Create Interactive Tour

Windows Analysis Report Renci.SshNet.Tests.dll

Overview

General Information

Sample Name:	Renci.SshNet.Tests.dll (renamed file extension from dll to exe)
Analysis ID:	554109
MD5:	179ed06c51e66ecccc16b76016fda2a3
SHA1:	57e491574060e80980245aa6ecbed6a0c94a7c17
SHA256:	21d8ae198ce38d26ef956902c8b3a48e38eaf3c7c0a9e511168235dbb1ebf493
Infos:
Most interesting Screenshot:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AV process strings found (often used to terminate AV products)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

One or more processes crash

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

System is w10x64

Renci.SshNet.Tests.exe (PID: 4636 cmdline: "C:\Users\user\Desktop\Renci.SshNet.Tests.exe" MD5: 179ED06C51E66ECCCC16B76016FDA2A3)

conhost.exe (PID: 5976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WerFault.exe (PID: 6636 cmdline: C:\Windows\system32\WerFault.exe -u -p 4636 -s 728 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: Renci.SshNet.Tests.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: Renci.SshNet.Tests.exe

Virustotal: Detection: 21%

Perma Link

Source: Renci.SshNet.Tests.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb& source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: rpcrt4.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.305177569.00000218BC7D9000.00000004.00000001.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: gdi32.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.309332114.00000218BD2F7000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\sandip.bhadane\Downloads\SSH.NET.FIPS-2020.0.1\SSH.NET.FIPS-2020.0.1\src\Renci.SshNet.Tests\obj\Debug\netcoreapp2.1\Renci.SshNet.Tests.pdb source: Renci.SshNet.Tests.exe
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.309315927.00000218BD2F0000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: rpcrt4.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000005.00000003.309228587.00000218BD301000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.309155476.00000218BD300000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.308336194.00000218BD450000.00000004.00000001.sdmp, WERC69.tmp.dmp.5.dr
Source:	Binary string: kernel32.pdb source: WerFault.exe, 00000005.00000003.306013033.00000218BC75D000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.305840906.00000218BC75D000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.304997596.00000218BC75D000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: ntdll.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: gdi32full.pdb source: WerFault.exe, 00000005.00000003.309315927.00000218BD2F0000.00000004.00000040.sdmp
Source:	Binary string: win32u.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: ntdll.pdb0 source: WerFault.exe, 00000005.00000003.306212907.00000218BC751000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.304974261.00000218BC751000.00000004.00000001.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 00000005.00000003.304982946.00000218BC757000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.306167041.00000218BCB47000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.305828123.00000218BC757000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: imm32.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: mscoreei.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb+ source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: gdi32.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.309332114.00000218BD2F7000.00000004.00000040.sdmp
Source:	Binary string: kernelbase.pdb0 source: WerFault.exe, 00000005.00000003.305012014.00000218BC763000.00000004.00000001.sdmp
Source:	Binary string: msvcr120_clr0400.amd64.pdb source: WerFault.exe, 00000005.00000003.309315927.00000218BD2F0000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.309332114.00000218BD2F7000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: mscoreei.pdb0 source: WerFault.exe, 00000005.00000003.305541009.00000218BC787000.00000004.00000001.sdmp
Source:	Binary string: kernelbase.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\sandip.bhadane\Downloads\SSH.NET.FIPS-2020.0.1\SSH.NET.FIPS-2020.0.1\src\Renci.SshNet.Tests\obj\Debug\netcoreapp2.1\Renci.SshNet.Tests.pdbSHA256 source: Renci.SshNet.Tests.exe
Source:	Binary string: Renci.SshNet.Tests.pdb source: WerFault.exe, 00000005.00000003.309228587.00000218BD301000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309155476.00000218BD300000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.308336194.00000218BD450000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp, WERC69.tmp.dmp.5.dr
Source:	Binary string: version.pdb8 source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: clr.pdb2 source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: mscoree.pdb0 source: WerFault.exe, 00000005.00000003.304982946.00000218BC757000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.305828123.00000218BC757000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb11 source: WerFault.exe, 00000005.00000003.309228587.00000218BD301000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309155476.00000218BD300000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: mscoree.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: clr.pdb0 source: WerFault.exe, 00000005.00000003.305177569.00000218BC7D9000.00000004.00000001.sdmp
Source:	Binary string: win32u.pdb, source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: user32.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.309315927.00000218BD2F0000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 00000005.00000003.309228587.00000218BD301000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309155476.00000218BD300000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.308336194.00000218BD450000.00000004.00000001.sdmp, WERC69.tmp.dmp.5.dr
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.305541009.00000218BC787000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.309332114.00000218BD2F7000.00000004.00000040.sdmp
Source:	Binary string: ntdll.pdb source: WerFault.exe, 00000005.00000003.306212907.00000218BC751000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.304974261.00000218BC751000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: Renci.SshNet.Tests.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS] source: WERC69.tmp.dmp.5.dr
Source:	Binary string: kernel32.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: Renci.SshNet.Tests.pdbD source: WerFault.exe, 00000005.00000003.308336194.00000218BD450000.00000004.00000001.sdmp
Source:	Binary string: kernelbase.pdb source: WerFault.exe, 00000005.00000003.305012014.00000218BC763000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: kernel32.pdb0 source: WerFault.exe, 00000005.00000003.306013033.00000218BC75D000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.305840906.00000218BC75D000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.304997596.00000218BC75D000.00000004.00000001.sdmp

