Windows Analysis Report
olPUTAxpzu.exe

Overview

General Information

Sample Name: olPUTAxpzu.exe
Analysis ID: 612097
MD5: 8a0e3e9d2d00b456539face1b95f5e49
SHA1: a3e08ca002b4046da36c1d05f079db9ccba567ff
SHA256: 1e9a3a5e2e8da03cb6949e0aa8c169c3e095a7144ac74d87a74450faa83f027d
Tags: 32, exe, trojan

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Hides threads from debuggers
Tries to detect sandboxes and other dynamic analysis tools (window names)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Machine Learning detection for sample
PE file contains section with special chars
Sample file is different than original file name gathered from version info
One or more processes crash
PE file contains an invalid checksum
PE file contains strange resources
Checks if the current process is being debugged
PE file contains sections with non-standard names
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections

Classification

AV Detection

Source: olPUTAxpzu.exe Avira: detected
Source: olPUTAxpzu.exe Virustotal: Detection: 50%
Source: olPUTAxpzu.exe ReversingLabs: Detection: 61%
Source: olPUTAxpzu.exe Joe Sandbox ML: detected
Source: Binary string: PresentationFramework.pdb source: olPUTAxpzu.exe, 00000000.00000002.318900716.0000000003BA1000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.295892013.0000000003BA1000.00000004.00000800.00020000.00000000.sdmp, WER7448.tmp.dmp.7.dr
Source: Binary string: PresentationFramework.pdbT source: WER7448.tmp.dmp.7.dr
Source: Binary string: sBase.pdbX source: olPUTAxpzu.exe, 00000000.00000002.312077698.0000000000938000.00000004.00000010.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.275456598.0000000000938000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WER7448.tmp.dmp.7.dr
Source: Binary string: System.Xml.ni.pdb source: WER7448.tmp.dmp.7.dr
Source: Binary string: [ .pdb source: olPUTAxpzu.exe, 00000000.00000002.312077698.0000000000938000.00000004.00000010.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.275456598.0000000000938000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: WindowsBase.ni.pdb source: WER7448.tmp.dmp.7.dr
Source: Binary string: System.ni.pdbRSDS source: WER7448.tmp.dmp.7.dr
Source: Binary string: WindowsBase.ni.pdbRSDS source: WER7448.tmp.dmp.7.dr
Source: Binary string: (Psf8C:\Windows\WindowsBase.pdb source: olPUTAxpzu.exe, 00000000.00000002.312077698.0000000000938000.00000004.00000010.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.275456598.0000000000938000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER7448.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER7448.tmp.dmp.7.dr
Source: Binary string: System.Configuration.pdb source: WER7448.tmp.dmp.7.dr
Source: Binary string: System.Xml.pdb source: WER7448.tmp.dmp.7.dr
Source: Binary string: System.pdb source: WER7448.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdb source: WER7448.tmp.dmp.7.dr
Source: Binary string: symbols\dll\WindowsBase.pdb source: olPUTAxpzu.exe, 00000000.00000002.312077698.0000000000938000.00000004.00000010.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.275456598.0000000000938000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: PresentationFramework.ni.pdbRSDS~J source: WER7448.tmp.dmp.7.dr
Source: Binary string: PresentationCore.ni.pdbRSDS source: WER7448.tmp.dmp.7.dr
Source: Binary string: WindowsBase.pdb source: olPUTAxpzu.exe, 00000000.00000002.318900716.0000000003BA1000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.291324703.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.295892013.0000000003BA1000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000002.313020359.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000002.312077698.0000000000938000.00000004.00000010.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.275874108.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.275456598.0000000000938000.00000004.00000010.00020000.00000000.sdmp, WER7448.tmp.dmp.7.dr
Source: Binary string: System.Xaml.ni.pdb source: WER7448.tmp.dmp.7.dr
Source: Binary string: mscorlib.pdb source: olPUTAxpzu.exe, 00000000.00000002.318900716.0000000003BA1000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.295892013.0000000003BA1000.00000004.00000800.00020000.00000000.sdmp, WER7448.tmp.dmp.7.dr
Source: Binary string: System.Xaml.ni.pdbRSDS| source: WER7448.tmp.dmp.7.dr
Source: Binary string: PresentationFramework.Aero2.ni.pdb source: WER7448.tmp.dmp.7.dr
Source: Binary string: PresentationCore.ni.pdb source: WER7448.tmp.dmp.7.dr
Source: Binary string: System.Xaml.pdb source: olPUTAxpzu.exe, 00000000.00000002.318900716.0000000003BA1000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.295892013.0000000003BA1000.00000004.00000800.00020000.00000000.sdmp, WER7448.tmp.dmp.7.dr
