Play interactive tour

Edit tour

Analysis Report PO.exe

Overview

General Information

Sample Name:	PO.exe
Analysis ID:	328082
MD5:	550715ca9f26b33f444f1f24e98da7f1
SHA1:	c93ba40fb1b7465dcb6c238ce40374f7cf860a41
SHA256:	dd4d08f75e51e47cc3a43c3ca2d9f754602adf020083fc7671b762a1b285f5c1
Tags:	exe
Most interesting Screenshot:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

.NET source code contains very large strings

Machine Learning detection for sample

Checks if the current process is being debugged

Detected potential crypto function

Enables debug privileges

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains strange resources

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores large binary data to the registry

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

PO.exe (PID: 6076 cmdline: 'C:\Users\user\Desktop\PO.exe' MD5: 550715CA9F26B33F444F1F24E98DA7F1)

WerFault.exe (PID: 3124 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 1248 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: PO.exe

ReversingLabs: Detection: 12%

Machine Learning detection for sample

Show sources

Source: PO.exe

Joe Sandbox ML: detected

Source: WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: PO.exe, 00000000.00000002.687593512.0000000002D51000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o

System Summary:

.NET source code contains very large strings

Show sources

Source: PO.exe, LSATRANSLATEDSID2/ExtensibleClassFactory.cs	Long String: Length: 81136
Source: 0.2.PO.exe.9f0000.0.unpack, LSATRANSLATEDSID2/ExtensibleClassFactory.cs	Long String: Length: 81136
Source: 0.0.PO.exe.9f0000.0.unpack, LSATRANSLATEDSID2/ExtensibleClassFactory.cs	Long String: Length: 81136

Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_00A8D80B	0_2_00A8D80B
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_0146C2B0	0_2_0146C2B0
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_01469970	0_2_01469970
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_009F2672	0_2_009F2672

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 1248

Source: PO.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PO.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: PO.exe, 00000000.00000002.683966050.0000000000AC2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIIterator.exe< vs PO.exe
Source: PO.exe, 00000000.00000002.689113119.0000000005DF1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNT1.dll, vs PO.exe
Source: PO.exe	Binary or memory string: OriginalFilenameIIterator.exe< vs PO.exe

Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: phoneinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: ext-ms-win-xblauth-console-l1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: ext-ms-win-xblauth-console-l1.dll	Jump to behavior

Source: PO.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: PO.exe, 00000000.00000002.684154270.0000000000EF8000.00000004.00000010.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdb
Source: PO.exe, 00000000.00000002.684154270.0000000000EF8000.00000004.00000010.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: classification engine

Classification label: mal56.winEXE@2/4@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6076

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA80.tmp

Jump to behavior

Source: PO.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PO.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: PO.exe

ReversingLabs: Detection: 12%

Source: C:\Users\user\Desktop\PO.exe

File read: C:\Users\user\Desktop\PO.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 1248