Source: WerFault.exe, 00000005.00000003.317148597.00000218BA9B4000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000002.318351591.00000218BA9B4000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 00000005.00000002.318543207.00000218BC80E000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: Renci.SshNet.Tests.exe	String found in binary or memory: http://www.google.com/
Source: Renci.SshNet.Tests.exe	String found in binary or memory: http://www.google.com/3Starting
Source: Renci.SshNet.Tests.exe	String found in binary or memory: https://tools.ietf.org/html/rfc4253#sec
Source: Renci.SshNet.Tests.exe	String found in binary or memory: https://tools.ietf.org/html/rfc4253#sectio
Source: Renci.SshNet.Tests.exe	String found in binary or memory: https://tools.ietf.org/html/rfc4253#section-4.2

Source: Renci.SshNet.Tests.exe, 00000000.00000002.319623439.0000000000ED0000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRenci.SshNet.Tests.dllF vs Renci.SshNet.Tests.exe
Source: Renci.SshNet.Tests.exe, 00000000.00000000.299791553.0000000001379000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Renci.SshNet.Tests.exe
Source: Renci.SshNet.Tests.exe	Binary or memory string: OriginalFilenameRenci.SshNet.Tests.dllF vs Renci.SshNet.Tests.exe

Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4636 -s 728

Source: Renci.SshNet.Tests.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: Renci.SshNet.Tests.exe

Virustotal: Detection: 21%

Source: Renci.SshNet.Tests.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Renci.SshNet.Tests.exe "C:\Users\user\Desktop\Renci.SshNet.Tests.exe"
Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4636 -s 728

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5976:120:WilError_01
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4636

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC69.tmp

Jump to behavior

Source: classification engine

Classification label: mal56.winEXE@3/6@0/0

Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Renci.SshNet.Tests.exe

Static file information: File size 1233920 > 1048576

Source: Renci.SshNet.Tests.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Renci.SshNet.Tests.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Renci.SshNet.Tests.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x12ca00