Source: Binary string: PresentationFramework.Aero2.ni.pdbRSDSl source: WER7448.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdb source: WER7448.tmp.dmp.7.dr
Source: Binary string: PresentationFramework.Aero2.pdb source: WER7448.tmp.dmp.7.dr
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER7448.tmp.dmp.7.dr
Source: Binary string: System.Core.pdb source: WER7448.tmp.dmp.7.dr
Source: Binary string: WindowsBase.pdbwsBase.pdbpdbase.pdbSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.pdb source: olPUTAxpzu.exe, 00000000.00000002.312077698.0000000000938000.00000004.00000010.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.275456598.0000000000938000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: Z:\Oreans Projects\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: olPUTAxpzu.exe, 00000000.00000002.314558433.00000000016EA000.00000040.00000001.01000000.00000003.sdmp, olPUTAxpzu.exe, 00000000.00000000.292688684.00000000016EA000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WER7448.tmp.dmp.7.dr
Source: Binary string: PresentationFramework.ni.pdb source: WER7448.tmp.dmp.7.dr
Source: Binary string: PresentationCore.pdb source: WER7448.tmp.dmp.7.dr
Source: Binary string: System.ni.pdb source: WER7448.tmp.dmp.7.dr
Source: olPUTAxpzu.exe, 00000000.00000002.318900716.0000000003BA1000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.295892013.0000000003BA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/Login.xaml
Source: olPUTAxpzu.exe, 00000000.00000002.318900716.0000000003BA1000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.295892013.0000000003BA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/bhicon.png
Source: olPUTAxpzu.exe, 00000000.00000002.318900716.0000000003BA1000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.295892013.0000000003BA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/Login.xaml
Source: olPUTAxpzu.exe, 00000000.00000002.318900716.0000000003BA1000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.295892013.0000000003BA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/bhicon.png
Source: olPUTAxpzu.exe, 00000000.00000002.318900716.0000000003BA1000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.295892013.0000000003BA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/login.baml
Source: olPUTAxpzu.exe, 00000000.00000002.318900716.0000000003BA1000.00000004.00000800.00020000.00000000.sdmp, olPUTAxpzu.exe, 00000000.00000000.295892013.0000000003BA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bhicon.png
Source: olPUTAxpzu.exe String found in binary or memory: http://pki-crl.symauth.com/ca_d409a5cb737dc0768fd08ed5256f3633/LatestCRL.crl07
Source: olPUTAxpzu.exe String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: olPUTAxpzu.exe String found in binary or memory: http://pki-ocsp.symauth.com0
Source: olPUTAxpzu.exe String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: olPUTAxpzu.exe String found in binary or memory: http://s.symcd.com06
Source: olPUTAxpzu.exe String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: olPUTAxpzu.exe String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: olPUTAxpzu.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: olPUTAxpzu.exe String found in binary or memory: https://api.brutal-hax.net/Driver/Driver1.8_x64.sys
Source: olPUTAxpzu.exe String found in binary or memory: https://api.brutal-hax.net/Online/get_online_users.php?username=
Source: olPUTAxpzu.exe String found in binary or memory: https://api.brutal-hax.net/Online/set_online_status.php?username=
Source: olPUTAxpzu.exe String found in binary or memory: https://api.brutal-hax.net/info/cheat_status.php?hack_id=
Source: olPUTAxpzu.exe String found in binary or memory: https://api.brutal-hax.net/loader_authentification_new.php?username=
Source: olPUTAxpzu.exe String found in binary or memory: https://api.brutal-hax.net/loader_cheat_info_ex.php?index=
Source: olPUTAxpzu.exe String found in binary or memory: https://api.brutal-hax.net/loader_get_cheats.php?username=
Source: olPUTAxpzu.exe String found in binary or memory: https://api.brutal-hax.net/loader_statut_new.php
Source: olPUTAxpzu.exe String found in binary or memory: https://api.brutal-hax.net/loader_version.php
Source: olPUTAxpzu.exe String found in binary or memory: https://api.brutal-hax.net/notification.txt
Source: olPUTAxpzu.exe String found in binary or memory: https://brutal-hax.net/
Source: olPUTAxpzu.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: olPUTAxpzu.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: olPUTAxpzu.exe String found in binary or memory: https://d.symcb.com/rpa0.
Source: olPUTAxpzu.exe String found in binary or memory: https://discord.gg/brutal-hax
Source: olPUTAxpzu.exe String found in binary or memory: https://help.ea.com/en/help/faq/how-to-clean-boot-your-pc/

