Windows Analysis Report
cambridge.shareholdersuite.exe

ID:	800790
Product:	CloudBasic
Start time:	19:53:29
Start date:	07.02.2023
Sample:	cambridge.shareholdersuite.exe
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Architecture:	WINDOWS
MD5:	36a2a6c6f6ba38708f501acce1176f1c
SHA1:	b5dbb9cef3950df5ad736367fc402f4a2cd8f741
SHA256:	d7e7a93d26422463c14fe026463ba369fd02e538df3fc379007135fe8a301b41
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_cambridge.shareh_b0b1b6854f979e9e27d3f079aaadcb4db67090f2_dd0f84fe_82132d7a-9be1-4710-9e0b-377f233cb68f\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	3E2D5B3851F33FFF32AEA5C7B4FDEECF	6770424C9C5627FC61E0086EEAE01BE40029EF4B	1CCB3014B0CA0A72A27BAEA4AD8126258261DDDF7534ECCBE9713463A31B857D
C:\ProgramData\Microsoft\Windows\WER\Temp\WER74FA.tmp.dmp	Mini DuMP crash report, 14 streams, Tue Feb 7 18:54:09 2023, 0x1205a4 type	FF6F1E3F19AB71C225CB991B994C34FF	CADB4FA29C4547F6445DD3D3698DC52932AEBADA	F458B18533869EEBE844961F764D7D82A35C659F7D62D42D91D1B035A58D1A86
C:\ProgramData\Microsoft\Windows\WER\Temp\WER76EF.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	686092FE4DB868C06EC2A0CF1D2AC552	D0433D72A2204683C7AFCB5FD7D97B240B5AA25D	A88AD7AAD3167A33C4601CD3DC7B8492554F6D86DB9DA6BA72CCDBE902B1E432
C:\ProgramData\Microsoft\Windows\WER\Temp\WER775D.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	A917353E79A3B717A88486AB951C8EAA	CA16B3F8592E8AC1BAE88DD8DF42D7D4342F5D00	B989E34C7966D2199B681E144F2190F6EF7A154178A9DFA4FA9E6533A9EDE3FD
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	73A7039D1DE2708FC35819C74B2DCA20	77C00358A95635CDE1761C33C50A01BE65D516AE	1A270B345777385671F6C5E3AD8EE8CA6D63BD153593DCAE22CC1B311F896FFD
C:\Windows\appcompat\Programs\Amcache.hve.LOG1	MS Windows registry file, NT/2000 or above	8B30E7D9B14A6B1FE6EBED54579E7FEA	741FA3DFEA4095BB53B875252394DAE1896C8DEA	9EE6F4B955826247F14429E7A165D8B15A2C4296FFD64246CD985D51632773AE

Compliance

Source: cambridge.shareholdersuite.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: cambridge.shareholdersuite.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

System Summary

Source: cambridge.shareholdersuite.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6440 -s 808

Source: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe

File read: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER74FA.tmp

Source: cambridge.shareholdersuite.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: cambridge.shareholdersuite.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\bf92dcc11e428fd5adf02632b5d4414f\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\bf92dcc11e428fd5adf02632b5d4414f\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\bf92dcc11e428fd5adf02632b5d4414f\mscorlib.ni.dll

Source: classification engine

Classification label: clean2.winEXE@2/6@0/10

Source: unknown	Process created: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe
Source: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6440 -s 808

Source: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6440

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: cambridge.shareholdersuite.exe

Static file information: File size 16980992 > 1048576

Source: cambridge.shareholdersuite.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: cambridge.shareholdersuite.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: cambridge.shareholdersuite.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1018600

Source: cambridge.shareholdersuite.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: cambridge.shareholdersuite.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Anti Debugging

Source: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe	Process queried: DebugPort
Source: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe	Process queried: DebugPort

Source: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe

Memory allocated: page read and write | page guard

Language, Device and Operating System Detection

Source: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe	Queries volume information: C:\Users\alfredo\Desktop\cambridge.shareholdersuite.exe VolumeInformation
Source: C:\Windows\SysWOW64\WerFault.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\WER\Temp VolumeInformation
Source: C:\Windows\SysWOW64\WerFault.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_cambridge.shareh_b0b1b6854f979e9e27d3f079aaadcb4db67090f2_dd0f84fe_82132d7a-9be1-4710-9e0b-377f233cb68f\Report.wer VolumeInformation