Source: Renci.SshNet.Tests.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: Renci.SshNet.Tests.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb& source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: rpcrt4.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.305177569.00000218BC7D9000.00000004.00000001.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: gdi32.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.309332114.00000218BD2F7000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\sandip.bhadane\Downloads\SSH.NET.FIPS-2020.0.1\SSH.NET.FIPS-2020.0.1\src\Renci.SshNet.Tests\obj\Debug\netcoreapp2.1\Renci.SshNet.Tests.pdb source: Renci.SshNet.Tests.exe
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.309315927.00000218BD2F0000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: rpcrt4.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000005.00000003.309228587.00000218BD301000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.309155476.00000218BD300000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.308336194.00000218BD450000.00000004.00000001.sdmp, WERC69.tmp.dmp.5.dr
Source:	Binary string: kernel32.pdb source: WerFault.exe, 00000005.00000003.306013033.00000218BC75D000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.305840906.00000218BC75D000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.304997596.00000218BC75D000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: ntdll.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: gdi32full.pdb source: WerFault.exe, 00000005.00000003.309315927.00000218BD2F0000.00000004.00000040.sdmp
Source:	Binary string: win32u.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: ntdll.pdb0 source: WerFault.exe, 00000005.00000003.306212907.00000218BC751000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.304974261.00000218BC751000.00000004.00000001.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 00000005.00000003.304982946.00000218BC757000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.306167041.00000218BCB47000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.305828123.00000218BC757000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: imm32.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: mscoreei.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb+ source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: gdi32.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.309332114.00000218BD2F7000.00000004.00000040.sdmp
Source:	Binary string: kernelbase.pdb0 source: WerFault.exe, 00000005.00000003.305012014.00000218BC763000.00000004.00000001.sdmp
Source:	Binary string: msvcr120_clr0400.amd64.pdb source: WerFault.exe, 00000005.00000003.309315927.00000218BD2F0000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.309332114.00000218BD2F7000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: mscoreei.pdb0 source: WerFault.exe, 00000005.00000003.305541009.00000218BC787000.00000004.00000001.sdmp
Source:	Binary string: kernelbase.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\sandip.bhadane\Downloads\SSH.NET.FIPS-2020.0.1\SSH.NET.FIPS-2020.0.1\src\Renci.SshNet.Tests\obj\Debug\netcoreapp2.1\Renci.SshNet.Tests.pdbSHA256 source: Renci.SshNet.Tests.exe
Source:	Binary string: Renci.SshNet.Tests.pdb source: WerFault.exe, 00000005.00000003.309228587.00000218BD301000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309155476.00000218BD300000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.308336194.00000218BD450000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp, WERC69.tmp.dmp.5.dr
Source:	Binary string: version.pdb8 source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: clr.pdb2 source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: mscoree.pdb0 source: WerFault.exe, 00000005.00000003.304982946.00000218BC757000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.305828123.00000218BC757000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb11 source: WerFault.exe, 00000005.00000003.309228587.00000218BD301000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309155476.00000218BD300000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: mscoree.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: clr.pdb0 source: WerFault.exe, 00000005.00000003.305177569.00000218BC7D9000.00000004.00000001.sdmp
Source:	Binary string: win32u.pdb, source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: user32.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.309315927.00000218BD2F0000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 00000005.00000003.309228587.00000218BD301000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309155476.00000218BD300000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.308336194.00000218BD450000.00000004.00000001.sdmp, WERC69.tmp.dmp.5.dr
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.309344213.00000218BD2F9000.00000004.00000040.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.305541009.00000218BC787000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.309332114.00000218BD2F7000.00000004.00000040.sdmp
Source:	Binary string: ntdll.pdb source: WerFault.exe, 00000005.00000003.306212907.00000218BC751000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.304974261.00000218BC751000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: Renci.SshNet.Tests.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS] source: WERC69.tmp.dmp.5.dr
Source:	Binary string: kernel32.pdb8 source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: Renci.SshNet.Tests.pdbD source: WerFault.exe, 00000005.00000003.308336194.00000218BD450000.00000004.00000001.sdmp
Source:	Binary string: kernelbase.pdb source: WerFault.exe, 00000005.00000003.305012014.00000218BC763000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.309064429.00000218BD2F1000.00000004.00000040.sdmp
Source:	Binary string: kernel32.pdb0 source: WerFault.exe, 00000005.00000003.306013033.00000218BC75D000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.305840906.00000218BC75D000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.304997596.00000218BC75D000.00000004.00000001.sdmp

Source: Renci.SshNet.Tests.exe

Static PE information: 0xA2E625E9 [Tue Aug 8 20:26:17 2056 UTC]

Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: WerFault.exe, 00000005.00000002.318473286.00000218BC7C8000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.316961527.00000218BC7C8000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW4OT
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000005.00000002.318473286.00000218BC7C8000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.316961527.00000218BC7C8000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.316977470.00000218BC7DF000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000002.318509417.00000218BC7E8000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: Renci.SshNet.Tests.exe, 00000000.00000000.300978369.0000000001B40000.00000002.00020000.sdmp, Renci.SshNet.Tests.exe, 00000000.00000000.300049069.0000000001B40000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: Renci.SshNet.Tests.exe, 00000000.00000000.300978369.0000000001B40000.00000002.00020000.sdmp, Renci.SshNet.Tests.exe, 00000000.00000000.300049069.0000000001B40000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Renci.SshNet.Tests.exe, 00000000.00000000.300978369.0000000001B40000.00000002.00020000.sdmp, Renci.SshNet.Tests.exe, 00000000.00000000.300049069.0000000001B40000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Renci.SshNet.Tests.exe, 00000000.00000000.300978369.0000000001B40000.00000002.00020000.sdmp, Renci.SshNet.Tests.exe, 00000000.00000000.300049069.0000000001B40000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe

Queries volume information: C:\Users\user\Desktop\Renci.SshNet.Tests.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Renci.SshNet.Tests.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: procexp.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection2	Virtualization/Sandbox Evasion1	OS Credential Dumping	Security Software Discovery21	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection2	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Timestomp1	NTDS	System Information Discovery12	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Renci.SshNet.Tests.exe	21%	Virustotal		Browse
Renci.SshNet.Tests.exe	100%	Avira	HEUR/AGEN.1143520

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.0.Renci.SshNet.Tests.exe.da0000.2.unpack	100%	Avira	HEUR/AGEN.1143520	Download File
0.0.Renci.SshNet.Tests.exe.da0000.1.unpack	100%	Avira	HEUR/AGEN.1143520	Download File
0.2.Renci.SshNet.Tests.exe.da0000.0.unpack	100%	Avira	HEUR/AGEN.1143520	Download File
0.0.Renci.SshNet.Tests.exe.da0000.0.unpack	100%	Avira	HEUR/AGEN.1143520	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005	WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier	WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	false	high
http://www.google.com/3Starting	Renci.SshNet.Tests.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o	WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	false	high
https://tools.ietf.org/html/rfc4253#section-4.2	Renci.SshNet.Tests.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/09/policy	WerFault.exe, 00000005.00000002.318543207.00000218BC80E000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200	WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o	WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone	WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone	WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	false	high
http://upx.sf.net	Amcache.hve.5.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince	WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20	WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	false	high
https://tools.ietf.org/html/rfc4253#sec	Renci.SshNet.Tests.exe	false	high
https://tools.ietf.org/html/rfc4253#sectio	Renci.SshNet.Tests.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication	WerFault.exe, 00000005.00000003.308023927.00000218BD490000.00000004.00000001.sdmp	false	high
http://www.google.com/	Renci.SshNet.Tests.exe	false	high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	554109
Start date:	17.01.2022
Start time:	09:19:09
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Renci.SshNet.Tests.dll (renamed file extension from dll to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal56.winEXE@3/6@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 90.6% (good quality ratio 90.6%) Quality average: 75.6% Quality standard deviation: 10.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.189.173.20 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com Execution Graph export aborted for target Renci.SshNet.Tests.exe, PID 4636 because there are no executed function Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:20:19	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Renci.SshNet.Tes_eddc796223d0a31a9bec2598964dbb2f130f886_43f7664c_19031ff1\Report.wer Download File
Process:	C:\Windows\System32\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8458961382156898
Encrypted:	false
SSDEEP:	96:8nF1/e1XdEUgkkzxDi5TzpXIQcQ1c6mcEMcw3K+BHUHZ0ownOgFkEwk6aOEXCkO1:6Xe1Xdru4HbiGJa15/u7sBS274lt6p
MD5:	862E4A70177590A65F5B9CDD92840B22
SHA1:	2C3820B8D1819EF8B6795193553AD54D693AB2CA
SHA-256:	8200E392FCDE54F284C8D848CB230F199182A3639DF68E381F5C514C48ABBB9C
SHA-512:	572A9172A8BA33E18D4045CE0E23ECB405A014271935D6A5C01D1EBDFA87DF7FA5F4376FD80FD5E4A7A76E3652A70E708D8A12DF750DFAFD1814A45F7EA46A58
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.6.9.1.3.6.1.4.0.3.2.2.3.1.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.6.9.1.3.6.1.7.5.7.9.0.8.6.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.9.5.1.3.e.1.2.-.c.5.8.0.-.4.d.4.3.-.b.1.7.e.-.d.1.e.4.6.3.4.d.e.1.1.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.9.8.3.2.9.f.0.-.0.f.2.a.-.4.0.e.5.-.9.a.d.d.-.5.5.6.7.2.8.2.c.d.d.f.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.R.e.n.c.i...S.s.h.N.e.t...T.e.s.t.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.n.c.i...S.s.h.N.e.t...T.e.s.t.s...d.l.l.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.1.c.-.0.0.0.1.-.0.0.1.c.-.9.5.6.e.-.e.8.7.9.c.6.0.b.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.b.2.c.3.e.b.0.0.3.8.5.5.7.3.b.8.e.9.0.0.0.1.0.9.b.d.4.5.2.5.6.0.0.0.0.0.0.0.0.!.0.0.0.0.5.7.e.4.9.1.5.7.4.0.6.0.e.8.0.9.8.0.2.4.5.a.a.6.e.c.b.e.d.6.a.0.c.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER12A4.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8766