System Summary

Source: olPUTAxpzu.exe Static PE information: section name:
Source: olPUTAxpzu.exe Static PE information: section name:
Source: olPUTAxpzu.exe Static PE information: section name:
Source: olPUTAxpzu.exe, 00000000.00000000.277455806.00000000016C0000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBHLoaderNew.exe8 vs olPUTAxpzu.exe
Source: olPUTAxpzu.exe, 00000000.00000000.292666429.00000000016E0000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBHLoaderNew.exe8 vs olPUTAxpzu.exe
Source: olPUTAxpzu.exe Binary or memory string: OriginalFilenameBHLoaderNew.exe8 vs olPUTAxpzu.exe
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 1280
Source: olPUTAxpzu.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: olPUTAxpzu.exe Static PE information: Section: ZLIB complexity 0.997523986382
Source: olPUTAxpzu.exe Static PE information: Section: ZLIB complexity 1.53333333333
Source: olPUTAxpzu.exe Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: olPUTAxpzu.exe Virustotal: Detection: 50%
Source: olPUTAxpzu.exe ReversingLabs: Detection: 61%
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: unknown Process created: C:\Users\user\Desktop\olPUTAxpzu.exe "C:\Users\user\Desktop\olPUTAxpzu.exe"
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 1280
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}\InprocServer32
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6200
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7448.tmp
Source: classification engine Classification label: mal80.evad.winEXE@5/4@0/0
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\olPUTAxpzu.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: olPUTAxpzu.exe Static file information: File size 9184276 > 1048576
Source: olPUTAxpzu.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x58b200
Source: olPUTAxpzu.exe Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x313400
Source: olPUTAxpzu.exe Static PE information: real checksum: 0x8c502e should be: 0x8c35cf
Source: olPUTAxpzu.exe Static PE information: section name:
Source: olPUTAxpzu.exe Static PE information: section name:
Source: olPUTAxpzu.exe Static PE information: section name:
Source: olPUTAxpzu.exe Static PE information: section name: .imports
Source: olPUTAxpzu.exe Static PE information: section name: .themida
Source: olPUTAxpzu.exe Static PE information: section name: .boot
Source: olPUTAxpzu.exe Static PE information: section name: .taggant
Source: olPUTAxpzu.exe Static PE information: 0xA8C7FB17 [Thu Sep 25 01:17:11 2059 UTC]
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: initial sample Static PE information: section name: .taggant entropy: 6.83505846314
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\olPUTAxpzu.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\olPUTAxpzu.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\olPUTAxpzu.exe System information queried: ModuleInformation

Anti Debugging

Source: C:\Users\user\Desktop\olPUTAxpzu.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 1280
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\olPUTAxpzu.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos