
Windows Analysis Report Renci.SshNet.Tests.dll

Overview

General Information

Sample Name: Renci.SshNet.Tests.dll (renamed file extension from dll to exe)
Analysis ID: 554109
MD5: 179ed06c51e66ecccc16b76016fda2a3
SHA1: 57e491574060e80980245aa6ecbed6a0c94a7c17
SHA256: 21d8ae198ce38d26ef956902c8b3a48e38eaf3c7c0a9e511168235dbb1ebf493

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AV process strings found (often used to terminate AV products)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
One or more processes crash
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Sample execution stops while process was sleeping (likely an evasion)

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)

Process Tree

  • System is w10x64
  • Renci.SshNet.Tests.exe (PID: 4636 cmdline: "C:\Users\user\Desktop\Renci.SshNet.Tests.exe" MD5: 179ED06C51E66ECCCC16B76016FDA2A3)
    • conhost.exe (PID: 5976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WerFault.exe (PID: 6636 cmdline: C:\Windows\system32\WerFault.exe -u -p 4636 -s 728 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Renci.SshNet.Tests.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: Renci.SshNet.Tests.exe | Virustotal: Detection: 21%
Source: Renci.SshNet.Tests.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb& source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source: Binary string: rpcrt4.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: combase.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.305177569.00000218BC7D9000.00000004.00000001.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: gdi32.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.309332114.00000218BD2F7000.00000004.00000040.sdmp
Source: Binary string: C:\Users\sandip.bhadane\Downloads\SSH.NET.FIPS-2020.0.1\SSH.NET.FIPS-2020.0.1\src\Renci.SshNet.Tests\obj\Debug\netcoreapp2.1\Renci.SshNet.Tests.pdb source: Renci.SshNet.Tests.exe
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.309315927.00000218BD2F0000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: rpcrt4.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000005.00000003.309228587.00000218BD301000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.309155476.00000218BD300000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.308336194.00000218BD450000.00000004.00000001.sdmp, WERC69.tmp.dmp.5.dr
Source: Binary string: kernel32.pdb source: WerFault.exe, 00000005.00000003.306013033.00000218BC75D000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.305840906.00000218BC75D000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.304997596.00000218BC75D000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: ntdll.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: gdi32full.pdb source: WerFault.exe, 00000005.00000003.309315927.00000218BD2F0000.00000004.00000040.sdmp
Source: Binary string: win32u.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source: Binary string: ntdll.pdb0 source: WerFault.exe, 00000005.00000003.306212907.00000218BC751000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.304974261.00000218BC751000.00000004.00000001.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 00000005.00000003.304982946.00000218BC757000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.306167041.00000218BCB47000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.305828123.00000218BC757000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: imm32.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source: Binary string: mscoreei.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb+ source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source: Binary string: gdi32.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.309332114.00000218BD2F7000.00000004.00000040.sdmp
Source: Binary string: kernelbase.pdb0 source: WerFault.exe, 00000005.00000003.305012014.00000218BC763000.00000004.00000001.sdmp
Source: Binary string: msvcr120_clr0400.amd64.pdb source: WerFault.exe, 00000005.00000003.309315927.00000218BD2F0000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.309332114.00000218BD2F7000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: mscoreei.pdb0 source: WerFault.exe, 00000005.00000003.305541009.00000218BC787000.00000004.00000001.sdmp
Source: Binary string: kernelbase.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: C:\Users\sandip.bhadane\Downloads\SSH.NET.FIPS-2020.0.1\SSH.NET.FIPS-2020.0.1\src\Renci.SshNet.Tests\obj\Debug\netcoreapp2.1\Renci.SshNet.Tests.pdbSHA256 source: Renci.SshNet.Tests.exe
Source: Binary string: Renci.SshNet.Tests.pdb source: WerFault.exe, 00000005.00000003.309228587.00000218BD301000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309155476.00000218BD300000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.308336194.00000218BD450000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp, WERC69.tmp.dmp.5.dr
Source: Binary string: version.pdb8 source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source: Binary string: clr.pdb2 source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: mscoree.pdb0 source: WerFault.exe, 00000005.00000003.304982946.00000218BC757000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.305828123.00000218BC757000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb11 source: WerFault.exe, 00000005.00000003.309228587.00000218BD301000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309155476.00000218BD300000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source: Binary string: mscoree.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: clr.pdb0 source: WerFault.exe, 00000005.00000003.305177569.00000218BC7D9000.00000004.00000001.sdmp
Source: Binary string: win32u.pdb, source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source: Binary string: user32.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.309315927.00000218BD2F0000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000005.00000003.309228587.00000218BD301000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309155476.00000218BD300000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.308336194.00000218BD450000.00000004.00000001.sdmp, WERC69.tmp.dmp.5.dr
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.305541009.00000218BC787000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.309332114.00000218BD2F7000.00000004.00000040.sdmp
Source: Binary string: ntdll.pdb source: WerFault.exe, 00000005.00000003.306212907.00000218BC751000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.304974261.00000218BC751000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: Renci.SshNet.Tests.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS] source: WERC69.tmp.dmp.5.dr
Source: Binary string: kernel32.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: Renci.SshNet.Tests.pdbD source: WerFault.exe, 00000005.00000003.308336194.00000218BD450000.00000004.00000001.sdmp
Source: Binary string: kernelbase.pdb source: WerFault.exe, 00000005.00000003.305012014.00000218BC763000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source: Binary string: kernel32.pdb0 source: WerFault.exe, 00000005.00000003.306013033.00000218BC75D000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.305840906.00000218BC75D000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.304997596.00000218BC75D000.00000004.00000001.sdmp
Source: WerFault.exe, 00000005.00000003.317148597.00000218BA9B4000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000002.318351591.00000218BA9B4000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 00000005.00000002.318543207.00000218BC80E000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Amcache.hve.5.dr | String found in binary or memory: http://upx.sf.net
Source: Renci.SshNet.Tests.exe | String found in binary or memory: http://www.google.com/
Source: Renci.SshNet.Tests.exe | String found in binary or memory: http://www.google.com/3Starting
Source: Renci.SshNet.Tests.exe | String found in binary or memory: https://tools.ietf.org/html/rfc4253#sec
Source: Renci.SshNet.Tests.exe | String found in binary or memory: https://tools.ietf.org/html/rfc4253#sectio
Source: Renci.SshNet.Tests.exe | String found in binary or memory: https://tools.ietf.org/html/rfc4253#section-4.2
Source: Renci.SshNet.Tests.exe, 00000000.00000002.319623439.0000000000ED0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRenci.SshNet.Tests.dllF vs Renci.SshNet.Tests.exe
Source: Renci.SshNet.Tests.exe, 00000000.00000000.299791553.0000000001379000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Renci.SshNet.Tests.exe
Source: Renci.SshNet.Tests.exe | Binary or memory string: OriginalFilenameRenci.SshNet.Tests.dllF vs Renci.SshNet.Tests.exe
Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4636 -s 728
Source: Renci.SshNet.Tests.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: Renci.SshNet.Tests.exe | Virustotal: Detection: 21%
Source: Renci.SshNet.Tests.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: unknown | Process created: C:\Users\user\Desktop\Renci.SshNet.Tests.exe "C:\Users\user\Desktop\Renci.SshNet.Tests.exe"
Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4636 -s 728
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5976:120:WilError_01
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4636
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC69.tmp
Source: classification engine | Classification label: mal56.winEXE@3/6@0/0
Source: C:\Windows\System32\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Renci.SshNet.Tests.exe | Static file information: File size 1233920 > 1048576
Source: Renci.SshNet.Tests.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Renci.SshNet.Tests.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Renci.SshNet.Tests.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x12ca00
Source: Renci.SshNet.Tests.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Renci.SshNet.Tests.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Renci.SshNet.Tests.exe; Static PE information: 0xA2E625E9 [Tue Aug 8 20:26:17 2056 UTC]
Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe; Process information set: NOOPENFILEERRORBOX (7 occurrences)
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX (20 occurrences)
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: Amcache.hve.5.dr; Binary or memory string: VMware
Source: Amcache.hve.5.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.5.dr; Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr; Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr; Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr; Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: WerFault.exe, 00000005.00000002.318473286.00000218BC7C8000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.316961527.00000218BC7C8000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW4OT
Source: Amcache.hve.5.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr; Binary or memory string: VMware7,1
Source: Amcache.hve.5.dr; Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000005.00000002.318473286.00000218BC7C8000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.316961527.00000218BC7C8000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.316977470.00000218BC7DF000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000002.318509417.00000218BC7E8000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr; Binary or memory string: VMware, Inc.me
Source: Amcache.hve.5.dr; Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.5.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe; Process queried: DebugPort (2 occurrences)
Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe; Memory allocated: page read and write | page guard
Source: Renci.SshNet.Tests.exe, 00000000.00000000.300978369.0000000001B40000.00000002.00020000.sdmp, Renci.SshNet.Tests.exe, 00000000.00000000.300049069.0000000001B40000.00000002.00020000.sdmp; Binary or memory string: Program Manager
Source: Renci.SshNet.Tests.exe, 00000000.00000000.300978369.0000000001B40000.00000002.00020000.sdmp, Renci.SshNet.Tests.exe, 00000000.00000000.300049069.0000000001B40000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
Source: Renci.SshNet.Tests.exe, 00000000.00000000.300978369.0000000001B40000.00000002.00020000.sdmp, Renci.SshNet.Tests.exe, 00000000.00000000.300049069.0000000001B40000.00000002.00020000.sdmp; Binary or memory string: Progman
Source: Renci.SshNet.Tests.exe, 00000000.00000000.300978369.0000000001B40000.00000002.00020000.sdmp, Renci.SshNet.Tests.exe, 00000000.00000000.300049069.0000000001B40000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe; Queries volume information: C:\Users\user\Desktop\Renci.SshNet.Tests.exe VolumeInformation
Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.5.dr; Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.5.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr; Binary or memory string: procexp.exe
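The "Binary contains a suspicious time stamp" signature above and the Static File Info further down both rest on one field, the COFF header's TimeDateStamp of 0xA2E625E9, which decodes to a date in 2056. For a .NET assembly (this file carries a CLR header, runtime v4.0.30319) that shape is what a Roslyn deterministic build produces: the compiler writes a hash of the compilation inputs into the field and sets its high bit, so the value cannot decode to a plausible time. On a native binary the same reading would still be a timestomp indicator. The following is an added example, not code from the report or from SSH.NET: it parses a PE32 header, decodes the flag sets the report lists, and classifies the stamp. The header bytes are constructed here from values the report gives (timestamp, entry point 0x52cfa2, image base 0x400000, subsystem CUI, OS version 4.0, both flag sets); the CLR data-directory RVA and size are placeholders.

```python
"""Parse a PE32 header and classify its TimeDateStamp.

Added example, not code from the Joe Sandbox report or from SSH.NET. The header
bytes below are constructed from values the report lists (timestamp 0xA2E625E9,
entry point 0x52cfa2, image base 0x400000, subsystem CUI, OS version 4.0, the
two flag sets); the CLR data-directory RVA/size are placeholders.
"""
import struct
from datetime import datetime, timedelta, timezone

REPORT_DATE = datetime(2022, 1, 17, tzinfo=timezone.utc)   # analysis date from the report

# COFF Characteristics bits that matter for a first look.
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# Optional-header DllCharacteristics bits (mitigation flags).
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}
# Roslyn /deterministic writes a content hash into TimeDateStamp and sets this bit.
DETERMINISTIC_HASH_BIT = 0x80000000
CLR_DIRECTORY_INDEX = 14   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def _flag_names(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_header(data: bytes) -> dict:
    """Return the COFF/optional-header fields an analyst checks first (PE32 only)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, _nsections, timestamp, _, _, _opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (0x10b) optional headers are handled")
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, dll_characteristics = struct.unpack_from("<HH", data, opt + 68)
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    clr_rva = clr_size = 0
    if n_dirs > CLR_DIRECTORY_INDEX:
        clr_rva, clr_size = struct.unpack_from("<II", data, opt + 96 + CLR_DIRECTORY_INDEX * 8)
    return {
        "machine": machine,
        "timestamp": timestamp,
        "characteristics": _flag_names(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": _flag_names(dll_characteristics, DLL_CHARACTERISTICS),
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown ({subsystem})"),
        "entry_point": entry_point,
        "image_base": image_base,
        "os_version": f"{os_major}.{os_minor}",
        "is_dotnet": clr_rva != 0 and clr_size != 0,
    }


def timestamp_to_utc(ts: int) -> str:
    """Decode a 32-bit PE timestamp as seconds since the Unix epoch (what the report prints)."""
    return (datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)).strftime("%Y-%m-%d %H:%M:%S UTC")


def classify_timestamp(ts: int, is_dotnet: bool, now: datetime) -> str:
    """Separate a deterministic-build hash from a genuinely suspicious (future) build time."""
    if is_dotnet and ts & DETERMINISTIC_HASH_BIT:
        return "deterministic-build hash"
    if ts > int(now.timestamp()):
        return "future date (timestomp indicator)"
    return "plausible build time"


def build_sample_pe() -> bytes:
    """Constructed PE32 header carrying the report's values; no sections or code follow it."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0xA2E625E9, 0, 0, 224, 0x0002 | 0x0020)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x52CFA2)                                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                                # ImageBase
    struct.pack_into("<HH", opt, 40, 4, 0)                                   # OS version 4.0
    struct.pack_into("<HH", opt, 68, 3, 0x0040 | 0x0100 | 0x0400 | 0x8000)  # CUI + mitigation flags
    struct.pack_into("<I", opt, 92, 16)                                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)  # placeholder CLR header RVA/size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hdr = parse_pe_header(build_sample_pe())
    print(hdr)
    print(timestamp_to_utc(hdr["timestamp"]), "->",
          classify_timestamp(hdr["timestamp"], hdr["is_dotnet"], REPORT_DATE))
```

Run against the real file, `parse_pe_header(open(path, "rb").read())` gives the same dictionary the report's Static File Info table spells out; the point of `classify_timestamp` is that a future date alone is not evidence of tampering once the CLR header says the image is managed code.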

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection2 | Virtualization/Sandbox Evasion1 | OS Credential Dumping | Security Software Discovery21 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Virtualization/Sandbox Evasion1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection2 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Timestomp1 | NTDS | System Information Discovery12 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
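The matrix credits Virtualization/Sandbox Evasion and Security Software Discovery, but the strings behind those cells in the signature list above (VMware and Hyper-V device names, msmpeng.exe, procexp.exe) were read from Amcache.hve, a system hive that WerFault.exe wrote while handling the crash, and from WerFault.exe's own memory. The observations the list attributes to the submitted sample itself are the DebugPort query, the MachineGuid read, the volume-information query and a few shell window-class names. The following added example (not code from the report) re-attributes a constructed subset of the report's finding lines to the artefact they came from; it accepts both the flattened "Source: <artefact><event>: <value>" form and a "; "-separated form, and the VM and security-tool keyword lists are this example's own choice.

```python
"""Attribute sandbox findings to the artefact they were observed in.

Added example, not code from the Joe Sandbox report. FINDINGS is a constructed
subset of the report's "Source: ..." lines, copied as they appear there; the
keyword lists below are this example's own heuristics.
"""

FINDINGS = [
    r"Source: Amcache.hve.5.drBinary or memory string: VMware, Inc.",
    r"Source: Amcache.hve.5.drBinary or memory string: VMware7,1",
    r"Source: Amcache.hve.5.drBinary or memory string: Microsoft Hyper-V Generation Counter",
    r"Source: Amcache.hve.5.drBinary or memory string: NECVMWar VMware SATA CD00",
    r"Source: Amcache.hve.5.drBinary or memory string: c:\users\user\desktop\procexp.exe",
    r"Source: Amcache.hve.5.drBinary or memory string: c:\program files\windows defender\msmpeng.exe",
    r"Source: WerFault.exe, 00000005.00000002.318473286.00000218BC7C8000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW",
    r"Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exeProcess queried: DebugPort",
    r"Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exeQueries volume information: C:\Users\user\Desktop\Renci.SshNet.Tests.exe VolumeInformation",
    r"Source: Renci.SshNet.Tests.exe, 00000000.00000000.300978369.0000000001B40000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd",
    r"Source: C:\Windows\System32\conhost.exeLast function: Thread delayed",
]

# Event labels Joe Sandbox prints between the artefact name and the observed value.
EVENT_MARKERS = (
    "Binary or memory string",
    "Process queried",
    "Key value queried",
    "Process information set",
    "Memory allocated",
    "Queries volume information",
    "Last function",
)
VM_KEYWORDS = ("vmware", "hyper-v", "necvmwar")          # hypervisor fingerprints
SECURITY_TOOL_KEYWORDS = ("msmpeng", "procexp")          # AV / analysis-tool process names


def parse_finding(line: str):
    """Split one finding into (artefact, event, value); returns None for unknown layouts."""
    body = line[len("Source: "):] if line.startswith("Source: ") else line
    best = None
    for marker in EVENT_MARKERS:
        idx = body.find(marker + ": ")
        if idx != -1 and (best is None or idx < best[0]):
            best = (idx, marker)
    if best is None:
        return None
    idx, marker = best
    artefact = body[:idx].rstrip("; ").strip()      # works for both flattened and "; "-separated lines
    value = body[idx + len(marker) + 2:]
    return artefact, marker, value


def origin_of(artefact: str) -> str:
    """Map an artefact name (path, dumped-process name or dropped file) to where it came from."""
    first = artefact.split(",")[0].strip()          # drop memory-dump qualifiers after the process name
    name = first.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name.startswith("renci.sshnet.tests.exe"):
        return "sample"
    if name.startswith("werfault.exe"):
        return "werfault"
    if name.startswith("amcache.hve"):
        return "amcache"
    if name.startswith("conhost.exe"):
        return "conhost"
    return "other"


def summarize(lines) -> dict:
    """Group findings by origin and count the VM and security-tool strings in each group."""
    summary = {}
    for line in lines:
        parsed = parse_finding(line)
        if parsed is None:
            continue
        artefact, event, value = parsed
        bucket = summary.setdefault(origin_of(artefact), {"events": [], "vm_strings": 0, "security_tool_strings": 0})
        bucket["events"].append((event, value))
        low = value.lower()
        if any(k in low for k in VM_KEYWORDS):
            bucket["vm_strings"] += 1
        if any(k in low for k in SECURITY_TOOL_KEYWORDS):
            bucket["security_tool_strings"] += 1
    return summary


if __name__ == "__main__":
    for origin, bucket in summarize(FINDINGS).items():
        print(f"{origin}: {len(bucket['events'])} findings, "
              f"{bucket['vm_strings']} VM strings, {bucket['security_tool_strings']} security-tool strings")
```

Feed the whole signature section through `summarize` and the sample bucket ends up with no hypervisor or AV strings at all; every one of them sits in the Amcache or WerFault buckets, which is the first thing to settle before reading the evasion cells of the matrix as the sample's behaviour.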

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
[Behavior Graph ID 554109; Sample: Renci.SshNet.Tests.dll; Startdate: 17/01/2022; Architecture: WINDOWS; Score: 56. Process nodes: Renci.SshNet.Tests.exe started, and in turn started WerFault.exe and conhost.exe. Signatures attached to the sample node: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file.]

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

[screenshot thumbnail: windows-stand]
Source | Detection | Scanner | Label
Renci.SshNet.Tests.exe | 21% | Virustotal | 
Renci.SshNet.Tests.exe | 100% | Avira | HEUR/AGEN.1143520
No Antivirus matches
Source | Detection | Scanner | Label
0.0.Renci.SshNet.Tests.exe.da0000.2.unpack | 100% | Avira | HEUR/AGEN.1143520
0.0.Renci.SshNet.Tests.exe.da0000.1.unpack | 100% | Avira | HEUR/AGEN.1143520
0.2.Renci.SshNet.Tests.exe.da0000.0.unpack | 100% | Avira | HEUR/AGEN.1143520
0.0.Renci.SshNet.Tests.exe.da0000.0.unpack | 100% | Avira | HEUR/AGEN.1143520
No Antivirus matches
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005 | WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | false |  | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | false |  | high
http://www.google.com/3Starting | Renci.SshNet.Tests.exe | false |  | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o | WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | false |  | high
https://tools.ietf.org/html/rfc4253#section-4.2 | Renci.SshNet.Tests.exe | false |  | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | false |  | high
http://schemas.xmlsoap.org/ws/2004/09/policy | WerFault.exe, 00000005.00000002.318543207.00000218BC80E000.00000004.00000001.sdmp | false |  | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200 | WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | false |  | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o | WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | false |  | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone | WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | false |  | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone | WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | false |  | high
http://upx.sf.net | Amcache.hve.5.dr | false |  | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince | WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | false |  | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | false |  | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | false |  | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20 | WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | false |  | high
https://tools.ietf.org/html/rfc4253#sec | Renci.SshNet.Tests.exe | false |  | high
https://tools.ietf.org/html/rfc4253#sectio | Renci.SshNet.Tests.exe | false |  | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | false |  | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication | WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp | false |  | high
http://www.google.com/ | Renci.SshNet.Tests.exe | false |  | high
No contacted IP infos

General Information

Joe Sandbox Version:34.0.0 Boulder Opal
Analysis ID:554109
Start date:17.01.2022
Start time:09:19:09
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 6m 49s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Renci.SshNet.Tests.dll (renamed file extension from dll to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes:20
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal56.winEXE@3/6@0/0
EGA Information:Failed
HDC Information:
• Successful, ratio: 90.6% (good quality ratio 90.6%)
• Quality average: 75.6%
• Quality standard deviation: 10.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.20
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
• Execution Graph export aborted for target Renci.SshNet.Tests.exe, PID 4636 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
09:20:19 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
No context (5 occurrences)
                                            C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Renci.SshNet.Tes_eddc796223d0a31a9bec2598964dbb2f130f886_43f7664c_19031ff1\Report.wer
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):65536
                                            Entropy (8bit):0.8458961382156898
                                            Encrypted:false
                                            SSDEEP:96:8nF1/e1XdEUgkkzxDi5TzpXIQcQ1c6mcEMcw3K+BHUHZ0ownOgFkEwk6aOEXCkO1:6Xe1Xdru4HbiGJa15/u7sBS274lt6p
                                            MD5:862E4A70177590A65F5B9CDD92840B22
                                            SHA1:2C3820B8D1819EF8B6795193553AD54D693AB2CA
                                            SHA-256:8200E392FCDE54F284C8D848CB230F199182A3639DF68E381F5C514C48ABBB9C
                                            SHA-512:572A9172A8BA33E18D4045CE0E23ECB405A014271935D6A5C01D1EBDFA87DF7FA5F4376FD80FD5E4A7A76E3652A70E708D8A12DF750DFAFD1814A45F7EA46A58
                                            Malicious:false
                                            Reputation:low
                                            Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.6.9.1.3.6.1.4.0.3.2.2.3.1.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.6.9.1.3.6.1.7.5.7.9.0.8.6.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.9.5.1.3.e.1.2.-.c.5.8.0.-.4.d.4.3.-.b.1.7.e.-.d.1.e.4.6.3.4.d.e.1.1.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.9.8.3.2.9.f.0.-.0.f.2.a.-.4.0.e.5.-.9.a.d.d.-.5.5.6.7.2.8.2.c.d.d.f.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.R.e.n.c.i...S.s.h.N.e.t...T.e.s.t.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.n.c.i...S.s.h.N.e.t...T.e.s.t.s...d.l.l.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.1.c.-.0.0.0.1.-.0.0.1.c.-.9.5.6.e.-.e.8.7.9.c.6.0.b.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.b.2.c.3.e.b.0.0.3.8.5.5.7.3.b.8.e.9.0.0.0.1.0.9.b.d.4.5.2.5.6.0.0.0.0.0.0.0.0.!.0.0.0.0.5.7.e.4.9.1.5.7.4.0.6.0.e.8.0.9.8.0.2.4.5.a.a.6.e.c.b.e.d.6.a.0.c.
                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER12A4.tmp.WERInternalMetadata.xml
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):8766
                                            Entropy (8bit):3.7062994674190435
                                            Encrypted:false
                                            SSDEEP:192:Rrl7r3GLNif0z6YFk0qUGhgmfLY4aSUCprRH89bHysfVXtm:RrlsNicz6Ym0qU+gmfLY4aS1YHZfW
                                            MD5:7C0D96CD6DEFB8D29D8D4A55FCA61495
                                            SHA1:FA46CB4B4C32EF4061DF0EFB04807399DAD5DA25
                                            SHA-256:DF6DE302DC054EB62E2DD462BBC75A465B658362F5C5D70E9D1087FBCABE54EF
                                            SHA-512:39E69FF449E3605364B793D3C15BABD3A3CFDE17CBB8E372DBC7BFBC4FA4ADE580A86FEBDD62C8E55C3A5910DAEA9A60A5F8A6143C747EB05CD3B6D8BE24E2D2
                                            Malicious:false
                                            Reputation:low
                                            Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.6.3.6.<./.P.i.d.>.......
                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER146A.tmp.xml
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):4749
                                            Entropy (8bit):4.501797831808934
                                            Encrypted:false
                                            SSDEEP:48:cvIwSD8zsKJgtBI9HsTDSWSC8BfM8fm8M4J5NFvyq853Ad9kdhZd:uITfY1sTnSNZxJxjTkdhZd
                                            MD5:7EC5E7A9FE812E0F6CDCA73776EB4DEE
                                            SHA1:75CEB2F2455C7AA16A6705635F153440414AF63F
                                            SHA-256:A10E9E69DB2D21821A596C933AD11609C07F9613F2C86A5D48242032EC40489A
                                            SHA-512:2D9CB385686F8BF50E6ED40BBB18DB365ECE7B9C1278A4EA5C819C5A08F8F3F0E53BE5834866D40087379206DF3CD3EE7FFCCBE11E5D4E718095856AD630FC36
                                            Malicious:false
                                            Reputation:low
                                            Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1346550" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WERC69.tmp.dmp
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:Mini DuMP crash report, 16 streams, Mon Jan 17 17:20:14 2022, 0x1205a4 type
                                            Category:dropped
                                            Size (bytes):196339
                                            Entropy (8bit):2.4719933963374956
                                            Encrypted:false
                                            SSDEEP:768:kUhXj98NlvBTHiEDgVjnx9ysZ7EYIfY73rt1zSmwZkPdZpWsc1emFvxibhWrxq:k/BmFT9y+LwYTB12PZkl9c1robqxq
                                            MD5:D3A53059CBCE06F84034DC8FB28600CD
                                            SHA1:CD4DC93FC7FA7E601EE24E0733D5CDE71BE701C8
                                            SHA-256:7ADB523604498FF146AAE0D6CB6DC40120E94E4707C89B1D9023A041373DF944
                                            SHA-512:3D5AA920D7D372BD16DBAF9412378D3598B576A737E0067C477CA545122FF28BA2E4C4336ABB765FAEA2E5B31E5930185BAE59E40CD834FFF733D48444505E12
                                            Malicious:false
                                            Reputation:low
                                            Preview: MDMP....... .......N..a............$...............D.......$...\.......L...........d....>..........l.......8...........T............................................................................................................U...........B......P.......Lw......................T...........H..a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................
                                            C:\Windows\appcompat\Programs\Amcache.hve
                                            Process:C:\Windows\System32\WerFault.exe
                                            File Type:MS Windows registry file, NT/2000 or above
                                            Category:dropped
                                            Size (bytes):1572864
                                            Entropy (8bit):4.270405091262286
                                            Encrypted:false
                                            SSDEEP:12288:7wD0Th312ap8TSP5ve7dcb5GMtzr8VxmoKwPjMQ2ZlPfq+kwX2jeL:UD0Th312ap8TSPd5
                                            MD5:2FEFA8E0AD74A260F76D6A6A1E02773B
                                            SHA1:526CA28241061955A6B1F0B8FE229A0781F8C7E6
                                            SHA-256:D84CE9CC27DCE21B8631760027E2153772FE5A1B99BC6CA86F9B57ADE7400439
                                            SHA-512:83385C2685FB242AF1149DC440EA74AA6263768E7288E9FC1F3ED4658D21244DB0E1D87449374BE3447D6EA1E2A776E56D2FA3A600957CC6442A6F8F76D889A8
                                            Malicious:false
                                            Reputation:low
                                            Preview: regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...|................................................................................................................................................................................................................................................................................................................................................,.t!........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            \Device\ConDrv
                                            Process:C:\Users\user\Desktop\Renci.SshNet.Tests.exe
                                            File Type:ASCII text
                                            Category:dropped
                                            Size (bytes):242
                                            Entropy (8bit):4.879694892075436
                                            Encrypted:false
                                            SSDEEP:6:WsTbZqbbUcfvfAQDLyQ12MUAvv3XBJpQWoJPr:2HfvfBDLyPMbrQ1T
                                            MD5:968267B112A18CDB20F47CC91936B052
                                            SHA1:982AB14C1FEDF39D26FEC7BDA79EA06070CA347D
                                            SHA-256:5B876909EC9F4421DC4EF07E9C131A90EE661E4C940DA295648C255BCD8BAF1E
                                            SHA-512:B16BF16C70C05BEF396190EB3B1A148758BB2DFE5679F59A979B638A285D080D334D99A38BA0F5BE791FE900B96D115D59ABFD4AF24683D7B9980C3E618C8F80
                                            Malicious:false
                                            Reputation:low
                                            Preview: .Unhandled Exception: System.IO.FileNotFoundException: Could not load file or assembly 'System.Runtime, Version=4.2.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. The system cannot find the file specified..
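The six dropped files above are all fallout from one event. The \Device\ConDrv output shows the process dying on `System.IO.FileNotFoundException` for `System.Runtime, Version=4.2.1.0`, the reference assembly version of .NET Core 3.x / .NET Standard 2.1 builds, which the .NET Framework 4.x runtime on the analysis VM cannot bind; the unhandled exception is what invokes WerFault.exe, and the Report.wer, the two XML files, the minidump and the Amcache write follow from that. Report.wer is UTF-16LE text with one Key=Value per line (hence the interleaved dots in the Preview), and its TargetAppId ends in "!0000" followed by the SHA-1 of the crashed executable, the same FileId convention Amcache.hve uses, which lets an analyst confirm that the WER artefacts describe the submitted file. The following is an added example, not code from the report or from SSH.NET: it decodes a Report.wer body, checks the embedded SHA-1 against the sample's hash, converts the FILETIME EventTime, and pulls the unresolved assembly out of the console output. The Report.wer body is constructed here; its program id and timestamps are transcribed from the Preview above, the SHA-1 is the one the report lists for the sample (the Preview itself is cut off part-way through the hash), and the remaining keys are omitted.

```python
"""Read a Windows Error Reporting Report.wer and tie it to the crashed sample.

Added example, not code from the Joe Sandbox report or from SSH.NET. The
Report.wer body below is constructed: program id and EventTime are transcribed
from the report's Preview, the SHA-1 is the sample hash the report lists.
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_SHA1 = "57e491574060e80980245aa6ecbed6a0c94a7c17"   # sample's SHA-1 as listed in the report

# Constructed Report.wer: UTF-16LE with BOM and CRLF, the way WER writes it.
CONSTRUCTED_REPORT_WER = (
    "\ufeff"
    "Version=1\r\n"
    "EventType=APPCRASH\r\n"
    "EventTime=132869136140322318\r\n"
    "ReportType=2\r\n"
    "Consent=1\r\n"
    "NsAppName=Renci.SshNet.Tests.exe\r\n"
    "OriginalFilename=Renci.SshNet.Tests.dll\r\n"
    "TargetAppId=W:00069b2c3eb00385573b8e9000109bd4525600000000!0000" + SAMPLE_SHA1 + "\r\n"
).encode("utf-16-le")

# Console output the sample wrote to \Device\ConDrv before WerFault took over (from the report).
CONDRV_OUTPUT = (
    "Unhandled Exception: System.IO.FileNotFoundException: Could not load file or assembly "
    "'System.Runtime, Version=4.2.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' "
    "or one of its dependencies. The system cannot find the file specified."
)

_FILE_ID_RE = re.compile(r"!0000([0-9a-fA-F]{40})$")
_MISSING_ASM_RE = re.compile(r"Could not load file or assembly '([^,']+), Version=([\d.]+)")


def parse_wer_report(data: bytes) -> dict:
    """Decode a Report.wer body into a key/value dict (the first '=' separates key and value)."""
    text = data.decode("utf-16-le").lstrip("\ufeff")
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def file_sha1_from_app_id(target_app_id: str):
    """Return the SHA-1 embedded in a WER TargetAppId, or None when the field has no file id."""
    m = _FILE_ID_RE.search(target_app_id)
    return m.group(1).lower() if m else None


def crashed_file_matches(report: dict, sha1: str) -> bool:
    """True when the report's TargetAppId carries the SHA-1 of the file under analysis."""
    return file_sha1_from_app_id(report.get("TargetAppId", "")) == sha1.lower()


def filetime_to_utc(filetime: int) -> str:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to a UTC string."""
    epoch_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (epoch_1601 + timedelta(microseconds=filetime // 10)).strftime("%Y-%m-%d %H:%M:%S UTC")


def missing_assembly(console_output: str):
    """Extract (name, version) of the assembly whose failed load killed the process."""
    m = _MISSING_ASM_RE.search(console_output)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    report = parse_wer_report(CONSTRUCTED_REPORT_WER)
    print("crashed:", report["NsAppName"], "(OriginalFilename", report["OriginalFilename"] + ")")
    print("event time:", filetime_to_utc(int(report["EventTime"])))
    print("TargetAppId SHA-1 matches sample:", crashed_file_matches(report, SAMPLE_SHA1))
    print("unresolved reference:", missing_assembly(CONDRV_OUTPUT))
```

The EventTime converts to 17:20:14 UTC on 2022-01-17, the same instant the minidump's file-type line records, so the three artefacts (console output, Report.wer, WERC69.tmp.dmp) can be pinned to a single crash of the submitted binary rather than to anything it went on to do.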

                                            Static File Info

                                            General

                                            File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):5.752941368597111
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Windows Screen Saver (13104/52) 0.07%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            File name:Renci.SshNet.Tests.exe
                                            File size:1233920
                                            MD5:179ed06c51e66ecccc16b76016fda2a3
                                            SHA1:57e491574060e80980245aa6ecbed6a0c94a7c17
                                            SHA256:21d8ae198ce38d26ef956902c8b3a48e38eaf3c7c0a9e511168235dbb1ebf493
                                            SHA512:7f62afb37387be7a4ef451006311ea0f5fd26d391fec0602f6c352cc1bf7de1f57c7fbc4ae12050ee9163c6804478c204203c972cff449f83831609417f7bde2
                                            SSDEEP:12288:+C8y3muQI2u+QwqTXlb/Q6PFzpbuk1bSlvhId8//ffL+xxwKM:+0bVbukpSlC+//ffaxxwK
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....%............"...0.................. ........@.. .......................@......Q.....@................................

                                            File Icon

                                            Icon Hash:00828e8e8686b000

                                            General

                                            Entrypoint:0x52cfa2
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows cui
                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                            Time Stamp:0xA2E625E9 [Tue Aug 8 20:26:17 2056 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:v4.0.30319
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                            Instruction
                                            jmp dword ptr [00402000h]
                                            Name                                 Virtual Address  Virtual Size  Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT         0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_IMPORT         0x12cf4f         0x4f          .text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE       0x130000         0x5b4         .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION      0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_SECURITY       0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC      0x132000         0xc           .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG          0x12ce28         0x54          .text
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT      0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR      0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_TLS            0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_IAT            0x2000           0x8           .text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x2008           0x48          .text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED       0x0              0x0
                                            Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                            .text   0x2000           0x12c850      0x12ca00  False     0.232697992464   data       5.75606400964   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                            .rsrc   0x130000         0x5b4         0x600     False     0.40234375       data       4.07012289885   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc  0x132000         0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                            Name         RVA       Size   Type                                                                               Language  Country
                                            RT_VERSION   0x130090  0x324  data
                                            RT_MANIFEST  0x1303c4  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                            DLL          Import
                                            mscoree.dll  _CorExeMain
                                            Description       Data
                                            Translation       0x0000 0x04b0
                                            LegalCopyright
                                            Assembly Version  1.0.0.0
                                            InternalName      Renci.SshNet.Tests.dll
                                            FileVersion       1.0.0.0
                                            CompanyName       Renci.SshNet.Tests
                                            ProductName       Renci.SshNet.Tests
                                            ProductVersion    1.0.0
                                            FileDescription   Renci.SshNet.Tests
                                            OriginalFilename  Renci.SshNet.Tests.dll

                                            Network Behavior

                                            No network behavior found

                                            Code Manipulations

                                            Statistics

                                            CPU Usage

                                            Memory Usage

                                            High Level Behavior Distribution

                                            • File
                                            • Registry

                                            Behavior

                                            System Behavior

                                            Start time:09:20:08
                                            Start date:17/01/2022
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7f20f0000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Start time:09:20:12
                                            Start date:17/01/2022
                                            Path:C:\Windows\System32\WerFault.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\WerFault.exe -u -p 4636 -s 728
                                            Imagebase:0x7ff7a47d0000
                                            File size:494488 bytes
                                            MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Reputation:high

                                            Disassembly

                                            Code Analysis