Entropy (8bit):	3.7062994674190435
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNif0z6YFk0qUGhgmfLY4aSUCprRH89bHysfVXtm:RrlsNicz6Ym0qU+gmfLY4aS1YHZfW
MD5:	7C0D96CD6DEFB8D29D8D4A55FCA61495
SHA1:	FA46CB4B4C32EF4061DF0EFB04807399DAD5DA25
SHA-256:	DF6DE302DC054EB62E2DD462BBC75A465B658362F5C5D70E9D1087FBCABE54EF
SHA-512:	39E69FF449E3605364B793D3C15BABD3A3CFDE17CBB8E372DBC7BFBC4FA4ADE580A86FEBDD62C8E55C3A5910DAEA9A60A5F8A6143C747EB05CD3B6D8BE24E2D2
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.6.3.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER146A.tmp.xml Download File
Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4749
Entropy (8bit):	4.501797831808934
Encrypted:	false
SSDEEP:	48:cvIwSD8zsKJgtBI9HsTDSWSC8BfM8fm8M4J5NFvyq853Ad9kdhZd:uITfY1sTnSNZxJxjTkdhZd
MD5:	7EC5E7A9FE812E0F6CDCA73776EB4DEE
SHA1:	75CEB2F2455C7AA16A6705635F153440414AF63F
SHA-256:	A10E9E69DB2D21821A596C933AD11609C07F9613F2C86A5D48242032EC40489A
SHA-512:	2D9CB385686F8BF50E6ED40BBB18DB365ECE7B9C1278A4EA5C819C5A08F8F3F0E53BE5834866D40087379206DF3CD3EE7FFCCBE11E5D4E718095856AD630FC36
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1346550" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC69.tmp.dmp Download File
Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Mon Jan 17 17:20:14 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	196339
Entropy (8bit):	2.4719933963374956
Encrypted:	false
SSDEEP:	768:kUhXj98NlvBTHiEDgVjnx9ysZ7EYIfY73rt1zSmwZkPdZpWsc1emFvxibhWrxq:k/BmFT9y+LwYTB12PZkl9c1robqxq
MD5:	D3A53059CBCE06F84034DC8FB28600CD
SHA1:	CD4DC93FC7FA7E601EE24E0733D5CDE71BE701C8
SHA-256:	7ADB523604498FF146AAE0D6CB6DC40120E94E4707C89B1D9023A041373DF944
SHA-512:	3D5AA920D7D372BD16DBAF9412378D3598B576A737E0067C477CA545122FF28BA2E4C4336ABB765FAEA2E5B31E5930185BAE59E40CD834FFF733D48444505E12
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......N..a............$...............D.......$...\.......L...........d....>..........l.......8...........T............................................................................................................U...........B......P.......Lw......................T...........H..a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.270405091262286
Encrypted:	false
SSDEEP:	12288:7wD0Th312ap8TSP5ve7dcb5GMtzr8VxmoKwPjMQ2ZlPfq+kwX2jeL:UD0Th312ap8TSPd5
MD5:	2FEFA8E0AD74A260F76D6A6A1E02773B
SHA1:	526CA28241061955A6B1F0B8FE229A0781F8C7E6
SHA-256:	D84CE9CC27DCE21B8631760027E2153772FE5A1B99BC6CA86F9B57ADE7400439
SHA-512:	83385C2685FB242AF1149DC440EA74AA6263768E7288E9FC1F3ED4658D21244DB0E1D87449374BE3447D6EA1E2A776E56D2FA3A600957CC6442A6F8F76D889A8
Malicious:	false
Reputation:	low
Preview:	regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...\|................................................................................................................................................................................................................................................................................................................................................,.t!........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv Download File
Process:	C:\Users\user\Desktop\Renci.SshNet.Tests.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	242
Entropy (8bit):	4.879694892075436
Encrypted:	false
SSDEEP:	6:WsTbZqbbUcfvfAQDLyQ12MUAvv3XBJpQWoJPr:2HfvfBDLyPMbrQ1T
MD5:	968267B112A18CDB20F47CC91936B052
SHA1:	982AB14C1FEDF39D26FEC7BDA79EA06070CA347D
SHA-256:	5B876909EC9F4421DC4EF07E9C131A90EE661E4C940DA295648C255BCD8BAF1E
SHA-512:	B16BF16C70C05BEF396190EB3B1A148758BB2DFE5679F59A979B638A285D080D334D99A38BA0F5BE791FE900B96D115D59ABFD4AF24683D7B9980C3E618C8F80
Malicious:	false
Reputation:	low
Preview:	.Unhandled Exception: System.IO.FileNotFoundException: Could not load file or assembly 'System.Runtime, Version=4.2.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. The system cannot find the file specified..