Source: C:\Users\user\Desktop\PO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PO.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdbX source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000003.00000002.682669834.0000000005490000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb" source: WerFault.exe, 00000003.00000003.669269851.0000000002C94000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000003.00000003.662696714.00000000049D8000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000003.00000003.669427917.0000000002C80000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000003.00000003.669355952.0000000004E51000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbp source: WERBA80.tmp.dmp.3.dr
Source:	Binary string: System.pdb* source: WerFault.exe, 00000003.00000003.669269851.0000000002C94000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000003.00000003.669355952.0000000004E51000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000003.00000003.669355952.0000000004E51000.00000004.00000001.sdmp
Source:	Binary string: ml.pdb source: WerFault.exe, 00000003.00000003.669269851.0000000002C94000.00000004.00000001.sdmp
Source:	Binary string: System.Drawing.pdb'i source: WERBA80.tmp.dmp.3.dr
Source:	Binary string: .ni.pdb source: WerFault.exe, 00000003.00000003.669269851.0000000002C94000.00000004.00000001.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 00000003.00000003.669427917.0000000002C80000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb& source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 00000003.00000003.669269851.0000000002C94000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000003.00000003.669355952.0000000004E51000.00000004.00000001.sdmp
Source:	Binary string: ility.pdb source: WerFault.exe, 00000003.00000003.669269851.0000000002C94000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000003.00000003.669355952.0000000004E51000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000003.00000002.682669834.0000000005490000.00000004.00000001.sdmp, WERBA80.tmp.dmp.3.dr
Source:	Binary string: System.Core.pdb1 source: WERBA80.tmp.dmp.3.dr
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 00000003.00000002.682669834.0000000005490000.00000004.00000001.sdmp
Source:	Binary string: untime.Remoting.pdbn source: WerFault.exe, 00000003.00000003.669269851.0000000002C94000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000003.00000003.663297436.0000000002B35000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000003.00000003.669282501.0000000002C81000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbZ source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp, WERBA80.tmp.dmp.3.dr
Source:	Binary string: System.Runtime.Remoting.pdb%q source: WERBA80.tmp.dmp.3.dr
Source:	Binary string: shell32.pdbx source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdbB source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 00000003.00000002.682669834.0000000005490000.00000004.00000001.sdmp
Source:	Binary string: wintrust.pdbt source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb: source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 00000003.00000003.669355952.0000000004E51000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdbP source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000003.00000002.682669834.0000000005490000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdbd source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbk source: WerFault.exe, 00000003.00000003.669282501.0000000002C81000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb< source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERBA80.tmp.dmp.3.dr
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 00000003.00000002.682669834.0000000005490000.00000004.00000001.sdmp, WERBA80.tmp.dmp.3.dr
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000003.00000002.682669834.0000000005490000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 00000003.00000002.682669834.0000000005490000.00000004.00000001.sdmp, WERBA80.tmp.dmp.3.dr
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000003.00000003.669433151.0000000002C84000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 00000003.00000002.682669834.0000000005490000.00000004.00000001.sdmp, WERBA80.tmp.dmp.3.dr
Source:	Binary string: oleaut32.pdb{+0r source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000003.00000003.663101182.0000000002B2F000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WERBA80.tmp.dmp.3.dr
Source:	Binary string: Accessibility.pdbx source: WerFault.exe, 00000003.00000002.682669834.0000000005490000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000003.00000003.669355952.0000000004E51000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS source: WERBA80.tmp.dmp.3.dr
Source:	Binary string: ml.ni.pdb source: WerFault.exe, 00000003.00000003.669269851.0000000002C94000.00000004.00000001.sdmp
Source:	Binary string: comctl32v582.pdbS*9R source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: version.pdb( source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdbRSDSD source: WERBA80.tmp.dmp.3.dr
Source:	Binary string: Accessibility.pdb source: WerFault.exe, 00000003.00000002.682669834.0000000005490000.00000004.00000001.sdmp, WERBA80.tmp.dmp.3.dr
