Windows Analysis Report Unreal.exe

Overview

General Information

Sample Name: Unreal.exe
Analysis ID: 1375
MD5: 35a93d1f2edc044b3d8289abfeb17a43
SHA1: c29f2524ae4bd239c849720b1fc6ce5c13bee93b
SHA256: 88d3b3a6564e25b63b31f4a00361384fd294f228763b3bde4e3162144971d385

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: Unreal.exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=dow"}
Multi AV Scanner detection for submitted file
Source: Unreal.exe Virustotal: Detection: 41%
Source: Unreal.exe ReversingLabs: Detection: 13%
Antivirus / Scanner detection for submitted sample
Source: Unreal.exe Avira: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.0.Unreal.exe.400000.0.unpack Avira: Label: TR/AD.Nekark.hrjdi

Compliance:

Uses 32bit PE files
Source: Unreal.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 142.250.185.142:443 -> 192.168.11.20:49787 version: TLS 1.2
Source: Binary string: CLBCatQ.pdb( source: WerFault.exe, 00000013.00000003.18468036475.00000000060AA000.00000004.00000001.sdmp
Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000013.00000003.18488731402.0000000006900000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdb( source: WerFault.exe, 00000013.00000003.18448355203.0000000000514000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb( source: WerFault.exe, 00000013.00000003.18457584237.0000000005C93000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.18445876276.00000000004D5000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 00000013.00000003.18487893314.00000000064AA000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source: Binary string: RegAsm.pdb source: WerFault.exe, 00000013.00000003.18448402529.000000000044A000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb8 source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb\ source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb! source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000013.00000003.18461903158.0000000005CC7000.00000004.00000001.sdmp
Source: Binary string: iCLBCatQ.pdb source: WerFault.exe, 00000013.00000003.18450568195.0000000005161000.00000004.00000001.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000013.00000003.18492583538.00000000064CC000.00000004.00000001.sdmp
Source: Binary string: shcore.pdbE source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: srvcli.pdb, source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.18458800581.00000000058B4000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb( source: WerFault.exe, 00000013.00000003.18448322350.000000000050D000.00000004.00000001.sdmp
Source: Binary string: qncryptsslp.pdb source: WerFault.exe, 00000013.00000003.18452058007.0000000005CA4000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb( source: WerFault.exe, 00000013.00000003.18448382320.000000000051A000.00000004.00000001.sdmp
Source: Binary string: msi.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000013.00000003.18468036475.00000000060AA000.00000004.00000001.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 00000013.00000003.18478792357.0000000005CCD000.00000004.00000001.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 00000013.00000003.18487856720.00000000064A5000.00000004.00000001.sdmp
Source: Binary string: winspool.pdb( source: WerFault.exe, 00000013.00000003.18456898801.0000000005898000.00000004.00000001.sdmp
Source: Binary string: WLDP.pdb( source: WerFault.exe, 00000013.00000003.18457560822.0000000005C8E000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.18445925646.00000000004DB000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb\ source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb( source: WerFault.exe, 00000013.00000003.18478792357.0000000005CCD000.00000004.00000001.sdmp
Source: Binary string: RegAsm.pdb( source: WerFault.exe, 00000013.00000003.18448402529.000000000044A000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb( source: WerFault.exe, 00000013.00000003.18491865404.000000000695B000.00000004.00000001.sdmp
Source: Binary string: mscoree.pdb\ source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb( source: WerFault.exe, 00000013.00000003.18492583538.00000000064CC000.00000004.00000001.sdmp
Source: Binary string: srvcli.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source: Binary string: wintrust.pdbl source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000013.00000003.18452058007.0000000005CA4000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb( source: WerFault.exe, 00000013.00000003.18458800581.00000000058B4000.00000004.00000001.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: ncrypt.pdb~ source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: gpapi.pdb( source: WerFault.exe, 00000013.00000003.18495320806.00000000069B5000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000013.00000003.18461838493.0000000005CBC000.00000004.00000001.sdmp
Source: Binary string: dpapi.pdb( source: WerFault.exe, 00000013.00000003.18461019578.00000000064C1000.00000004.00000001.sdmp
Source: Binary string: wmswsock.pdb( source: WerFault.exe, 00000013.00000003.18474782981.0000000005CB6000.00000004.00000001.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000013.00000003.18511282417.00000000047F1000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdbc source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: gpapi.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: rsaenh.pdb( source: WerFault.exe, 00000013.00000003.18488731402.0000000006900000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb( source: WerFault.exe, 00000013.00000003.18448223479.00000000004F7000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000013.00000003.18467435547.00000000058BF000.00000004.00000001.sdmp
