
Encrypted:	false
SSDEEP:	96:SzwJPCHQToA7Rb6tpXIQcQnc6rCcEhcw3r7+HbHg/PtuuzOOFLMbsWoxMfpNqE6T:uwJPEH56rQjzEfKXR/u7sWS274ItxpX
MD5:	F9DE8B024B8D805B8F53277DADEC61E5
SHA1:	EC6E575FD9A307A7263744CCE43F6050E08FFC83
SHA-256:	8F9EF602CEB6BBA4CDA441F993EFA97E087D84DADFB4D4D183E7FD0EC7B36E03
SHA-512:	05322EF2B9BFB4BC0F26FC17E255EEC6968D2AC59114E3AC08D63C7F8B516A7C7FCB32276F98136AB81B1ECF963FBA0EB97511802471E5235A6FAB03D8C7B80B
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.5.0.9.9.4.5.0.3.5.0.2.7.1.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.b.7.7.e.e.3.6.-.e.0.4.0.-.4.5.a.f.-.b.0.c.f.-.4.2.f.5.3.c.d.1.3.3.1.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.c.0.4.a.b.e.3.-.2.f.2.f.-.4.9.a.d.-.9.f.c.7.-.f.1.1.1.3.f.f.f.c.4.f.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.a.m.p.l.e.4...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.r.r.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.3.4.-.0.0.0.1.-.0.0.1.7.-.c.7.f.b.-.d.e.2.b.6.d.e.a.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.8.a.f.e.e.8.1.a.7.5.1.5.4.c.b.b.d.8.a.0.f.f.7.c.2.f.6.3.6.9.d.0.0.0.0.0.9.0.4.!.0.0.0.0.d.f.6.0.7.3.6.7.a.8.8.b.5.6.1.0.a.2.2.4.9.0.9.e.f.b.8.d.e.b.e.b.0.d.9.0.f.4.8.7.!.s.a.m.p.l.e.4...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.0.4././.0.7.:.1.0.:.4.4.:.1.6.!.0.!.s.a.m.p.l.e.4...