Source:	Binary string: rawing.pdb source: WerFault.exe, 00000003.00000003.669269851.0000000002C94000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdbk source: WerFault.exe, 00000003.00000003.669282501.0000000002C81000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 00000003.00000002.682669834.0000000005490000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000003.00000003.669427917.0000000002C80000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdbn source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp, WERBA80.tmp.dmp.3.dr
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: jLC:\Windows\Microsoft.VisualBasic.pdb source: PO.exe, 00000000.00000002.684154270.0000000000EF8000.00000004.00000010.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdbS#9[ source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: clrjit.pdbb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: rawing.pdb{{ source: WerFault.exe, 00000003.00000003.669269851.0000000002C94000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000003.00000002.682669834.0000000005490000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbv source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb% source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3 source: WerFault.exe, 00000003.00000002.682669834.0000000005490000.00000004.00000001.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 00000003.00000002.682669834.0000000005490000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000003.00000003.663597221.0000000002B23000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp, WERBA80.tmp.dmp.3.dr
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000003.00000003.669427917.0000000002C80000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000003.00000003.669355952.0000000004E51000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERBA80.tmp.dmp.3.dr
Source:	Binary string: clrjit.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb0 source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp, WERBA80.tmp.dmp.3.dr
Source:	Binary string: symbols\dll\Microsoft.VisualBasic.pdb source: PO.exe, 00000000.00000002.684154270.0000000000EF8000.00000004.00000010.sdmp
Source:	Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000003.00000002.682669834.0000000005490000.00000004.00000001.sdmp, WERBA80.tmp.dmp.3.dr
Source:	Binary string: version.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: onfiguration.pdb source: WerFault.exe, 00000003.00000003.669269851.0000000002C94000.00000004.00000001.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 00000003.00000002.682669834.0000000005490000.00000004.00000001.sdmp, WERBA80.tmp.dmp.3.dr
Source:	Binary string: System.pdb source: WerFault.exe, 00000003.00000002.682669834.0000000005490000.00000004.00000001.sdmp, WERBA80.tmp.dmp.3.dr
Source:	Binary string: ore.ni.pdb source: WerFault.exe, 00000003.00000003.669269851.0000000002C94000.00000004.00000001.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: PO.exe, 00000000.00000002.684154270.0000000000EF8000.00000004.00000010.sdmp
Source:	Binary string: ore.pdb source: WerFault.exe, 00000003.00000003.669269851.0000000002C94000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000003.00000002.682669834.0000000005490000.00000004.00000001.sdmp, WERBA80.tmp.dmp.3.dr
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000003.00000003.669427917.0000000002C80000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000003.00000003.669355952.0000000004E51000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 00000003.00000002.682669834.0000000005490000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000003.00000003.663297436.0000000002B35000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000003.00000003.669282501.0000000002C81000.00000004.00000040.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 00000003.00000003.669282501.0000000002C81000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 00000003.00000002.682669834.0000000005490000.00000004.00000001.sdmp
Source:	Binary string: combase.pdbk source: WerFault.exe, 00000003.00000003.669433151.0000000002C84000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 00000003.00000002.682669834.0000000005490000.00000004.00000001.sdmp, WERBA80.tmp.dmp.3.dr
Source:	Binary string: System.pdb`f"l0 source: WERBA80.tmp.dmp.3.dr
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: PO.PDBOT source: PO.exe, 00000000.00000002.684154270.0000000000EF8000.00000004.00000010.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdb source: PO.exe, 00000000.00000002.684154270.0000000000EF8000.00000004.00000010.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000003.00000002.682669834.0000000005490000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000003.00000003.669282501.0000000002C81000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 00000003.00000003.669269851.0000000002C94000.00000004.00000001.sdmp
Source:	Binary string: .pdb source: PO.exe, 00000000.00000002.684154270.0000000000EF8000.00000004.00000010.sdmp
Source:	Binary string: untime.Remoting.pdb source: WerFault.exe, 00000003.00000003.669269851.0000000002C94000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdbS#9[_ source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdbF source: WERBA80.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp, WERBA80.tmp.dmp.3.dr
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000003.00000003.669301875.0000000002C87000.00000004.00000040.sdmp

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_0146FD22 push eax; retf

0_2_0146FD51

Source: initial sample

Static PE information: section name: .text entropy: 7.43288688489

Source: C:\Windows\SysWOW64\WerFault.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\PO.exe TID: 6128

Thread sleep time: -53472s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File opened: PhysicalDrive0

Jump to behavior

Source: WerFault.exe, 00000003.00000002.681774724.0000000004BC0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000003.00000002.681690846.00000000048E0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000003.00000002.681690846.00000000048E0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW(*?
Source: WerFault.exe, 00000003.00000002.681774724.0000000004BC0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000003.00000002.681774724.0000000004BC0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000003.00000002.680581198.0000000002B5A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW(-
Source: WerFault.exe, 00000003.00000002.681774724.0000000004BC0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\WerFault.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Users\user\Desktop\PO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	DLL Side-Loading1	Process Injection1	Modify Registry1	OS Credential Dumping	Security Software Discovery21	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Virtualization/Sandbox Evasion3	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	System Information Discovery22	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing2	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO.exe	12%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
PO.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs Download Network PCAP: filtered – full

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005	WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier	WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o	WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200	WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o	WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone	WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone	WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince	WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO.exe, 00000000.00000002.687593512.0000000002D51000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20	WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication	WerFault.exe, 00000003.00000003.667684871.00000000051A0000.00000004.00000001.sdmp	false	high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	328082
Start date:	08.12.2020
Start time:	15:22:25
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PO.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal56.winEXE@2/4@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 13 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.255.188.83, 40.88.32.150, 104.43.193.48, 51.11.168.160, 52.155.217.156, 20.54.26.129, 2.20.142.210, 2.20.142.209, 51.104.139.180, 92.122.213.247, 92.122.213.194 Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, skypedataprdcoleus15.cloudapp.net, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:23:18	API Interceptor	1x Sleep call for process: PO.exe modified
15:23:29	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_PO.exe_b61b5925d12bea831d1ed9e9abf34d8dc4a01a42_d06dbf7b_0c45d701\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	14162
Entropy (8bit):	3.771449640123083
Encrypted:	false
SSDEEP:	192:nkoBVokHBUZMXyaKeCiyq/u7s5S274ItZ5:koB+sBUZMXyaF/u7s5X4ItZ5
MD5:	828F1AA8F65AAB73F62747645366C906
SHA1:	206D96EFF30DA49D1D0F5ADAD18031E9B4893E3E
SHA-256:	868A358E7AC43EB5B970A5231C12E57ECE4A1C2A1CEA5036E27CE90CF04B1C70
SHA-512:	7683A941AE549A01008804BF35BE347BFD168D3CFD11C1DFE9FAAE54D0F9B5571A3F32ABF8A79BBFB1900DF8886CF4287951311CB43C728D06C3C9B926C50B15
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.1.9.1.1.0.0.2.3.8.9.2.2.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.1.9.1.1.0.0.8.2.9.5.4.5.8.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.4.8.5.a.6.b.2.-.5.7.1.0.-.4.2.0.4.-.a.d.1.2.-.0.0.1.5.1.a.e.1.e.8.5.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.a.8.2.a.c.e.0.-.2.b.3.1.-.4.6.b.1.-.b.6.5.d.-.7.0.7.e.8.c.8.0.3.b.2.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.O...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.I.t.e.r.a.t.o.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.b.c.-.0.0.0.1.-.0.0.1.b.-.2.8.8.e.-.d.b.a.a.6.d.c.d.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.0.8.d.d.3.f.e.6.b.1.1.3.e.4.9.9.a.b.f.f.0.8.d.4.f.d.c.e.7.b.3.0.0.0.0.0.0.0.0.!.0.0.0.0.c.9.3.b.a.4.0.f.b.1.b.7.4.6.5.d.c.b.6.c.2.3.8.c.e.4.0.3.7.4.f.7.c.f.8.6.0.a.4.1.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA80.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Dec 8 14:23:24 2020, 0x1205a4 type
Category:	dropped
Size (bytes):	254233
Entropy (8bit):	4.451134244526187
Encrypted:	false
SSDEEP:	3072:2+ZxoKmghyiEKDB0l2jd+p/wY9LLNR9gIOgF5JTjx6is0fGUCgUvMDHoBOito:hZiKmQ0xpDLNR9RpDJtsNTjvKHgC
MD5:	336704949E6E5F56710561D85B5460AD
SHA1:	AC6041C765199F30151008FA53A838890D7D0323
SHA-256:	310065F69AD4B5238010BD4C927CF396BF762082AFE0DC621978AC7809548269
SHA-512:	F5DADA67551C127208A80ED26A3EFBB9C25A78E57BBE41F107F03B68C4190F6637EB51FD7C1A7244C71E56D33281E2CE120590A0059DA4E09A967507D954A5AE
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......\.._...................U...........B......$"......GenuineIntelW...........T...........S.._.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC4A3.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8410
Entropy (8bit):	3.706754769110284
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiBp6ile6YrsSUVktGgmfZ1YS/+pr589bSRsfVGm:RrlsNiP6R6YwSUVvgmfbYStSKfd
MD5:	93F3E07181E254F26005E0F368E086CD
SHA1:	8E97D7EE5A8990420B1B52D6E09B5B46F5493C38
SHA-256:	BC999AD66FFAD76805E03FA7690A34D92E0C07E08D2DE7CF7E6636649DCF7D71
SHA-512:	73BAF09D54E1455B56254801E2BF4770DA3491ECB8B6D8158398D853F37FEE747A3C365C98E954D0D4D09680CD86449A26D19507A386E402F26ACBE0274907B5
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.7.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC763.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4713
Entropy (8bit):	4.494410746157191
Encrypted:	false
SSDEEP:	48:cvIwSD8zskJgtWI9cSWSC8B18fm8M4Jw+8F3+q8vCotAv+qd:uITfijzSNcJwbKhOv+qd
MD5:	B6D07CB3F890531640F3D015F0CAE7E2
SHA1:	BCF4FFC86FC0B8182B21619B290A7261DFD94745
SHA-256:	2BCB3338C5D5C7BF2AD69AAA106B4AD72118988321EAE6F264ACA2BCD77D1B0F
SHA-512:	5A9ABE10272CCD0CFB75237D04751537296DB2AE035EBAA6A7219776AA927E7BA6F21B863F9A3C4125FCF79452A4EF67275B5BBB99FF4F5DFC1C4EEA0DB4C85A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="763174" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.399028917886387
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	PO.exe
File size:	872448
MD5:	550715ca9f26b33f444f1f24e98da7f1
SHA1:	c93ba40fb1b7465dcb6c238ce40374f7cf860a41
SHA256:	dd4d08f75e51e47cc3a43c3ca2d9f754602adf020083fc7671b762a1b285f5c1
SHA512:	e1a7d28b9085189970afb428ae40f5fdbff0e617c4d1e5e14bf83af0f4668089f23de695c647ae86c84b85cf74d9804624b69018a582ae0c2316908a189af158
SSDEEP:	12288:jCwER5wcQBuC/cQpoaOtPis35lhLayTlO/YTlQYwhS+TPMvhrx/ddJrH3rblh4ip:jCJCBuCTpuPxnLHTlQYwlMvdxlXPbly
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.....................f......N.... ........@.. ....................................@................................