Source: Binary string: WLDP.pdb[ source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000013.00000003.18445975471.00000000004E6000.00000004.00000001.sdmp
Source: Binary string: i.pdb~ source: WerFault.exe, 00000013.00000003.18447539497.00000000050EF000.00000004.00000001.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 00000013.00000003.18457451856.0000000005C77000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdbm source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: netutils.pdb" source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000013.00000003.18460988044.00000000064BB000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000013.00000003.18447678008.000000000515A000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000013.00000003.18461462340.0000000005C88000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb( source: WerFault.exe, 00000013.00000003.18446070364.00000000004F1000.00000004.00000001.sdmp
Source: Binary string: iertutil.pdb( source: WerFault.exe, 00000013.00000003.18457451856.0000000005C77000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000013.00000003.18445876276.00000000004D5000.00000004.00000001.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: ncrypt.pdb source: WerFault.exe, 00000013.00000003.18489031214.0000000006A11000.00000004.00000001.sdmp
Source: Binary string: dpapi.pdb source: WerFault.exe, 00000013.00000003.18461019578.00000000064C1000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb3 source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbW source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdbQ source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: netutils.pdb( source: WerFault.exe, 00000013.00000003.18483510070.0000000006439000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdbF source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb( source: WerFault.exe, 00000013.00000003.18467435547.00000000058BF000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb( source: WerFault.exe, 00000013.00000003.18453188291.0000000005C7D000.00000004.00000001.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: netutils.pdb source: WerFault.exe, 00000013.00000003.18483510070.0000000006439000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb( source: WerFault.exe, 00000013.00000003.18448297037.0000000000508000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb( source: WerFault.exe, 00000013.00000003.18451945559.0000000005C99000.00000004.00000001.sdmp
Source: Binary string: wininet.pdb source: WerFault.exe, 00000013.00000003.18455791748.00000000058C5000.00000004.00000001.sdmp
Source: Binary string: wgdi32full.pdb( source: WerFault.exe, 00000013.00000003.18446219822.0000000000502000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb( source: WerFault.exe, 00000013.00000003.18447912395.0000000005149000.00000004.00000001.sdmp
Source: Binary string: psapi.pdb' source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb( source: WerFault.exe, 00000013.00000003.18462073106.00000000058A9000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb\ source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdbx source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: ncrypt.pdb( source: WerFault.exe, 00000013.00000003.18489031214.0000000006A11000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000013.00000003.18453188291.0000000005C7D000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdb( source: WerFault.exe, 00000013.00000003.18460988044.00000000064BB000.00000004.00000001.sdmp
Source: Binary string: ncryptsslp.pdb( source: WerFault.exe, 00000013.00000003.18484709355.0000000006A72000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb( source: WerFault.exe, 00000013.00000003.18447936998.000000000514F000.00000004.00000001.sdmp
Source: Binary string: wininet.pdbO source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb( source: WerFault.exe, 00000013.00000003.18450505858.0000000005154000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb= source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000013.00000003.18447912395.0000000005149000.00000004.00000001.sdmp
Source: Binary string: iertutil.pdby source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb\ source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source: Binary string: schannel.pdb( source: WerFault.exe, 00000013.00000003.18487856720.00000000064A5000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb( source: WerFault.exe, 00000013.00000003.18456945964.00000000058A3000.00000004.00000001.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000013.00000003.18483084836.0000000006494000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.18456945964.00000000058A3000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdb( source: WerFault.exe, 00000013.00000003.18461903158.0000000005CC7000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: combase.pdb+ source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 00000013.00000003.18457749595.0000000005CB1000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb( source: WerFault.exe, 00000013.00000003.18461462340.0000000005C88000.00000004.00000001.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 00000013.00000003.18478327612.00000000064B0000.00000004.00000001.sdmp
Source: Binary string: winhttp.pdb( source: WerFault.exe, 00000013.00000003.18457749595.0000000005CB1000.00000004.00000001.sdmp