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1BD.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8400
Entropy (8bit):	3.6980603355241612
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNioq6I8J/6YSaSUGRPgmfGuSrCpBT89bGnqsfDxim:RrlsNit6I8R6YfSUGRPgmfGuSVGnJfp
MD5:	C5C4C37BAB140B7F7183F1EA1184CD0A
SHA1:	7E389311A6D7518BA8CE1D6FD27809934EA42140
SHA-256:	67AEC99C834D15887E74691AB6993FB14CBADD5A0482E332D3AA2B8FC331F759
SHA-512:	E2E7406119D4E6E7BDB497DC60BA97DA8F19BB1A85CD704EB7437788E98BD5F06C62FB06924387C1E74C32D9016263D10E87DDFCDDE16B1728B6CF2401D9D9DF
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.1.0.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER286E.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 14 12:04:35 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	88980
Entropy (8bit):	2.000024614163454
Encrypted:	false
SSDEEP:	384:g7RA21BGylxzoEalrrZwyJPsVN1eIs6pkf7D13xqhaK7AT:glA2rGyXoEalrzPsP1eL9N40lT
MD5:	8CBBD4DF28ED24D275A5B99871F0AEE4
SHA1:	AC7743902178B19F482DF54F4D191E7EA41F41D5
SHA-256:	98E94389C6B85400A3F28EE1252AFEF8B3864112FF1B729541518A55D9D07601
SHA-512:	15935D5F2E9B3D88D74509ECEB017A12488C4ED823A8A010F0C0E801511340D02D9D86605DA13226C1342685C447BBE083BC348C10C5C3686BC210DFF5AF8E58
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......S3.`...................U...........B....... ......GenuineIntelW...........T.......4....2.`:............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER306E.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8400
Entropy (8bit):	3.6977100771396483
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNioP6IL76YSVSUr6gmfGuSrCpB889bFnqsfx3m:RrlsNiA6IL76YASUr6gmfGuSoFnJfM
MD5:	7BD3D3799E7832DB6E8F790D218F6198
SHA1:	DA33CD235E2F88038F7299C0D9A486547489823E
SHA-256:	E9740B916909FDF73EB25F1E70223088E17E80E6771BA1E586644542677406CB
SHA-512:	1B3C4D5DAE7287EF8A5E974D7FDE9D2CFAC70822F8E6A1CE1D80BF5E1E5288182EA325EA4C4716A8C52BD00198FE181D756CE4B86CB70E03C12E007913F77DD8
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.1.0.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER32EF.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4753
Entropy (8bit):	4.464512402648456
Encrypted:	false
SSDEEP:	48:cvIwSD8zskJgtWI97TWSC8Bd8fm8M4Jv6MFfAv+q8vc6ILJsGX7vXw3d:uITfigiSN8JSRvKPILJsGX7vXgd
MD5:	E826EDFB38864830ABE3759CDA64D964
SHA1:	E873E42E77CA0B011BF44A2616A814A94D78DD7D
SHA-256:	133CE84E255AE1177A340F2B6DCFEEEA66034B0DDAC5A6F12C9E968B4640EBBE
SHA-512:	9E95458200E71C52FEA724DD4A63A1FC5E17F556915044A22D833EACA03BC98BF4121F74F9BC3E0D6EF56D4512D0AEF7C629F0AD16682AAE75501F59AC890AD5
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="816315" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4983.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 14 12:04:45 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	99634
Entropy (8bit):	1.9828576437490704
Encrypted:	false
SSDEEP:	384:DC3W2Ak9bpkazfErHylxzhIkv8lW0U3DSfeDZg1zH1IdYkyNXN9o+s0FHDP:DC3zAksasyXKkv8l96stjP
MD5:	B8D1A8E6D6C7382D9ED80DCE25C42A2F
SHA1:	D3872274171A35FE546DAE4A9ED22ACD9CFA59C2
SHA-256:	84214734DFEF4106844A48D535B124FE377C0D2F61C26DDE221FD9204DFF9EBA
SHA-512:	1515168F4EEF03BF1D87C022D90D54A2AB18A823E4E140CF1F51F9F1275DB7691D7DA5A6F4988F1390E1768554DDFDE6F167C9C5CC460375508C532A3ADE1E51
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......]3.`...................U...........B.......$......GenuineIntelW...........T.......4....2.`:............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4DB.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4753
Entropy (8bit):	4.463092547999117
Encrypted:	false
SSDEEP:	48:cvIwSD8zskJgtWI97TWSC8BM8fm8M4Jv6MF1+q8vc6ILJsGX7vXw3d:uITfigiSNrJSoKPILJsGX7vXgd
MD5:	E26E9D255F88D992E78511EDEA3FADF9
SHA1:	945EC689B90356703A4E19ECEBD57CA20262D43B
SHA-256:	CAE1AAC0E291E4AF14844FD194E2799CD81C7FFB27F3EB1050E1027519B60483
SHA-512:	22ED4E71392445AB7C3B9BEC66AA07A918270921199814676E984D9E96A79B7450D26B4894F4C1F8F5D3FC65D77E28C27524ACB82191BDCA20B514F0CD9E0247
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="816315" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER55D8.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8402
Entropy (8bit):	3.6978315130490094
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNioR6oW6YSpSU/RUgmfGuSrCpB689bSnqsfXGm:RrlsNiO6Z6YcSU/RUgmfGuSySnJff
MD5:	DB68D6E459836A75F1E0AF2DC6BAA85A
SHA1:	2CE8D49935A1B4FDCC481D03799836985BFCC0D9
SHA-256:	3CB838BDC9B4E336895C5973F459D35E405FEF9677F8D82200E5A92A3A68527E
SHA-512:	40F4D08F3E5531C2F636A079739673811A8E5020B5F9E73BF1222C9CCBB0DCF88B03E3BD2BF3F44E47D5D1631D10A20BE99F8CCCA64F0928CB25D1C92619E4D8
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.1.0.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER585A.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4753
Entropy (8bit):	4.461932434666514
Encrypted:	false
SSDEEP:	48:cvIwSD8zskJgtWI97TWSC8Bis8fm8M4Jv6MF5O+q8vc6ILJsGX7vXw3d:uITfigiSN8JSVKPILJsGX7vXgd
MD5:	A46FB23426B471BA03A31FDE8720D575
SHA1:	CED3DAA8CC74407B7A14EC4D6EF6C1BC349E9EB9
SHA-256:	7C28650FC1F5DEC46F21CB7B42172FBB7861CF305A9F46FF2E91CEB20F2D13BD
SHA-512:	42F8F054A5A32C667D48CABA88115A6C606F988B4910B8D9F9A5BF62996F13E3BE725A108FBE6982066577800FE559D185BC1FD2A4206B347698EA28ADF0539A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="816315" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERABCC.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 14 12:04:04 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	60446