File Icon


Icon Hash:	aa8cae8e96b28aa6

Static PE Info

General
Entrypoint:	0x4d064e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FCEAEF6 [Mon Dec 7 22:38:46 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd05f8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd2000	0x6400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xda000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xce654	0xce800	False	0.820317229116	data	7.43288688489	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xd2000	0x6400	0x6400	False	0.1905859375	data	4.94252971597	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xda000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xd2280	0xea8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xd3128	0x6c8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xd37f0	0x5d8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xd3dc8	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0xd4330	0x25a8	data
RT_ICON	0xd68d8	0x988	data
RT_ICON	0xd7260	0x580	data
RT_ICON	0xd77e0	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xd7c48	0x76	data
RT_VERSION	0xd7cc0	0x394	data
RT_MANIFEST	0xd8054	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Hewlett-Packard Company 2011 - 2020
Assembly Version	1.0.0.0
InternalName	IIterator.exe
FileVersion	1.0.0.0
CompanyName	Hewlett-Packard Company
LegalTrademarks
Comments
ProductName	StudentClient
ProductVersion	1.0.0.0
FileDescription	StudentClient
OriginalFilename	IIterator.exe

Network Behavior

Download Network PCAP: filtered – full

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 8, 2020 15:23:09.669970036 CET	56794	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:23:09.697164059 CET	53	56794	8.8.8.8	192.168.2.4
Dec 8, 2020 15:23:10.397782087 CET	56534	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:23:10.433106899 CET	53	56534	8.8.8.8	192.168.2.4
Dec 8, 2020 15:23:11.058717012 CET	56627	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:23:11.085932016 CET	53	56627	8.8.8.8	192.168.2.4
Dec 8, 2020 15:23:11.819809914 CET	56621	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:23:11.846868992 CET	53	56621	8.8.8.8	192.168.2.4
Dec 8, 2020 15:23:12.677201986 CET	63116	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:23:12.704165936 CET	53	63116	8.8.8.8	192.168.2.4
Dec 8, 2020 15:23:13.345597029 CET	64078	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:23:13.372582912 CET	53	64078	8.8.8.8	192.168.2.4
Dec 8, 2020 15:23:14.230240107 CET	64801	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:23:14.257285118 CET	53	64801	8.8.8.8	192.168.2.4
Dec 8, 2020 15:23:14.926644087 CET	61721	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:23:14.953675032 CET	53	61721	8.8.8.8	192.168.2.4
Dec 8, 2020 15:23:15.800645113 CET	51255	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:23:15.827882051 CET	53	51255	8.8.8.8	192.168.2.4
Dec 8, 2020 15:23:16.524369955 CET	61522	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:23:16.559890032 CET	53	61522	8.8.8.8	192.168.2.4
Dec 8, 2020 15:23:17.199148893 CET	52337	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:23:17.226057053 CET	53	52337	8.8.8.8	192.168.2.4
Dec 8, 2020 15:23:28.451515913 CET	55046	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:23:28.478562117 CET	53	55046	8.8.8.8	192.168.2.4
Dec 8, 2020 15:23:35.930185080 CET	49612	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:23:35.957263947 CET	53	49612	8.8.8.8	192.168.2.4
Dec 8, 2020 15:23:55.392997980 CET	49285	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:23:55.420098066 CET	53	49285	8.8.8.8	192.168.2.4
Dec 8, 2020 15:23:56.266916037 CET	50601	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:23:56.294003963 CET	53	50601	8.8.8.8	192.168.2.4
Dec 8, 2020 15:23:56.799809933 CET	60875	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:23:56.835303068 CET	53	60875	8.8.8.8	192.168.2.4
Dec 8, 2020 15:23:57.147749901 CET	56448	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:23:57.183629990 CET	53	56448	8.8.8.8	192.168.2.4
Dec 8, 2020 15:23:57.357686043 CET	59172	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:23:57.407706976 CET	53	59172	8.8.8.8	192.168.2.4
Dec 8, 2020 15:23:57.561146975 CET	62420	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:23:57.596868992 CET	53	62420	8.8.8.8	192.168.2.4
Dec 8, 2020 15:23:58.028712034 CET	60579	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:23:58.064292908 CET	53	60579	8.8.8.8	192.168.2.4
Dec 8, 2020 15:23:58.520294905 CET	50183	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:23:58.555744886 CET	53	50183	8.8.8.8	192.168.2.4
Dec 8, 2020 15:23:59.002825022 CET	61531	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:23:59.040030956 CET	53	61531	8.8.8.8	192.168.2.4
Dec 8, 2020 15:23:59.119720936 CET	49228	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:23:59.155344009 CET	53	49228	8.8.8.8	192.168.2.4
Dec 8, 2020 15:23:59.157334089 CET	59794	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:23:59.192663908 CET	53	59794	8.8.8.8	192.168.2.4
Dec 8, 2020 15:24:00.226896048 CET	55916	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:24:00.262681007 CET	53	55916	8.8.8.8	192.168.2.4
Dec 8, 2020 15:24:00.673923969 CET	52752	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:24:00.711771965 CET	53	52752	8.8.8.8	192.168.2.4
Dec 8, 2020 15:24:12.497333050 CET	60542	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:24:12.524502039 CET	53	60542	8.8.8.8	192.168.2.4
Dec 8, 2020 15:24:12.808968067 CET	60689	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:24:12.844575882 CET	53	60689	8.8.8.8	192.168.2.4
Dec 8, 2020 15:24:17.396388054 CET	64206	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:24:17.432048082 CET	53	64206	8.8.8.8	192.168.2.4
Dec 8, 2020 15:24:46.805531979 CET	50904	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:24:46.832552910 CET	53	50904	8.8.8.8	192.168.2.4
Dec 8, 2020 15:24:48.631931067 CET	57525	53	192.168.2.4	8.8.8.8
Dec 8, 2020 15:24:48.667468071 CET	53	57525	8.8.8.8	192.168.2.4

