Windows Analysis Report
Ou0ZT4968y.exe

Overview

General Information

Sample Name:	Ou0ZT4968y.exe
Analysis ID:	753418
MD5:	27b75158dcfeba6b3419bdbb15397584
SHA1:	8a135c4fc3fa7e06bf29537f9cb0298cc2f1c1de
SHA256:	a6ffd97ca5d47f2251a53ccd3ab891a9fec5b7d0f316b4c11e7d88f19765b1b4
Tags:	32exetrojan
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Allocates memory in foreign processes

Tries to harvest and steal browser information (history, passwords, etc)

Injects a PE file into a foreign processes

Uses 32bit PE files

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

Found large amount of non-executed APIs

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: Ou0ZT4968y.exe

Virustotal: Detection: 34%

Perma Link

Uses 32bit PE files

Source: Ou0ZT4968y.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Ou0ZT4968y.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: \Downloads\Documents\3pqvu\outpu2.pdb source: Ou0ZT4968y.exe

Source: Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: Set-CookieCookie:www.youtube.comLOGIN_INFOstudio.youtube.com\u003d=%3DPAGE_CLINNERTUBE_API_KEYPAGE_BUILD_LABELINNERTUBE_CONTEXT_CLIENT_NAMEINNERTUBE_CONTEXT_CLIENT_VERSIONINNERTUBE_CONTEXT_SERIALIZED_DELEGATION_CONTEXTINNERTUBE_CONTEXT_GLINNERTUBE_CONTEXT_HLproductVersionVISITOR_DATAXSRF_TOKENCHANNEL_ID equals www.youtube.com (Youtube)
Source: Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: tVSet-CookieCookie:www.youtube.comLOGIN_INFOstudio.youtube.com\u003d=%3DPAGE_CLINNERTUBE_API_KEYPAGE_BUILD_LABELINNERTUBE_CONTEXT_CLIENT_NAMEINNERTUBE_CONTEXT_CLIENT_VERSIONINNERTUBE_CONTEXT_SERIALIZED_DELEGATION_CONTEXTINNERTUBE_CONTEXT_GLINNERTUBE_CONTEXT_HLproductVersionVISITOR_DATAXSRF_TOKENCHANNEL_ID equals www.youtube.com (Youtube)
Source: Ou0ZT4968y.exe	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)

Source: Ou0ZT4968y.exe, 00000000.00000000.330263752.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Ou0ZT4968y.exe, 00000000.00000000.330263752.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Ou0ZT4968y.exe, 00000000.00000000.330263752.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: Ou0ZT4968y.exe, 00000000.00000000.330263752.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://studio.youtube.com
Source: Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://studio.youtube.com/reauth
Source: Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://studio.youtube.comSAPISIDHASH
Source: Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://studio.youtube.comX-Originapplication/jsonContent-TypesessionTokenctx

Uses 32bit PE files

Source: Ou0ZT4968y.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

One or more processes crash

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 192

Detected potential crypto function

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B2414	0_2_009B2414
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B510A	0_2_009B510A
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B35CB	0_2_009B35CB
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B510F	0_2_009B510F
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B1E2E	0_2_009B1E2E
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B2270	0_2_009B2270
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B33A5	0_2_009B33A5
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B278E	0_2_009B278E
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B5ECF	0_2_009B5ECF
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B5F74	0_2_009B5F74
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_00A31D69	0_2_00A31D69
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B1E1A	0_2_009B1E1A
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B1A73	0_2_009B1A73
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B1154	0_2_009B1154
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B1154	0_2_009B1154
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B2DBA	0_2_009B2DBA
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B3378	0_2_009B3378
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B4C0F	0_2_009B4C0F
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B13AC	0_2_009B13AC
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B25A4	0_2_009B25A4
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B2EA0	0_2_009B2EA0
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B4462	0_2_009B4462
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B2EA0	0_2_009B2EA0
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B2414	0_2_009B2414
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B2838	0_2_009B2838

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: String function: 009B2F36 appears 93 times
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: String function: 009B21BC appears 45 times
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: String function: 009B4FC0 appears 70 times
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: String function: 00A2BD8D appears 31 times

Source: Ou0ZT4968y.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_EXPORT size: 0x100 address: 0x0
Source: Ou0ZT4968y.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE size: 0x100 address: 0x0

Source: Ou0ZT4968y.exe

Virustotal: Detection: 34%

Source: Ou0ZT4968y.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Ou0ZT4968y.exe C:\Users\user\Desktop\Ou0ZT4968y.exe
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 192
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Mutant created: \Sessions\1\BaseNamedObjects\DmAaAaAa__shmem3_winpthreads_tdm_
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Mutant created: \Sessions\1\BaseNamedObjects\DmAaAaAa__eh_shmem3_gcc_tdm_
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1308
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1236:120:WilError_01

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBFE.tmp

Jump to behavior

Source: classification engine

Classification label: mal64.spyw.evad.winEXE@5/5@0/0

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);

Source: Ou0ZT4968y.exe

Static file information: File size 3838464 > 1048576

Source: Ou0ZT4968y.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x2e8000

Source: Ou0ZT4968y.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Ou0ZT4968y.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: \Downloads\Documents\3pqvu\outpu2.pdb source: Ou0ZT4968y.exe

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B2158 push ecx; ret		0_2_009E86D3
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009E71C7 push ecx; ret		0_2_009E71DA

PE file contains sections with non-standard names

Source: Ou0ZT4968y.exe

Static PE information: section name: .00cfg

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Code function: 0_2_009C0C7A LoadLibraryA,LoadLibraryA,GetProcAddress,

0_2_009C0C7A

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

API coverage: 3.6 %

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Code function: 0_2_009B384B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_009B384B

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B302B mov eax, dword ptr fs:[00000030h]	0_2_009B302B
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B4827 mov eax, dword ptr fs:[00000030h]	0_2_009B4827
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B1A64 mov eax, dword ptr fs:[00000030h]	0_2_009B1A64
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_00A22752 mov eax, dword ptr fs:[00000030h]	0_2_00A22752

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Code function: 0_2_009C0C7A LoadLibraryA,LoadLibraryA,GetProcAddress,

0_2_009C0C7A

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Code function: 0_2_009B5D94 GetProcessHeap,

0_2_009B5D94

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Code function: 0_2_009C0375 LdrInitializeThunk,

0_2_009C0375

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B384B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_009B384B
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: 0_2_009B579A SetUnhandledExceptionFilter,		0_2_009B579A

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4A00000			Jump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4955008			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4A00000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4A00000 value starts with: 4D5A

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Jump to behavior

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: GetLocaleInfoW,	0_2_009B282E
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: GetLocaleInfoW,	0_2_009B282E
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: GetLocaleInfoEx,	0_2_009E6A66
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_009B3431
Source: C:\Users\user\Desktop\Ou0ZT4968y.exe	Code function: EnumSystemLocalesW,	0_2_00A2B629

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Code function: 0_2_009E86D9 cpuid

0_2_009E86D9

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Code function: 0_2_00A34A53 GetTimeZoneInformation,

0_2_00A34A53

Source: C:\Users\user\Desktop\Ou0ZT4968y.exe

Code function: 0_2_009E8204 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_009E8204

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	753418
Product:	CloudBasic
Start time:	19:53:06
Start date:	24.11.2022
Sample:	Ou0ZT4968y.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	27b75158dcfeba6b3419bdbb15397584
SHA1:	8a135c4fc3fa7e06bf29537f9cb0298cc2f1c1de
SHA256:	a6ffd97ca5d47f2251a53ccd3ab891a9fec5b7d0f316b4c11e7d88f19765b1b4
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Ou0ZT4968y.exe_c69ec5e350e75532f4a4b55ffe3a71c9ab2f95_dac8cab9_132de5cf\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	7AC4342A1B85811ABAC24B76E45FE49A	A8499CB46EECF8D8AC21AFDA6BE18035E241CB90	8DCCCA9025CAD3C72E81F4F21E14D53A4E166B49F3888234D9447B8781ED2894
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBFE.tmp.dmp	Mini DuMP crash report, 14 streams, Thu Nov 24 18:54:14 2022, 0x1205a4 type	D6CBDA626C8A5B9F30BF23C4A5174EAB	95C4B8E3290F8694C9FC7CC7A5501DB590A21579	08521C7778E80CF397D6E9639DB800C4E9FDDC844263BAC6FC2418CC22A5F2EA
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD28.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	676E041CAED641FAA1D9F752A56D126D	799474AEAB27404D44C101393561B0C9BAED70BD	C12A11E890F3AA61D532339AA79B37EF7A9B5BAE586B5063016AFB6E316466DA
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCDC5.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	FEF898BE98C3553564C2770855DD739C	32FEDBF10134E4B676D72E4784B9D59A8F275569	18164DF80E19CD9DFDC743A86945DE336F3C0032E3BC1B5E745021462E87002D
\Device\ConDrv	ASCII text, with no line terminators	3C59DC048E8850243BE8079A5C74D079	472B07B9FCF2C2451E8781E944BF5F77CD8457C8	6F4B6612125FB3A0DAECD2799DFD6C9C299424FD920F9B308110A2C1FBD8F443

Windows Analysis Report
Ou0ZT4968y.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Windows Analysis Report Ou0ZT4968y.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
Ou0ZT4968y.exe