Entropy (8bit):	1.9975649594048102
Encrypted:	false
SSDEEP:	192:E2XIa05AgbT3ylxzcBYxZrrab1v2cDuK8Sbq8tHYzTBljqcKyF9:1Ia05AozylxzOY3rWhph8qXEBIA
MD5:	3EDA680C46EC45A8E65D4DB4AC767333
SHA1:	CFF6ECFF168973FFD267A1649458A2F88B9B318B
SHA-256:	1D4A384AC3803A0FB281104685A46862C6E74409B70F261C7854878FC0143EEF
SHA-512:	0D96C97B790B83ABC1D5D1F7CF53DBFCDC41BE82CA8C713493B9593DB3C2E04800615E94E2C7F28E605E40C0DC0A33741C50CACFDF8FA32013629C07C8112A23
Malicious:	false
Preview:	MDMP....... .......43.`...................U...........B..............GenuineIntelW...........T.......4....2.`:............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB3DB.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8398
Entropy (8bit):	3.6958613853599918
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNioB6Iyi6YSKSU1ygmfGuSrCpB089bknqsfPjMm:RrlsNim6Iyi6YPSU1ygmfGuSgknJf1
MD5:	BC396DA9A4C55BE808F8957D45A75BDA
SHA1:	B82FC5184F1FD8A6CCE6CE4D30801360CBE22ABF
SHA-256:	4C4A11CB625991638B1C94AC99108B026D5E52D225C36346E5036387BAD450B7
SHA-512:	DEBD0015E401E880E7867A27C8E87AF98C7AD4481F9C241891AD382E1EABD7632B750D84172DBB0F47BF4A768568F57B6EDA1D89CCF983B463620B67165DD1E4
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.1.0.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB592.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4753
Entropy (8bit):	4.4599661127230705
Encrypted:	false
SSDEEP:	48:cvIwSD8zsLJgtWI97TWSC8BE8fm8M4Jv6MFw+q8vc6ILJsGX7vXw3d:uITflgiSNzJSFKPILJsGX7vXgd
MD5:	567A6E034EA0B483BEB8BB0082030E96
SHA1:	F5E2FEE7B5D5899E3F4AB1DAF398EDE53A4F9C5F
SHA-256:	BF95A9735FD0ADDB4B23F80125BB7BEF1CC56E24C46367B091E4595DC9876EB4
SHA-512:	DD4C4B57EB09F498A818D5A683059A0EB5091C4CE847FF058BFDCE73A06AC69E50B5B2BD046E0CA6882F6B5D659248AC92F716F969331B17CA78DB03FB0BEB5E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="816314" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCB79.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 14 12:04:12 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	87540
Entropy (8bit):	2.19600592359827
Encrypted:	false
SSDEEP:	384:ttutAzBwX8tErhMA1RUxbYc23OXylxzQzRCRnchtChjbcxIEDwnmI:HMAzBw4AeA3Ux323OXyXQzRCdKtiiDwX
MD5:	8C583E227B6B85DEEBE5B786648E2137
SHA1:	B580344D35DF3DF61CCCA1E4F2DCADFAC515BBCD
SHA-256:	91CB49C253F1E762A49AC001DD9B06F93D474F716BF3B7306E5C3DFAC37D9058
SHA-512:	6468FA16A4DFB3BA9B6E471A8BEFE155B99F2B7C965C1587CB69EA89774ACE7FA0F31D7E7084DBEDD03491DBDE316ABF1FC05BDA28250E967D5302A2532BF6D3
Malicious:	false
Preview:	MDMP....... .......<3.`...................U...........B......T.......GenuineIntelW...........T.......4....2.`:............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD677.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8400
Entropy (8bit):	3.695637388269918
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNioa6I296YSBSUGRfgmfGuSrCpBR89bVnqsfKHm:RrlsNid6I296Y0SUGRfgmfGuSfVnJfT
MD5:	C2E720B1A4E9CF17AF4E8ECEF455A2B7
SHA1:	750A0AA48D0E162F4D44B2CB3A4F65EB22C2B5CC
SHA-256:	39EF919FCEFCB20D2B89B7A4F398289638EBF94FC6BAFE003414EFD417A21A2F
SHA-512:	5EB1E91504FF55F7E4A3B61405C7A2FEAF15DCCBC44F7020B6A561B946784AF7ED0FBB7DCFB9FBC73207EB059725756A8773A0697C9A176A944C110E47254F93
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.1.0.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE76.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4753
Entropy (8bit):	4.4636931605483605
Encrypted:	false
SSDEEP:	48:cvIwSD8zsLJgtWI97TWSC8BS8fm8M4Jv6MFx+q8vc6ILJsGX7vXw3d:uITflgiSNRJSQKPILJsGX7vXgd
MD5:	8AB32FB89B7F98E921F5C34E2619C25B
SHA1:	759DA4A133E32560168AD5B71B57E82649A0BE9E
SHA-256:	B3E728D937C7FB31FE21BD337B07E0DB1880075618DAB584ECC3CD84CDD3DBCA
SHA-512:	BDA5D9F30B1ED21085ED93D89D9FF8BCF3BA9CC1FC858F43BB05CD8C5459A1623E2C1FDCE076F0AAA3904BDC8BD119FE2C546F479AB40F60CCF0B05A9984D086
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="816314" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF661.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 14 12:04:23 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	89920
Entropy (8bit):	1.9805037912276446
Encrypted:	false
SSDEEP:	384:ovZ6vbhAPkBGylxzXx3rrqw5ym1rPgY62EcOoEj0Gd2ol:P1APMGyXXNrYm1roYMoEIAl
MD5:	90409243EFAE234551EA1C01248C41D0
SHA1:	1AB4AC8A436E2CCE4D708C306504252552CB8092
SHA-256:	83AF683C5FD7E02271F18EF1280ECA5DDB688C5ACCB30AED591A17DE101B7550
SHA-512:	5B9C743BCBBD8742AAE5FC755475E03579AB649FCC37B47AFAA22A1A6F2E0999747518516ACCAE48B69343345AF089BB1F9D404503864AC989C11A92B445D701
Malicious:	false
Preview:	MDMP....... .......G3.`...................U...........B..............GenuineIntelW...........T.......4....2.`:............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.548995136814184
TrID:	Win32 Executable (generic) a (10002005/4) 98.68% Windows ActiveX control (116523/4) 1.15% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	sample4.exe
File size:	2136576
MD5:	5009b8bcf024704c8b23e42c492f118c
SHA1:	df607367a88b5610a224909efb8debeb0d90f487
SHA256:	30f099660904079afcd445409cfd2eca735fab49dda522f03ed60d47f9f21bdc
SHA512:	70c4d7c6b9124246def27e28b69f2eb30bac85a5c0e8b38cf593222bec02c561143ebf0995946d1c30ef5441a6152cf587ef2d70651482374017a321df1c8e3b
SSDEEP:	49152:o8X7Gl0vopNbyrbGhp475YHHmfjlzukdQ+ILi2k4TmRB:Z4Gopkrbk4UHmfhzukfILi2k4Tm
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....,0Y..................................... ................................"......v!...@................................