Source: Binary string: fwpuclnt.pdb( source: WerFault.exe, 00000013.00000003.18487821063.000000000649F000.00000004.00000001.sdmp
Source: Binary string: OnDemandConnRouteHelper.pdb source: WerFault.exe, 00000013.00000003.18461715472.0000000005CAB000.00000004.00000001.sdmp
Source: Binary string: combase.pdb( source: WerFault.exe, 00000013.00000003.18447678008.000000000515A000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000013.00000003.18445660840.0000000000470000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000013.00000003.18457584237.0000000005C93000.00000004.00000001.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: WLDP.pdb source: WerFault.exe, 00000013.00000003.18457560822.0000000005C8E000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000013.00000003.18484709355.0000000006A72000.00000004.00000001.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb\ source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb\ source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 00000013.00000003.18479689483.00000000064C6000.00000004.00000001.sdmp
Source: Binary string: mskeyprotect.pdb# source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb( source: WerFault.exe, 00000013.00000003.18474081621.00000000064B6000.00000004.00000001.sdmp
Source: Binary string: dnsapi.pdb( source: WerFault.exe, 00000013.00000003.18483084836.0000000006494000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000013.00000003.18451945559.0000000005C99000.00000004.00000001.sdmp
Source: Binary string: AcLayers.pdb( source: WerFault.exe, 00000013.00000003.18445975471.00000000004E6000.00000004.00000001.sdmp
Source: Binary string: ntasn1.pdb( source: WerFault.exe, 00000013.00000003.18478327612.00000000064B0000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdbI source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 00000013.00000003.18462073106.00000000058A9000.00000004.00000001.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000013.00000003.18487821063.000000000649F000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdb( source: WerFault.exe, 00000013.00000003.18452058007.0000000005CA4000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000013.00000003.18471982779.0000000005C9E000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000013.00000003.18445925646.00000000004DB000.00000004.00000001.sdmp
Source: Binary string: OnDemandConnRouteHelper.pdb( source: WerFault.exe, 00000013.00000003.18461715472.0000000005CAB000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb( source: WerFault.exe, 00000013.00000003.18461838493.0000000005CBC000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdbu source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000013.00000003.18446070364.00000000004F1000.00000004.00000001.sdmp
Source: Binary string: wininet.pdb( source: WerFault.exe, 00000013.00000003.18455791748.00000000058C5000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000013.00000003.18474081621.00000000064B6000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=dow
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
    GET /uc?export=download&id=1JZajQIQdUbLIFKGrWeKAj7F2g5cgApuC HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: drive.google.com
    Cache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=UTF-8
    x-chromium-appcache-fallback-override: disallow-fallback
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Content-Security-Policy: script-src 'nonce-zmJa6o19NNZGxnDADiVTMg' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
    Date: Mon, 27 Sep 2021 18:54:19 GMT
    Expires: Mon, 27 Sep 2021 18:54:19 GMT
    Cache-Control: private, max-age=0
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Server: GSE
    Set-Cookie: NID=511=ODlPQgXqu4fdjG6ZuHTs0XNElZYDpXm1vg6AmQltuVvHl0JsiakjSgV63pH6LJnzsT27OHd1ZwOj3TF0GiES08RkNtz9RFmZ-4zBpdXmGWfyTjPaYTA5Duyff1r4XtXVZBFi2lZx3mEw_9SnPrYs2NcLj3JlA4yzX0915aFt1IY; expires=Tue, 29-Mar-2022 18:54:19 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
    Accept-Ranges: none
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
Source: RegAsm.exe, 00000005.00000003.16058051974.0000000001357000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000002.18566936937.0000000005899000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 00000005.00000003.16058051974.0000000001357000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000002.18561386183.0000000000503000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000005.00000003.16058051974.0000000001357000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000005.00000002.18569479870.00000000012D8000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 00000005.00000002.18569996974.0000000001340000.00000004.00000020.sdmp, RegAsm.exe, 00000005.00000000.18431774300.0000000001530000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1JZajQIQdUbLIFKGrWeKAj7F2g5cgApuC
Source: RegAsm.exe, 00000005.00000002.18569479870.00000000012D8000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1JZajQIQdUbLIFKGrWeKAj7F2g5cgApuC&
Source: RegAsm.exe, 00000005.00000000.18421359517.0000000001320000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1JZajQIQdUbLIFKGrWeKAj7F2g5cgApuC2
Source: RegAsm.exe, 00000005.00000002.18569479870.00000000012D8000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1JZajQIQdUbLIFKGrWeKAj7F2g5cgApuCT(-
Source: unknown DNS traffic detected: queries for: drive.google.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: WerFault.exe, 00000013.00000003.18447513597.00000000050AD000.00000004.00000001.sdmp Binary or memory string: DWM8And16Bit_DirectDrawCreateEx_CallOut