Code Manipulations

Statistics

CPU Usage

• PO.exe
• WerFault.exe

Click to jump to process

Memory Usage

• PO.exe
• WerFault.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• PO.exe
• WerFault.exe

Click to jump to process

System Behavior

Analysis Process: PO.exe PID: 6076 Parent PID: 5900

Function Logs

General

Start time:	15:23:15
Start date:	08/12/2020
Path:	C:\Users\user\Desktop\PO.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PO.exe'
Imagebase:	0x9f0000
File size:	872448 bytes
MD5 hash:	550715CA9F26B33F444F1F24E98DA7F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

File Activities

File Opened

File Created

File Read

File Attributes Queried

Other File Operations

Device IO

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Key Value Enumerated

Key Enumerated

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

System Information Queried

Show Windows behavior

Windows UI Activities

Window Created

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: WerFault.exe PID: 3124 Parent PID: 6076

Function Logs

General

Start time:	15:23:20
Start date:	08/12/2020
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 1248
Imagebase:	0x220000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

File Activities

File Opened

File Created

File Deleted

File Written

File Attributes Queried

Other File Operations

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Created

Key Deleted

Key Value Created

Key Monitored

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Execution Suspended

Thread Delayed

Thread Terminated

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

System Information Queried

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window Created

Show Windows behavior

Process Token Activities

Token Adjusted

Show Windows behavior

Object Security Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Analysis Process: PO.exe PID: 6076 Parent PID: 5900 PO.exeCOMMON

Executed Functions

Function 0146BBB8, Relevance: 1.7, APIs: 1, Instructions: 197COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0146BE0E

Memory Dump Source

Source File: 00000000.00000002.687413040.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ff13bfcb8cb29ae8fcd6324acfedfac6a7f4fb40faa59197dfc3a4e33d87b54e
Instruction ID: a282500b8046a39f5bf6f908f85d586e3c4485668af0c261a7a06bcbdebfb3ad
Opcode Fuzzy Hash: ff13bfcb8cb29ae8fcd6324acfedfac6a7f4fb40faa59197dfc3a4e33d87b54e
Instruction Fuzzy Hash: 867125B0A00B058FD724CF2AD54576BBBF5FF48208F008A2ED586D7B50DB75E9098B92

Uniqueness

Uniqueness Score: -1.00%

Function 0146B1EC, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0146DD8A

Memory Dump Source

Source File: 00000000.00000002.687413040.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: dea5e670241726141f58d24874863160d25942da52798bedefa9970695bd32a2
Instruction ID: d5982f24aa2b6d6f707d148bb9d74894bf862ef884b231e2fc861be3c1a5d714
Opcode Fuzzy Hash: dea5e670241726141f58d24874863160d25942da52798bedefa9970695bd32a2
Instruction Fuzzy Hash: 1B51C0B1D00309EFDB14CFA9C884ADEBBB5BF48314F64822AE819AB210D7749845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0146DC6D, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0146DD8A