File Icon


Icon Hash:	71c4b2f0e8d4c4c6

Static PE Info

General
Entrypoint:	0x11796e8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x1000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x59302CB5 [Thu Jun 1 15:03:17 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	7da84c744589b5da0e6e3eb22df0b736

Entrypoint Preview

Instruction
call 00007FDD8C93D2C9h
jmp 00007FDD8C93C753h
jmp dword ptr [011D49B8h]
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007FDD8C93C08Ah
jmp 00007FDD8C93C8A0h
mov ecx, dword ptr [ebp-14h]
xor ecx, ebp
call 00007FDD8C93C079h
jmp 00007FDD8C93C88Fh
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [011B2F64h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [011B2F64h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d49bc	0x168	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1f4000	0x17c2c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x20c000	0x1d2c0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x38f60	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x38fb4	0x18	.text
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2b670	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1d4000	0x9b8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1b02f4	0x1b0400	False	0.510258707165	data	6.51268656796	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x1b2000	0x21d98	0x5c00	False	0.319166100543	data	5.12748414797	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x1d4000	0x3f8e	0x4000	False	0.398986816406	data	5.55581211033	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gfids	0x1d8000	0x19e58	0x1a000	False	0.296001727764	data	4.22633465795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.giats	0x1f2000	0x10	0x200	False	0.05078125	data	0.155177575305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x1f3000	0x9	0x200	False	0.033203125	data	0.0203931352361	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1f4000	0x17c2c	0x17e00	False	0.248680873691	data	4.95227644363	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x20c000	0x1d2c0	0x1d400	False	0.432366786859	data	6.49808502841	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1f4370	0x94a8	data	English	United States
RT_ICON	0x1fd818	0x5488	data	English	United States
RT_ICON	0x202ca0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 15794175, next used block 4294905600	English	United States
RT_ICON	0x206ec8	0x25a8	data	English	United States
RT_ICON	0x209470	0x10a8	data	English	United States
RT_ICON	0x20a518	0x988	data	English	United States
RT_ICON	0x20aea0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x20b308	0xb0	data	English	United States
RT_DIALOG	0x20b3b8	0xb8	data	English	United States
RT_STRING	0x20b470	0x82	data	English	United States
RT_STRING	0x20b4f4	0x1ba	data	English	United States
RT_STRING	0x20b6b0	0x54	data	English	United States
RT_GROUP_ICON	0x20b704	0x68	data	English	United States
RT_VERSION	0x20b76c	0x364	data	English	United States
RT_MANIFEST	0x20bad0	0x15a	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
GDI32.dll	GetViewportOrgEx, GetWindowOrgEx, SetPixelV, SetPaletteEntries, ExtFloodFill, PtInRegion, GetBoundsRect, FrameRgn, FillRgn, GetTextFaceW, ScaleWindowExtEx, CreateCompatibleDC, CreateFontW, GetPixel, CreateRectRgn, SelectClipRgn, RoundRect, OffsetRgn, GetRgnBox, Rectangle, LPtoDP, CreateRoundRectRgn, Polyline, Polygon, CreatePolygonRgn, GetTextColor, Ellipse, CreateEllipticRgn, SetDIBColorTable, CreateDIBSection, StretchBlt, SetPixel, GetTextCharsetInfo, EnumFontFamiliesW, CreateDIBitmap, CreateCompatibleBitmap, GetBkColor, RealizePalette, GetSystemPaletteEntries, GetPaletteEntries, GetNearestPaletteIndex, CreatePalette, EnumFontFamiliesExW, GetTextMetricsW, DPtoLP, SetRectRgn, PatBlt, CreateRectRgnIndirect, CombineRgn, GetTextExtentPoint32W, ScaleViewportExtEx, OffsetWindowOrgEx, OffsetViewportOrgEx, SetWindowOrgEx, SetWindowExtEx, SetViewportOrgEx, SetViewportExtEx, CopyMetaFileW, CreateDCW, GetDeviceCaps, CreateBitmap, SetBkColor, SetTextColor, GetObjectW, DeleteObject, BitBlt, CreateHatchBrush, CreatePen, CreatePatternBrush, CreateSolidBrush, DeleteDC, Escape, ExcludeClipRect, GetClipBox, GetObjectType, GetStockObject, GetViewportExtEx, GetWindowExtEx, IntersectClipRect, LineTo, PtVisible, RectVisible, RestoreDC, SaveDC, ExtSelectClipRgn, SelectObject, SelectPalette, SetBkMode, SetMapMode, SetLayout, GetLayout, SetPolyFillMode, SetROP2, SetTextAlign, MoveToEx, TextOutW, ExtTextOutW, CreateFontIndirectW
KERNEL32.dll	FreeEnvironmentStringsW, GetConsoleMode, GetConsoleCP, HeapCreate, LCMapStringW, GetTimeZoneInformation, VirtualProtect, HeapFree, GetDiskFreeSpaceW, GetModuleFileNameW, InitializeCriticalSectionAndSpinCount, GetEnvironmentVariableW, CreateFileW, GetCurrentThreadId, HeapValidate, FindFirstChangeNotificationW, HeapSize, Sleep, GetLastError, HeapReAlloc, GetStdHandle, ExitProcess, GetFileType, SetStdHandle, QueryPerformanceFrequency, WriteConsoleW, GetStringTypeW, VirtualAlloc, GetCommandLineW, GetCommandLineA, HeapQueryInformation, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, CreateThread, SetEnvironmentVariableW, RaiseException, GetEnvironmentStringsW, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, GetFileTime, FreeLibrary, GetProcessHeap, GetCurrentProcessId, DeleteCriticalSection, GetTimeFormatW, DecodePointer, HeapCompact, GetLocalTime, HeapAlloc, LoadLibraryW, GetSystemInfo, VirtualQuery, GetModuleHandleW, GetProcAddress, LoadLibraryExA, OutputDebugStringA, SetLastError, GetModuleHandleA, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GlobalAlloc, GlobalReAlloc, GlobalLock, GlobalHandle, GlobalUnlock, GlobalFree, LocalAlloc, LocalReAlloc, LocalFree, LoadResource, LockResource, SizeofResource, FindResourceW, WideCharToMultiByte, GlobalSize, MulDiv, FormatMessageW, CopyFileW, MultiByteToWideChar, CloseHandle, SetEvent, WaitForSingleObject, CreateEventW, SetThreadPriority, ResumeThread, lstrcmpA, GlobalGetAtomNameW, FileTimeToSystemTime, EncodePointer, GetSystemDirectoryW, FreeResource, LoadLibraryExW, GlobalDeleteAtom, lstrcmpW, LoadLibraryA, GlobalAddAtomW, GlobalFindAtomW, FindClose, FindFirstFileW, FlushFileBuffers, GetFileSize, GetFullPathNameW, GetVolumeInformationW, LockFile, ReadFile, SetEndOfFile, SetFilePointer, UnlockFile, WriteFile, DuplicateHandle, GetCurrentProcess, lstrcmpiW, CompareStringW, GetUserDefaultUILanguage, GlobalFlags, GetVersionExW, FileTimeToLocalFileTime, GetFileAttributesW, GetFileAttributesExW, GetFileSizeEx, SystemTimeToTzSpecificLocalTime, lstrcpyW, GetCurrentDirectoryW, FindResourceExW, GetWindowsDirectoryW, VerSetConditionMask, VerifyVersionInfoW, GetTempFileNameW, GetTempPathW, GetTickCount, GetProfileIntW, SearchPathW, ResetEvent, WaitForSingleObjectEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, OutputDebugStringW, RtlUnwind, SetFilePointerEx