System Summary:

Uses 32bit PE files
Source: Unreal.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
One or more processes crash
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6992 -s 1260
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011AA31F 5_2_011AA31F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011AFA0B 5_2_011AFA0B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011A7996 5_2_011A7996
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011A000A 5_2_011A000A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011A7281 5_2_011A7281
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011AE2B0 5_2_011AE2B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011A9AA7 5_2_011A9AA7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011A0AC4 5_2_011A0AC4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011A9515 5_2_011A9515
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011AE567 5_2_011AE567
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011A95CB 5_2_011A95CB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011A9E3B 5_2_011A9E3B
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011AA31F NtAllocateVirtualMemory,LoadLibraryA, 5_2_011AA31F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011AF3D0 NtProtectVirtualMemory, 5_2_011AF3D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011A9E3B NtAllocateVirtualMemory, 5_2_011A9E3B
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Unreal.exe Process Stats: CPU usage > 98%
PE file contains strange resources
Source: Unreal.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Unreal.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: edgegdi.dll
Source: Unreal.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Unreal.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Unreal.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\Unreal.exe 'C:\Users\user\Desktop\Unreal.exe'
Source: C:\Users\user\Desktop\Unreal.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Unreal.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\Unreal.exe File created: C:\Users\user\AppData\Local\Temp\~DFE28C8088C164734E.TMP
Source: classification engine Classification label: mal100.troj.evad.winEXE@5/4@1/1
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6992
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:304:WilStaging_02
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000005.00000000.18420827212.00000000011A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.18430470714.00000000011A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_00406669 push ds; iretd 1_2_0040666C
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_00404623 push esp; iretd 1_2_00404625
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_004064A6 push ebx; retf 1_2_004064B5
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_0040276E push ebx; iretd 1_2_00402771
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_02C440B9 push cs; ret 1_2_02C440BA
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_02C41BE3 push edx; ret 1_2_02C41C0F
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_02C405EB push ecx; ret 1_2_02C405F7
Source: C:\Users\user\Desktop\Unreal.exe Code function: 1_2_02C4476E pushad ; retf 1_2_02C44772
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011A2167 push DE1ECAFBh; retf DE1Eh 5_2_011A2176
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011A1B33 push cs; iretd 5_2_011A1B34
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011A0B2A push FFFFFFDEh; iretd 5_2_011A0B2C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011A3221 push esp; retf 5_2_011A3223
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011A628C push ds; iretd 5_2_011A6293
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011A5AED push eax; retf 5_2_011A5A8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011A2544 push ebp; retf 5_2_011A2546
Source: C:\Users\user\Desktop\Unreal.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\Unreal.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Unreal.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Unreal.exe, 00000001.00000002.16397054711.0000000002C60000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Source: Unreal.exe, 00000001.00000002.16397054711.0000000002C60000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000000.18431774300.0000000001530000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6996 Thread sleep time: -225000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011A99BA rdtsc 5_2_011A99BA
Source: C:\Users\user\Desktop\Unreal.exe System information queried: ModuleInformation
Source: Unreal.exe, 00000001.00000002.16397054711.0000000002C60000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe\syswow64\msvbvm60.dll
Source: RegAsm.exe, 00000005.00000002.18569996974.0000000001340000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.18560897644.0000000000428000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: Unreal.exe, 00000001.00000002.16397054711.0000000002C60000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000000.18431774300.0000000001530000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\Unreal.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread information set: HideFromDebugger
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011A99BA rdtsc 5_2_011A99BA
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011AD56C mov eax, dword ptr fs:[00000030h] 5_2_011AD56C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011AE567 mov eax, dword ptr fs:[00000030h] 5_2_011AE567
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_011A9749 mov eax, dword ptr fs:[00000030h] 5_2_011A9749
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Unreal.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\Unreal.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 11A0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Unreal.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Unreal.exe'
Source: RegAsm.exe, 00000005.00000000.18422380564.00000000018E0000.00000002.00020000.sdmp Binary or memory string: ,Program Managersw
Source: RegAsm.exe, 00000005.00000000.18422380564.00000000018E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000005.00000000.18422380564.00000000018E0000.00000002.00020000.sdmp Binary or memory string: Progman

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior