IOC Report
Ou0ZT4968y.exe


Files

File Path | Type | Category | Malicious
Ou0ZT4968y.exe | PE32 executable (console) Intel 80386, for MS Windows | initial sample | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Ou0ZT4968y.exe_c69ec5e350e75532f4a4b55ffe3a71c9ab2f95_dac8cab9_132de5cf\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Ou0ZT4968y.exe_6d94c01abebf2aab25e322aa91a877df2b8acdd6_dac8cab9_0497fefa\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | malicious
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBFE.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Nov 24 18:54:14 2022, 0x1205a4 type | dropped
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD28.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCDC5.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped
\Device\ConDrv | ASCII text, with no line terminators | dropped
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDFF8.tmp.dmp | Mini DuMP crash report, 14 streams, Fri Nov 25 03:47:14 2022, 0x1205a4 type | dropped
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1AF.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE24C.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\Ou0ZT4968y.exe | C:\Users\user\Desktop\Ou0ZT4968y.exe | malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 192
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 144
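Two things in the process table deserve a mechanical check rather than a glance. First, vbc.exe (the Visual Basic compiler) was started with no arguments at all; a compiler is never invoked that way legitimately, and an argument-less launch of a Microsoft-signed .NET Framework tool is the usual footprint of a loader that starts the tool suspended and replaces its image. Second, WerFault.exe ran twice, and its -p value is the PID of the process it was reporting on, so two distinct processes crashed; both WerFault instances come from SysWOW64, so both crashing processes were 32-bit, which is consistent with the PE32 sample and the 32-bit Framework (not Framework64) vbc.exe. The table carries no PID or parent column, so the PIDs cannot be mapped back to images from this page alone. The Python below is an added example by the editor, not part of the sandbox report; the process rows are transcribed from the table above, and the list of .NET tool names treated as hollowing hosts is the editor's assumption.

```python
import re

# Process rows transcribed from the report's Processes table: (image path, command line).
# The table has no parent/child or PID column, so the checks below rely only on
# the image name and its arguments.
REPORT_PROCESSES = [
    (r"C:\Users\user\Desktop\Ou0ZT4968y.exe",
     r"C:\Users\user\Desktop\Ou0ZT4968y.exe"),
    (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"),
    (r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 192"),
    (r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 144"),
]

# .NET Framework tools that do nothing useful when started without arguments and are
# routinely chosen as hosts for process hollowing (editor's assumption, not from the report).
NET_TOOL_NAMES = {"vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe",
                  "installutil.exe", "aspnet_compiler.exe"}

# WerFault.exe -p <pid>: the process the crash report is about.
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")


def image_name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def split_cmdline(cmdline):
    """Split a Windows command line into (image, [args]); the image may be quoted."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end < 0:
            end = len(cmdline)
        image, rest = cmdline[1:end], cmdline[end + 1:]
    else:
        image, _, rest = cmdline.partition(" ")
    return image, rest.split()


def argless_net_tools(processes):
    """Image paths of .NET tools that were launched with an empty argument list."""
    return [path for path, cmdline in processes
            if image_name(path) in NET_TOOL_NAMES and not split_cmdline(cmdline)[1]]


def werfault_crash_pids(processes):
    """PIDs of the processes WerFault.exe was started to report on (its -p value)."""
    pids = []
    for path, cmdline in processes:
        if image_name(path) == "werfault.exe":
            m = WERFAULT_PID_RE.search(cmdline)
            if m:
                pids.append(int(m.group(1)))
    return pids


def triage(processes):
    """Findings a reviewer would want from the process table alone."""
    return {
        "argless_net_tools": argless_net_tools(processes),
        "crashed_pids": werfault_crash_pids(processes),
    }


if __name__ == "__main__":
    for key, value in triage(REPORT_PROCESSES).items():
        print(f"{key}: {value}")
```

On a real host the same two rules run over Sysmon event ID 1 (process creation) records: the argument-less rule needs only Image and CommandLine, and the -p rule lets a WerFault launch be joined to the ProcessId of the crashing process, which this table does not expose.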

URLs

Name | IP | Malicious
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | unknown
https://gcc.gnu.org/bugs/): | unknown
https://sectigo.com/CPS0 | unknown
https://studio.youtube.comSAPISIDHASH | unknown
https://studio.youtube.comX-Originapplication/jsonContent-TypesessionTokenctx | unknown
http://ocsp.sectigo.com0 | unknown
https://studio.youtube.com | unknown
https://studio.youtube.com/reauth | unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | unknown
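The URL table is a string dump, not a list of contacted hosts, and it needs cleaning before anything goes into a blocklist. The four Sectigo entries name the Sectigo RSA Time Stamping CA, so they come from the certificate chain of an Authenticode timestamp countersignature embedded in the file; the odd tails ("0t", "0#", a bare "0") are not part of the URLs but the DER tag and length bytes of the element that follows the URL inside the certificate (0x30 is SEQUENCE; the "#" after the crt URL is 0x23, the 35-byte length of the OCSP access description that follows it). Blocking sectigo.com would break signature validation on the whole estate. The gcc.gnu.org entry ends in "):", which reads as a fragment of a toolchain diagnostic message rather than a contacted endpoint (the surrounding message is not on the page, so this stays a judgement call). The studio.youtube.com entries are fused with adjacent strings (SAPISIDHASH, X-Origin, Content-Type, sessionToken), which is what string extraction produces when a URL is stored next to other literals; the URL prefix is the usable part. The Python below is an added example by the editor, not from the report; the raw strings are copied from the table above, and the host patterns used to recognise certificate infrastructure are the editor's heuristic.

```python
import re

# URL strings as listed in the report's URLs table (transcribed, not fetched).
REPORT_URLS = [
    "http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t",
    "https://gcc.gnu.org/bugs/):",
    "https://sectigo.com/CPS0",
    "https://studio.youtube.comSAPISIDHASH",
    "https://studio.youtube.comX-Originapplication/jsonContent-TypesessionTokenctx",
    "http://ocsp.sectigo.com0",
    "https://studio.youtube.com",
    "https://studio.youtube.com/reauth",
    "http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#",
]

# Host labels are matched as lowercase (all hosts in this sample are lowercase), so the
# first byte that cannot belong to a lowercase host name ends the URL and starts the
# residue of whatever string was stored next to it in the binary.
URL_RE = re.compile(
    r"^(?P<scheme>https?)://(?P<host>[a-z0-9.-]+)"
    r"(?P<path>/[A-Za-z0-9._~/-]*)?(?P<residue>.*)$", re.S)

# A URL inside an X.509 certificate is a DER IA5String; the bytes right after it are the
# tag and length of the next element, typically 0x30 ('0') plus one length byte.
# Strip at most "0" plus one trailing byte, and only for certificate-infrastructure URLs.
DER_TAIL_RE = re.compile(r"0.?$")

# Editor's heuristic for CRL / OCSP / issuer-certificate hosts; CPS paths are handled below.
CA_HOST_RE = re.compile(r"^(crl|ocsp|crt|aia)\d*\.")


def parse_extracted_url(raw):
    """Split an extracted string into a clean URL, leftover residue and a triage category."""
    m = URL_RE.match(raw)
    if not m:
        return None
    host, path, residue = m["host"], m["path"] or "", m["residue"]
    if CA_HOST_RE.match(host) or path.upper().startswith("/CPS"):
        host = DER_TAIL_RE.sub("", host)               # "ocsp.sectigo.com0" -> "ocsp.sectigo.com"
        path = DER_TAIL_RE.sub("", path + residue)     # ".crl0t", "/CPS0", ".crt0#" lose the DER bytes
        residue, category = "", "certificate-chain metadata"
    elif host == "gcc.gnu.org":
        category = "toolchain string"      # editor's judgement: diagnostic text, not a destination
    else:
        category = "review"
    return {"raw": raw, "url": f"{m['scheme']}://{host}{path}",
            "residue": residue, "category": category}


def network_iocs(raw_urls):
    """Unique cleaned URLs that remain candidates for network indicators."""
    parsed = (parse_extracted_url(r) for r in raw_urls)
    return sorted({p["url"] for p in parsed if p and p["category"] == "review"})


if __name__ == "__main__":
    for raw in REPORT_URLS:
        p = parse_extracted_url(raw)
        print(f"{p['category']:27s} {p['url']}" + (f"   residue={p['residue']!r}" if p["residue"] else ""))
    print("candidate network IOCs:", network_iocs(REPORT_URLS))
```

The cleaned certificate URLs can be checked against the file's own signature (for example with the timestamp chain shown by signtool verify /v or osslsigncode verify) to confirm they are accounted for by the embedded certificates; only the entries left in the "review" category belong in a detection.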

Registry

Path | Value | Malicious
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags | AmiHivePermissionsCorrect
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags | AmiHiveOwnerCorrect
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8 | ProgramId
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8 | FileId
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8 | LowerCaseLongPath
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8 | LongPathHash
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8 | Name
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8 | Publisher
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8 | Version
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8 | BinFileVersion
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8 | BinaryType
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8 | ProductName
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8 | ProductVersion
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8 | LinkDate
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8 | BinProductVersion
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8 | Size
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8 | Language
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8 | IsPeFile
\REGISTRY\A\{31b051f3-a409-8ac3-1822-529041218f7e}\Root\InventoryApplicationFile\ou0zt4968y.exe|86d131a8 | IsOsComponent
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug | ExceptionRecord
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | DeviceTicket
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | DeviceId
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | ApplicationFlags
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property | 00184006417502B9
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab | ProgramId
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab | FileId
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab | LowerCaseLongPath
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab | LongPathHash
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab | Name
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab | Publisher
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab | Version
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab | BinFileVersion
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab | BinaryType
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab | ProductName
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab | ProductVersion
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab | LinkDate
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab | BinProductVersion
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab | Size
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab | Language
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab | IsPeFile
\REGISTRY\A\{1e530eef-2f4b-2fce-1bd8-0875db519f52}\Root\InventoryApplicationFile\ou0zt4968y.exe|6912c8ab | IsOsComponent
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property | 00184009DD6AB7DA
(32 further registry entries are not included in this export.)

Memdumps

Base Address | Region type | Protect | Malicious
1140000 | trusted library allocation | page read and write
8FA96FA000 | stack | page read and write
1250000 | remote allocation | page read and write
CD3000 | unknown | page execute and read and write
1170000 | heap | page read and write
4C5F000 | remote allocation | page read and write
1E8FBA70000 | heap | page read and write
4E9B000 | trusted library allocation | page read and write
1E8FC750000 | trusted library allocation | page read and write
8FA97FE000 | stack | page read and write
163F000 | direct allocation | page execute and read and write
CD3000 | unknown | page execute and read and write
1E8FBB3D000 | heap | page read and write
1300000 | heap | page read and write
23C21902000 | trusted library allocation | page read and write
D80000 | heap | page read and write
1140000 | trusted library allocation | page read and write
1300000 | heap | page read and write
1E8FBB3A000 | heap | page read and write
CD3000 | unknown | page execute and read and write
23C21770000 | trusted library allocation | page read and write
8FA98F9000 | stack | page read and write
A6A000 | unknown | page read and write
1E8FBB5E000 | heap | page read and write
D4F000 | unknown | page read and write
D80000 | unknown | page read and write
4E36000 | heap | page read and write
D4F000 | unknown | page read and write
9B1000 | unknown | page execute read
1663000 | direct allocation | page execute and read and write
4E70000 | heap | page read and write
1E8FBB39000 | heap | page read and write
1E8FC9D0000 | trusted library allocation | page read and write
1400000 | direct allocation | page execute and read and write
1E8FC9A0000 | trusted library allocation | page read and write
23C21D00000 | heap | page read and write
4E30000 | heap | page read and write
4660000 | trusted library allocation | page readonly
23C21915000 | trusted library allocation | page read and write
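The memdump table mixes regions from several processes without saying which, and it repeats some bases, so it pays to sort it mechanically instead of reading it top to bottom. The regions worth a reviewer's time are the ones that are both writable and executable (no normal image section needs that) and the executable regions whose type is "unknown" or "direct allocation", that is, not backed by a loaded module, which is where unpacked or injected code lands; a read-only executable region of unknown type is usually a mapped image's code and is a much weaker signal than RWX. Bases above 4 GiB cannot belong to a 32-bit process (PE32 or WOW64), so those rows come from a 64-bit process in the run (the table does not say which one). A base that appears with two different region types (D80000 as both heap and unknown) shows that rows from different address spaces were flattened into one table. The Python below is an added example by the editor, not part of the report; the rows are transcribed from the table above with the report's "unkown" spelling normalised, and the region-type names treated as unbacked are the editor's reading of the report's own labels.

```python
from collections import defaultdict

# Memdump rows transcribed from the report's Memdumps table as
# "base address, region type, protection". The report has no process column,
# so rows from different processes are mixed together.
REPORT_MEMDUMPS = """\
1140000, trusted library allocation, page read and write
8FA96FA000, stack, page read and write
1250000, remote allocation, page read and write
CD3000, unknown, page execute and read and write
1170000, heap, page read and write
4C5F000, remote allocation, page read and write
1E8FBA70000, heap, page read and write
4E9B000, trusted library allocation, page read and write
1E8FC750000, trusted library allocation, page read and write
8FA97FE000, stack, page read and write
163F000, direct allocation, page execute and read and write
CD3000, unknown, page execute and read and write
1E8FBB3D000, heap, page read and write
1300000, heap, page read and write
23C21902000, trusted library allocation, page read and write
D80000, heap, page read and write
1140000, trusted library allocation, page read and write
1300000, heap, page read and write
1E8FBB3A000, heap, page read and write
CD3000, unknown, page execute and read and write
23C21770000, trusted library allocation, page read and write
8FA98F9000, stack, page read and write
A6A000, unknown, page read and write
1E8FBB5E000, heap, page read and write
D4F000, unknown, page read and write
D80000, unknown, page read and write
4E36000, heap, page read and write
D4F000, unknown, page read and write
9B1000, unknown, page execute read
1663000, direct allocation, page execute and read and write
4E70000, heap, page read and write
1E8FBB39000, heap, page read and write
1E8FC9D0000, trusted library allocation, page read and write
1400000, direct allocation, page execute and read and write
1E8FC9A0000, trusted library allocation, page read and write
23C21D00000, heap, page read and write
4E30000, heap, page read and write
4660000, trusted library allocation, page readonly
23C21915000, trusted library allocation, page read and write
"""

# Region types the report uses for memory that is not a loaded module or library.
UNBACKED_KINDS = {"unknown", "direct allocation"}


def parse_memdumps(text):
    """Return [(base:int, region type:str, protect:str)] from the comma-separated rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        base, kind, protect = (part.strip() for part in line.split(",", 2))
        # the report spells one region type "unkown"; accept either spelling
        rows.append((int(base, 16), kind.replace("unkown", "unknown"), protect))
    return rows


def triage(rows):
    """Group region bases by the property that makes them worth a look."""
    kinds_by_base = defaultdict(set)
    for base, kind, _ in rows:
        kinds_by_base[base].add(kind)

    def hexs(bases):
        return [f"{b:X}" for b in sorted(set(bases))]

    executable = [(b, k, p) for b, k, p in rows if "execute" in p]
    return {
        # writable and executable at once: never needed by a normal image section
        "rwx": hexs(b for b, _, p in executable if "write" in p),
        # executable but not backed by a module: where unpacked/injected code usually lands
        "exec_unbacked": hexs(b for b, k, _ in executable if k in UNBACKED_KINDS),
        # above 4 GiB: cannot be the 32-bit sample or its WOW64 children
        "beyond_32bit": hexs(b for b, _, _ in rows if b > 0xFFFFFFFF),
        # one base with several region types: rows from different processes were merged
        "conflicting_bases": hexs(b for b, kinds in kinds_by_base.items() if len(kinds) > 1),
    }


REGIONS = parse_memdumps(REPORT_MEMDUMPS)

if __name__ == "__main__":
    for name, bases in triage(REGIONS).items():
        print(f"{name:18s} {', '.join(bases) or '-'}")
```

The RWX and unbacked-executable bases are the ones to pull from the sandbox's dump files first (CD3000, 1400000, 163F000 and 1663000 here), since a dump of a writable executable region taken after the sample ran is the most likely place to find the unpacked payload that the on-disk PE32 does not show.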