USER32.dll	UnhookWindowsHookEx, SendMessageW, EnableWindow, IsWindowEnabled, MessageBoxW, GetWindowLongW, GetParent, GetLastActivePopup, GetMenuStringW, GetSubMenu, GetMenuItemID, GetMenuItemCount, InsertMenuW, AppendMenuW, RemoveMenu, GetMessageW, TranslateMessage, DispatchMessageW, PeekMessageW, IsWindowVisible, GetActiveWindow, GetKeyState, ValidateRect, GetCursorPos, SetWindowsHookExW, CallNextHookEx, GetSystemMetrics, GetDC, ReleaseDC, GetSysColor, LoadCursorW, GetWindowTextW, GetWindowTextLengthW, GetFocus, CheckMenuItem, EnableMenuItem, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, SetMenuItemInfoW, LoadBitmapW, RegisterWindowMessageW, GetMessagePos, GetMessageTime, PostMessageW, DefWindowProcW, CallWindowProcW, RegisterClassW, GetClassInfoW, GetClassInfoExW, CreateWindowExW, IsWindow, IsMenu, IsChild, DestroyWindow, SetWindowPos, GetWindowPlacement, SetWindowPlacement, BeginDeferWindowPos, DeferWindowPos, EndDeferWindowPos, IsIconic, GetDlgItem, GetDlgCtrlID, SetFocus, GetCapture, GetMenu, SetMenu, TrackPopupMenu, UpdateWindow, SetActiveWindow, SetForegroundWindow, BeginPaint, EndPaint, RedrawWindow, ScrollWindow, SetScrollPos, GetScrollPos, SetScrollRange, GetScrollRange, ShowScrollBar, SetPropW, GetPropW, RemovePropW, AdjustWindowRectEx, ScreenToClient, MapWindowPoints, CopyRect, EqualRect, PtInRect, SetWindowLongW, GetClassLongW, GetClassNameW, GetTopWindow, GetWindow, LoadIconW, SetScrollInfo, GetScrollInfo, WinHelpW, MonitorFromWindow, GetMonitorInfoW, ShowWindow, MoveWindow, CheckDlgButton, GetWindowThreadProcessId, SetWindowTextW, IsDialogMessageW, DestroyIcon, CharUpperW, ClientToScreen, GetDesktopWindow, RealChildWindowFromPoint, DrawTextW, DrawTextExW, GrayStringW, TabbedTextOutW, GetWindowDC, FillRect, DestroyMenu, GetMenuItemInfoW, InflateRect, SystemParametersInfoW, CopyImage, SendDlgItemMessageA, SetRectEmpty, OffsetRect, PostQuitMessage, EndDialog, GetNextDlgTabItem, GetAsyncKeyState, MapDialogRect, IntersectRect, TrackMouseEvent, InvalidateRect, LoadImageW, ShowOwnedPopups, SetCursor, DeleteMenu, SetTimer, KillTimer, GetNextDlgGroupItem, SetCapture, ReleaseCapture, WindowFromPoint, DrawFocusRect, IsRectEmpty, DrawIconEx, GetIconInfo, MessageBeep, EnableScrollBar, HideCaret, InvertRect, NotifyWinEvent, GetMenuDefaultItem, MapVirtualKeyW, GetKeyNameTextW, LoadMenuW, SetLayeredWindowAttributes, EnumDisplayMonitors, SetClassLongW, SetWindowRgn, SetParent, OpenClipboard, CloseClipboard, SetClipboardData, EmptyClipboard, DrawStateW, DrawEdge, DrawFrameControl, IsZoomed, GetSystemMenu, BringWindowToTop, SetCursorPos, CopyIcon, FrameRect, DrawIcon, UnionRect, UpdateLayeredWindow, MonitorFromPoint, LoadAcceleratorsW, TranslateAcceleratorW, InsertMenuItemW, UnpackDDElParam, ReuseDDElParam, GetComboBoxInfo, PostThreadMessageW, WaitMessage, GetKeyboardLayout, IsCharLowerW, MapVirtualKeyExW, ToUnicodeEx, GetKeyboardState, CreateAcceleratorTableW, DestroyAcceleratorTable, CopyAcceleratorTableW, SetRect, LockWindowUpdate, SetMenuDefaultItem, GetDoubleClickTime, ModifyMenuW, RegisterClipboardFormatW, CharUpperBuffW, IsClipboardFormatAvailable, GetUpdateRect, DrawMenuBar, DefFrameProcW, DefMDIChildProcW, TranslateMDISysAccel, SubtractRect, CreateMenu, GetWindowRgn, DestroyCursor, GetWindowRect, CreatePopupMenu, GetForegroundWindow, DialogBoxIndirectParamW, GetClientRect, GetSysColorBrush, CreateDialogIndirectParamW, GetMenuState
COMCTL32.dll	ImageList_SetOverlayImage, CreateStatusWindowW, CreateToolbarEx, DestroyPropertySheetPage, ImageList_LoadImageW
COMDLG32.dll	GetFileTitleW, GetSaveFileNameW, FindTextW, GetOpenFileNameW
ole32.dll	CoInitializeEx, IsAccelerator, OleTranslateAccelerator, OleDestroyMenuDescriptor, OleCreateMenuDescriptor, OleLockRunning, RevokeDragDrop, RegisterDragDrop, CoLockObjectExternal, OleGetClipboard, DoDragDrop, CreateStreamOnHGlobal, CoCreateInstance, CoDisconnectObject, ReleaseStgMedium, OleDuplicateData, CoTaskMemFree, CoTaskMemAlloc, CoRevokeClassObject, OleInitialize, CoUninitialize, OleSetContainedObject, CoInitialize, OleUninitialize
WS2_32.dll	setsockopt, WSACleanup, WSACloseEvent, WSACreateEvent, getprotobynumber, WSAStartup, WSAConnect, socket, WSAAddressToStringW, getservbyname
WININET.dll	InternetCanonicalizeUrlW, InternetOpenUrlW, InternetWriteFile, InternetOpenW, InternetReadFile, InternetCloseHandle, InternetQueryDataAvailable, InternetCrackUrlW, InternetSetFilePointer, HttpQueryInfoW
SHLWAPI.dll	PathCanonicalizeW, PathIsRootW, StrCmpW, StrFormatKBSizeW, PathRemoveFileSpecW, PathFindExtensionW, PathStripToRootW, SHCreateStreamOnFileW, PathIsUNCW, PathFindFileNameW
UxTheme.dll	GetThemeTextExtent, DrawThemeText, DrawThemeParentBackground, OpenThemeData, GetThemeBackgroundRegion, CloseThemeData, DrawThemeBackground, GetThemePartSize, GetThemeSysColor, IsThemeBackgroundPartiallyTransparent, IsAppThemed, GetWindowTheme, GetCurrentThemeName, GetThemeColor
IMM32.dll	ImmGetContext, ImmReleaseContext, ImmSetCompositionFontW, ImmSetCompositionWindow, ImmGetCompositionStringW, ImmNotifyIME, ImmGetOpenStatus
WINSPOOL.DRV	ClosePrinter, DocumentPropertiesW, OpenPrinterW
OLEACC.dll	AccessibleObjectFromWindow, LresultFromObject, CreateStdAccessibleObject
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteW, SHGetFileInfoW, SHAppBarMessage, SHBrowseForFolderW, DragFinish, DragQueryFileW, SHGetPathFromIDListW, SHGetDesktopFolder
gdiplus.dll	GdipDrawImageRectI, GdipSetInterpolationMode, GdipCreateFromHDC, GdipCreateBitmapFromHBITMAP, GdipDrawImageI, GdipDeleteGraphics, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipCreateBitmapFromStream, GdipGetImagePaletteSize, GdipGetImagePalette, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipGetImageGraphicsContext, GdipCloneImage, GdiplusStartup, GdipFree, GdipAlloc, GdiplusShutdown, GdipDisposeImage
ADVAPI32.dll	RegDeleteValueW, RegCreateKeyExW, RegDeleteKeyW, RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, RegEnumKeyExW, RegCloseKey
MSIMG32.dll	TransparentBlt, AlphaBlend

Version Infos

Description	Data
LegalCopyright	Column tell Corporation. All rights reserved.
InternalName	arra.exe
FileVersion	10.7.14.75 built by: 39959
CompanyName	Column tell Corporation
ProductName	Column tell Column tell 2014
ProductVersion	10.7.14.75
FileDescription	Column tell Nine in
OriginalFilename	arra.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2021 04:05:17.927963018 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:17.968168020 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:17.968981028 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:17.971504927 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.011701107 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.012576103 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.012602091 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.012618065 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.012722015 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.022810936 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.062938929 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.063695908 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.069999933 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.110133886 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.223429918 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.226116896 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.266465902 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.385466099 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.385489941 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.385500908 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.385516882 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.385529995 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.385548115 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.385560989 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.385569096 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.385586023 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.385592937 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.385724068 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.425858021 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.425884962 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.425900936 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.425925016 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.425942898 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.425960064 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.425976992 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.425988913 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.425993919 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426012993 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426023006 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.426028967 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426043987 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426050901 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.426063061 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426080942 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426083088 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.426096916 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426112890 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426115990 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.426127911 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426145077 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426147938 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.426160097 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426176071 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426178932 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.426197052 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.426203966 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.426253080 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466248035 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466281891 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466303110 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466329098 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466351986 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466372967 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466384888 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466394901 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466417074 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466428041 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466438055 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466454983 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466459990 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466480970 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466507912 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466509104 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466531038 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466551065 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466573000 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466593981 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466614008 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466640949 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466643095 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466662884 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466682911 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466687918 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466710091 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466730118 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466734886 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466751099 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466772079 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466778994 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466790915 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466815948 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466835022 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466839075 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466861010 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466885090 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466886044 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466905117 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466912985 CET	49761	443	192.168.2.3	104.244.42.131
Jan 14, 2021 04:05:18.466926098 CET	443	49761	104.244.42.131	192.168.2.3
Jan 14, 2021 04:05:18.466944933 CET	49761	443	192.168.2.3	104.244.42.131