Static File Info

General
File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.752941368597111
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Renci.SshNet.Tests.exe
File size:	1233920
MD5:	179ed06c51e66ecccc16b76016fda2a3
SHA1:	57e491574060e80980245aa6ecbed6a0c94a7c17
SHA256:	21d8ae198ce38d26ef956902c8b3a48e38eaf3c7c0a9e511168235dbb1ebf493
SHA512:	7f62afb37387be7a4ef451006311ea0f5fd26d391fec0602f6c352cc1bf7de1f57c7fbc4ae12050ee9163c6804478c204203c972cff449f83831609417f7bde2
SSDEEP:	12288:+C8y3muQI2u+QwqTXlb/Q6PFzpbuk1bSlvhId8//ffL+xxwKM:+0bVbukpSlC+//ffaxxwK
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....%............"...0.................. ........@.. .......................@......Q.....@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x52cfa2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xA2E625E9 [Tue Aug 8 20:26:17 2056 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x12cf4f	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x130000	0x5b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x132000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x12ce28	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x12c850	0x12ca00	False	0.232697992464	data	5.75606400964	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x130000	0x5b4	0x600	False	0.40234375	data	4.07012289885	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x132000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x130090	0x324	data
RT_MANIFEST	0x1303c4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright
Assembly Version	1.0.0.0
InternalName	Renci.SshNet.Tests.dll
FileVersion	1.0.0.0
CompanyName	Renci.SshNet.Tests
ProductName	Renci.SshNet.Tests
ProductVersion	1.0.0
FileDescription	Renci.SshNet.Tests
OriginalFilename	Renci.SshNet.Tests.dll

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

• Renci.SshNet.Tests.exe
• conhost.exe
• WerFault.exe

Click to jump to process

Memory Usage

• Renci.SshNet.Tests.exe
• conhost.exe
• WerFault.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• Renci.SshNet.Tests.exe
• conhost.exe
• WerFault.exe

Click to jump to process

System Behavior

Analysis Process: Renci.SshNet.Tests.exe PID: 4636 Parent PID: 2932

Function Logs

General

Start time:	09:20:08
Start date:	17/01/2022
Path:	C:\Users\user\Desktop\Renci.SshNet.Tests.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Renci.SshNet.Tests.exe"
Imagebase:	0xda0000
File size:	1233920 bytes
MD5 hash:	179ED06C51E66ECCCC16B76016FDA2A3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

File Activities

File Opened

File Written

File Read

File Attributes Queried

Device IO

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Key Value Enumerated

Key Enumerated

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Set

System Information Queried

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: conhost.exe PID: 5976 Parent PID: 4636

Function Logs

General

Start time:	09:20:08
Start date:	17/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: WerFault.exe PID: 6636 Parent PID: 4636

Function Logs

General

Start time:	09:20:12
Start date:	17/01/2022
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 4636 -s 728
Imagebase:	0x7ff7a47d0000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

File Activities

File Opened

File Created

File Deleted

File Written

File Attributes Queried

Other File Operations

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Created

Key Deleted

Key Value Created

Key Value Modified

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Execution Suspended

Thread Delayed

Thread Terminated

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Set

Language or Locale ID Queried

System Information Queried

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window Created

Show Windows behavior

Process Token Activities

Token Adjusted

Show Windows behavior

Object Security Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Renci.SshNet.Tests.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: Renci.SshNet.Tests.exe PID: 4636 Parent PID: 2932

General

File Activities

File Opened

File Created

File Written

File Read