Memory Dump Source

Source File: 00000000.00000002.687413040.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b64ffcdd72bdf06d8889723116b67ef8b67d47417ceccfc944cab109217212aa
Instruction ID: 30a256ba18360d311e25b06aef2612ef1c4975f7b2a10d377e094dc37aca62bd
Opcode Fuzzy Hash: b64ffcdd72bdf06d8889723116b67ef8b67d47417ceccfc944cab109217212aa
Instruction Fuzzy Hash: DD51CEB1D00319DFDB14CFA9C884ADEBBB5BF48314F24862AE819AB250D7749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01466D49, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01466E47

Memory Dump Source

Source File: 00000000.00000002.687413040.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 62e3764b70db1db9bcec18377d7e8cbd1fd9605b22596b3a7a90367064395ba9
Instruction ID: fa9059a0eda7b95c0415049502a651b725148acd10e489d5ef4fe76d2bbe2c86
Opcode Fuzzy Hash: 62e3764b70db1db9bcec18377d7e8cbd1fd9605b22596b3a7a90367064395ba9
Instruction Fuzzy Hash: 70414AB69002199FCB01CFA9D984ADEBFF9FF48314F05805AE904A7360C3359955DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01466DB8, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01466E47

Memory Dump Source

Source File: 00000000.00000002.687413040.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 502a7fbf32f396abd3505d05c1b4bbc569b19734812486668294b4ef37440ce2
Instruction ID: 240e3f922bc09b0f0dd44e3dcf862ab7b10a6fdf6ee9203a37cead9c3908ed9e
Opcode Fuzzy Hash: 502a7fbf32f396abd3505d05c1b4bbc569b19734812486668294b4ef37440ce2
Instruction Fuzzy Hash: 6E21E3B59002189FDB10CFAAD984ADEBBF8FF48324F15842AE915A7310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01466DC0, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01466E47

Memory Dump Source

Source File: 00000000.00000002.687413040.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4d27ff923dddc90b04bc07ac4fa951bc444910f9b4e8322ad9e60e896fd27b9b
Instruction ID: 87ea445df8d63138d383f79140c5b6ca4dd3e850dc6dc8ac974cad36e5ba60b4
Opcode Fuzzy Hash: 4d27ff923dddc90b04bc07ac4fa951bc444910f9b4e8322ad9e60e896fd27b9b
Instruction Fuzzy Hash: 6A21D3B5D002589FDB10CFAAD984ADEFBF8FB48324F15841AE915A7310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0146B0B0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0146BE89,00000800,00000000,00000000), ref: 0146C09A

Memory Dump Source

Source File: 00000000.00000002.687413040.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4f62c4fda94967f6cfdf83197ef6fd503283029a5dedd564cf99c5c71e5b8edc
Instruction ID: 26cd9b4578f7e561993aa85e282ec8379d808be111d3d6b43611caaa79f922ad
Opcode Fuzzy Hash: 4f62c4fda94967f6cfdf83197ef6fd503283029a5dedd564cf99c5c71e5b8edc
Instruction Fuzzy Hash: 2C1114B6D042498FDB10CF9AD484BDEFBF8FB49324F04842AE555A7210C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0146C028, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0146BE89,00000800,00000000,00000000), ref: 0146C09A

Memory Dump Source

Source File: 00000000.00000002.687413040.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dd3e677a5364a309ebd4de3680741a8cd25404559443d05b756e696b132afa04
Instruction ID: 958bff597ded94fecd48f64a81d8b85598af697b85acca6dd845a6d57f3804e9
Opcode Fuzzy Hash: dd3e677a5364a309ebd4de3680741a8cd25404559443d05b756e696b132afa04
Instruction Fuzzy Hash: 141112B6C002098FDB14CFAAC488BDEFBF8EB89324F15852AE555A7210C775A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0146BDA8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0146BE0E

Memory Dump Source

Source File: 00000000.00000002.687413040.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7a8263c4f5d04d576ac5d5159f4e20dd3b6f6b94d01a0832482069e459416e2a
Instruction ID: 3d17630416213ba61133de60e119a5f0d938ea5c55d34f21b47d70b02ac407b6
Opcode Fuzzy Hash: 7a8263c4f5d04d576ac5d5159f4e20dd3b6f6b94d01a0832482069e459416e2a
Instruction Fuzzy Hash: D311E0B6D006498FDB10CF9AD844BDFFBF8EB88224F14842AD919A7710D374A545CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F5D4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.684266130.0000000000F5D000.00000040.00000001.sdmp, Offset: 00F5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e300c11e108a00ade53911910532204f36f0fd17d173ff4bc6195fe349bd85
Instruction ID: 678648340d50cfa61e4bf6c57f78f65e33a54afbbd30cb759b63b0acd667a356
Opcode Fuzzy Hash: 46e300c11e108a00ade53911910532204f36f0fd17d173ff4bc6195fe349bd85
Instruction Fuzzy Hash: 60214CB2904204DFDB25CF10D9C0F16BF65FB88329F388569EE054B206D336D859EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F6D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.684297271.0000000000F6D000.00000040.00000001.sdmp, Offset: 00F6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc663707846b3c3668f9ff0d051520852191f5270b158365ad1f8a7df69d6a21
Instruction ID: 9b1f1abf50ccc3dca5784e6c1965b3f13ad29e737565a9fe41aad1de44b0cd32
Opcode Fuzzy Hash: fc663707846b3c3668f9ff0d051520852191f5270b158365ad1f8a7df69d6a21
Instruction Fuzzy Hash: 9F2107B5E04244EFCB14CF20D4C4B26BB65FB88324F24C569E94A4B24AC377D847EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F6D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.684297271.0000000000F6D000.00000040.00000001.sdmp, Offset: 00F6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9c4ef24e39145f769f6984e94f652fd311a62c574b995da5cb2d657437a1120
Instruction ID: cdc7c49dbed3c742e85cb4a4e1345c478ee463d32e6f0789d957ff75e319ffee
Opcode Fuzzy Hash: d9c4ef24e39145f769f6984e94f652fd311a62c574b995da5cb2d657437a1120
Instruction Fuzzy Hash: 2E2165759093C09FCB12CF24D594715BF71EF46324F28C5EAD8458B657C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F5D4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.684266130.0000000000F5D000.00000040.00000001.sdmp, Offset: 00F5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28d7f9b6c052c6bf27c54b29b78abe899c0e928c1954ef857855ef63c427eb8
Instruction ID: d1364132e7559c0817da490019386274b0942cd82b8ce653cbc3121a4121060c
Opcode Fuzzy Hash: c28d7f9b6c052c6bf27c54b29b78abe899c0e928c1954ef857855ef63c427eb8
Instruction Fuzzy Hash: 9511D376805280CFCB16CF10D5C4B16BF71FB98325F2886A9DD450B616C33AD85ADBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0146C2B0, Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.687413040.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908e3a447af3e8b371bfaf24fb5fdbd8c34527e5adc355946c51b9074571c127
Instruction ID: 5f70ae258cb672423a7c40802af31d8ded577165efbaa3fb94a61290e2169917
Opcode Fuzzy Hash: 908e3a447af3e8b371bfaf24fb5fdbd8c34527e5adc355946c51b9074571c127
Instruction Fuzzy Hash: DD529DB0521706CBD322CF14E4C81993BB1FB41329B93421AD1715F6E8E3B8656EEF4A

Uniqueness

Uniqueness Score: -1.00%

Function 01469970, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.687413040.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d631941c857a1c394a2c37cce689f689e729dbfb2aaa12be16a06fc576de3807
Instruction ID: cf5de20f7f23adf0197494b479fa51b1a875850e94424ec6838e2204dadfae20
Opcode Fuzzy Hash: d631941c857a1c394a2c37cce689f689e729dbfb2aaa12be16a06fc576de3807
Instruction Fuzzy Hash: A5A19C32E0061ACFCF05CFB9C8445DEBBB6FF95308B15816AE905BB261EB35A945CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00A8D80B, Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.682909143.00000000009F2000.00000002.00020000.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000000.00000002.682885690.00000000009F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.683966050.0000000000AC2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40051edc56f45d5286d0a274b9e97fa13ca6e44dbd791542557239bba2cdd9fa
Instruction ID: 06e83758e5b90ae81b688ca4696cbe9383b92d8e239b52478b319aac6d548b2c
Opcode Fuzzy Hash: 40051edc56f45d5286d0a274b9e97fa13ca6e44dbd791542557239bba2cdd9fa
Instruction Fuzzy Hash: B8714A7148E3C19FD3438B748C651C27FB1AE1722472A85EED4C58F4A3E2AE5896CB52

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PO.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: PO.exe PID: 6076 Parent PID: 5900

General

File Activities

File Opened

File Created

File Read

File Attributes Queried

Other File Operations

Volume Information Queried