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2021 04:02:42.073015928 CET	60100	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:42.132333994 CET	53	60100	8.8.8.8	192.168.2.3
Jan 14, 2021 04:02:43.212511063 CET	53195	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:43.268817902 CET	53	53195	8.8.8.8	192.168.2.3
Jan 14, 2021 04:02:44.586344004 CET	50141	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:44.637275934 CET	53	50141	8.8.8.8	192.168.2.3
Jan 14, 2021 04:02:45.816457987 CET	53023	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:45.874295950 CET	53	53023	8.8.8.8	192.168.2.3
Jan 14, 2021 04:02:46.975577116 CET	49563	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:47.034167051 CET	53	49563	8.8.8.8	192.168.2.3
Jan 14, 2021 04:02:48.168927908 CET	51352	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:48.216887951 CET	53	51352	8.8.8.8	192.168.2.3
Jan 14, 2021 04:02:49.390399933 CET	59349	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:49.438287020 CET	53	59349	8.8.8.8	192.168.2.3
Jan 14, 2021 04:02:50.543476105 CET	57084	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:50.591331959 CET	53	57084	8.8.8.8	192.168.2.3
Jan 14, 2021 04:02:51.763727903 CET	58823	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:51.811760902 CET	53	58823	8.8.8.8	192.168.2.3
Jan 14, 2021 04:02:53.013219118 CET	57568	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:53.061137915 CET	53	57568	8.8.8.8	192.168.2.3
Jan 14, 2021 04:02:55.540607929 CET	50540	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:55.599895954 CET	53	50540	8.8.8.8	192.168.2.3
Jan 14, 2021 04:02:56.658823967 CET	54366	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:56.715101957 CET	53	54366	8.8.8.8	192.168.2.3
Jan 14, 2021 04:02:57.587508917 CET	53034	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:02:57.635356903 CET	53	53034	8.8.8.8	192.168.2.3
Jan 14, 2021 04:03:13.865518093 CET	57762	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:03:14.008744955 CET	53	57762	8.8.8.8	192.168.2.3
Jan 14, 2021 04:03:28.355820894 CET	55435	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:03:28.413849115 CET	53	55435	8.8.8.8	192.168.2.3
Jan 14, 2021 04:03:28.958537102 CET	50713	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:03:29.009180069 CET	53	50713	8.8.8.8	192.168.2.3
Jan 14, 2021 04:03:30.788479090 CET	56132	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:03:30.849518061 CET	53	56132	8.8.8.8	192.168.2.3
Jan 14, 2021 04:03:40.658459902 CET	58987	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:03:40.716289997 CET	53	58987	8.8.8.8	192.168.2.3
Jan 14, 2021 04:03:50.941011906 CET	56579	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:03:51.012018919 CET	53	56579	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:06.841526031 CET	60633	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:06.899365902 CET	53	60633	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:07.443937063 CET	61292	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:07.492047071 CET	53	61292	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:07.621474028 CET	63619	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:07.670430899 CET	53	63619	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:11.022910118 CET	64938	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:11.087511063 CET	53	64938	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:15.723376989 CET	61946	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:15.792798996 CET	53	61946	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:17.913858891 CET	64910	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:17.962712049 CET	53	64910	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:28.063801050 CET	52123	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:28.114609957 CET	53	52123	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:39.059943914 CET	56130	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:39.119180918 CET	53	56130	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:39.410049915 CET	56338	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:39.468117952 CET	53	56338	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:44.425735950 CET	59420	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:44.473823071 CET	53	59420	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:49.251020908 CET	58784	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:49.298911095 CET	53	58784	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:52.946593046 CET	63978	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:53.006309986 CET	53	63978	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:58.881520987 CET	62938	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:58.943303108 CET	53	62938	8.8.8.8	192.168.2.3
Jan 14, 2021 04:04:59.224991083 CET	55708	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:04:59.645874023 CET	53	55708	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:00.050563097 CET	56803	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:00.277928114 CET	53	56803	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:05.585212946 CET	57145	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:05.944235086 CET	53	57145	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:11.815483093 CET	55359	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:11.878107071 CET	53	55359	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:17.850574970 CET	58306	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:17.915168047 CET	53	58306	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:20.444683075 CET	64124	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:20.492532015 CET	53	64124	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:20.922383070 CET	49361	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:20.990811110 CET	53	49361	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:24.093696117 CET	63150	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:24.167789936 CET	53	63150	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:31.951855898 CET	53279	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:32.100008011 CET	53	53279	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:32.717174053 CET	56881	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:32.827061892 CET	53	56881	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:34.039890051 CET	53642	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:34.096226931 CET	53	53642	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:34.543354034 CET	55667	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:34.602196932 CET	53	55667	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:35.091520071 CET	54833	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:35.147965908 CET	53	54833	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:35.698450089 CET	62476	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:35.754991055 CET	53	62476	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:36.282718897 CET	49705	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:36.339052916 CET	53	49705	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:36.981055975 CET	61477	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:37.040271997 CET	53	61477	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:37.704214096 CET	61633	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:37.760768890 CET	53	61633	8.8.8.8	192.168.2.3
Jan 14, 2021 04:05:38.128257990 CET	55949	53	192.168.2.3	8.8.8.8
Jan 14, 2021 04:05:38.188183069 CET	53	55949	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 14, 2021 04:04:11.022910118 CET	192.168.2.3	8.8.8.8	0x3dd2	Standard query (0)	g.msn.com	A (IP address)	IN (0x0001)
Jan 14, 2021 04:04:39.410049915 CET	192.168.2.3	8.8.8.8	0xc9d	Standard query (0)	support.oracle.com	A (IP address)	IN (0x0001)
Jan 14, 2021 04:04:52.946593046 CET	192.168.2.3	8.8.8.8	0xb677	Standard query (0)	www.oracle.com	A (IP address)	IN (0x0001)
Jan 14, 2021 04:04:58.881520987 CET	192.168.2.3	8.8.8.8	0x617f	Standard query (0)	www.intel.com	A (IP address)	IN (0x0001)
Jan 14, 2021 04:04:59.224991083 CET	192.168.2.3	8.8.8.8	0xa65d	Standard query (0)	www.intel.ch	A (IP address)	IN (0x0001)
Jan 14, 2021 04:05:00.050563097 CET	192.168.2.3	8.8.8.8	0x23d9	Standard query (0)	corpredirect.intel.com	A (IP address)	IN (0x0001)
Jan 14, 2021 04:05:05.585212946 CET	192.168.2.3	8.8.8.8	0x264b	Standard query (0)	gegemony4you.top	A (IP address)	IN (0x0001)
Jan 14, 2021 04:05:17.850574970 CET	192.168.2.3	8.8.8.8	0x9598	Standard query (0)	help.twitter.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 14, 2021 04:03:28.413849115 CET	8.8.8.8	192.168.2.3	0x99f8	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jan 14, 2021 04:04:06.899365902 CET	8.8.8.8	192.168.2.3	0x4b41	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jan 14, 2021 04:04:11.087511063 CET	8.8.8.8	192.168.2.3	0x3dd2	No error (0)	g.msn.com	g-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Jan 14, 2021 04:04:39.468117952 CET	8.8.8.8	192.168.2.3	0xc9d	No error (0)	support.oracle.com	support.oracle.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Jan 14, 2021 04:04:53.006309986 CET	8.8.8.8	192.168.2.3	0xb677	No error (0)	www.oracle.com	ds-www.oracle.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Jan 14, 2021 04:04:58.943303108 CET	8.8.8.8	192.168.2.3	0x617f	No error (0)	www.intel.com	intel11.cn.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Jan 14, 2021 04:04:59.645874023 CET	8.8.8.8	192.168.2.3	0xa65d	No error (0)	www.intel.ch	intel19233.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Jan 14, 2021 04:05:00.277928114 CET	8.8.8.8	192.168.2.3	0x23d9	No error (0)	corpredirect.intel.com	intel11.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Jan 14, 2021 04:05:05.944235086 CET	8.8.8.8	192.168.2.3	0x264b	Name error (3)	gegemony4you.top	none	none	A (IP address)	IN (0x0001)
Jan 14, 2021 04:05:17.915168047 CET	8.8.8.8	192.168.2.3	0x9598	No error (0)	help.twitter.com	s.twitter.com		CNAME (Canonical name)	IN (0x0001)
Jan 14, 2021 04:05:17.915168047 CET	8.8.8.8	192.168.2.3	0x9598	No error (0)	s.twitter.com		104.244.42.131	A (IP address)	IN (0x0001)
Jan 14, 2021 04:05:17.915168047 CET	8.8.8.8	192.168.2.3	0x9598	No error (0)	s.twitter.com		104.244.42.3	A (IP address)	IN (0x0001)
Jan 14, 2021 04:05:17.915168047 CET	8.8.8.8	192.168.2.3	0x9598	No error (0)	s.twitter.com		104.244.42.195	A (IP address)	IN (0x0001)
Jan 14, 2021 04:05:17.915168047 CET	8.8.8.8	192.168.2.3	0x9598	No error (0)	s.twitter.com		104.244.42.67	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 14, 2021 04:05:18.012618065 CET	104.244.42.131	443	192.168.2.3	49761	CN=*.twitter.com, OU=fra2, O="Twitter, Inc.", L=San Francisco, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Mar 05 01:00:00 CET 2020 Tue Oct 22 14:00:00 CEST 2013	Tue Mar 02 13:00:00 CET 2021 Sun Oct 22 14:00:00 CEST 2028	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0	ce5f3254611a8c095a3d821d44539877
Jan 14, 2021 04:05:18.012618065 CET	104.244.42.131	443	192.168.2.3	49761	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028		ce5f3254611a8c095a3d821d44539877

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: sample4.exe PID: 2100 Parent PID: 5880

General

Start time:	04:02:46
Start date:	14/01/2021
Path:	C:\Users\user\Desktop\sample4.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\sample4.exe'
Imagebase:	0xd0000
File size:	2136576 bytes
MD5 hash:	5009B8BCF024704C8B23E42C492F118C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000000.00000003.362692606.0000000001320000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_IcedID_3, Description: Yara detected IcedID, Source: 00000000.00000002.551228989.00000000000D1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: WerFault.exe PID: 1488 Parent PID: 2100

General

Start time:	04:04:00
Start date:	14/01/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 768
Imagebase:	0x9e0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exe PID: 5920 Parent PID: 2100

General

Start time:	04:04:08
Start date:	14/01/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 804
Imagebase:	0x9e0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exe PID: 620 Parent PID: 2100

General

Start time:	04:04:19
Start date:	14/01/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 896
Imagebase:	0x9e0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exe PID: 5008 Parent PID: 2100

General

Start time:	04:04:29
Start date:	14/01/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 924
Imagebase:	0x9e0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exe PID: 5764 Parent PID: 2100

General

Start time:	04:04:40
Start date:	14/01/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1224
Imagebase:	0x9e0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report sample4.bin

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets