Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
vy3mvlAaCZ.exe

Overview

General Information

Sample Name:vy3mvlAaCZ.exe
Analysis ID:694561
MD5:1873a210d41acdef243e921f3810803a
SHA1:6fa90a229148759d12c63bee342e55fa887f6976
SHA256:34c779bada9918972748153c3f618d6656148748478beec1ec57c7bb5e363593
Tags:exe
Infos:

Detection

Gandcrab, ReflectiveLoader
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Gandcrab
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected ReflectiveLoader
Machine Learning detection for sample
Found API chain indicative of sandbox detection
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)

Classification

  • System is w10x64
  • vy3mvlAaCZ.exe (PID: 4876 cmdline: "C:\Users\user\Desktop\vy3mvlAaCZ.exe" MD5: 1873A210D41ACDEF243E921F3810803A)
    • WerFault.exe (PID: 5556 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 244 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
vy3mvlAaCZ.exeReflectiveLoaderDetects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommendedFlorian Roth
  • 0x10bb8:$x1: ReflectiveLoader
  • 0x22a82:$x1: ReflectiveLoader
vy3mvlAaCZ.exeSUSP_RANSOMWARE_Indicator_Jul20Detects ransomware indicatorFlorian Roth
  • 0x22246:$: DECRYPT.txt
  • 0x22298:$: DECRYPT.txt
vy3mvlAaCZ.exeJoeSecurity_GandcrabYara detected GandcrabJoe Security
    vy3mvlAaCZ.exeJoeSecurity_ReflectiveLoaderYara detected ReflectiveLoaderJoe Security
      vy3mvlAaCZ.exeINDICATOR_SUSPICIOUS_ReflectiveLoaderdetects Reflective DLL injection artifactsditekSHen
      • 0x22a81:$s1: _ReflectiveLoader@
      • 0x22a82:$s2: ReflectiveLoader@
      Click to see the 2 entries
      SourceRuleDescriptionAuthorStrings
      00000000.00000000.245248634.0000000001163000.00000008.00000001.01000000.00000003.sdmpJoeSecurity_GandcrabYara detected GandcrabJoe Security
        00000000.00000000.245248634.0000000001163000.00000008.00000001.01000000.00000003.sdmpJoeSecurity_ReflectiveLoaderYara detected ReflectiveLoaderJoe Security
          00000000.00000002.256573776.0000000001164000.00000008.00000001.01000000.00000003.sdmpJoeSecurity_GandcrabYara detected GandcrabJoe Security
            00000000.00000002.256573776.0000000001164000.00000008.00000001.01000000.00000003.sdmpJoeSecurity_ReflectiveLoaderYara detected ReflectiveLoaderJoe Security
              00000000.00000000.246907698.0000000001164000.00000008.00000001.01000000.00000003.sdmpJoeSecurity_GandcrabYara detected GandcrabJoe Security
                Click to see the 5 entries
                SourceRuleDescriptionAuthorStrings
                0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpackReflectiveLoaderDetects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommendedFlorian Roth
                • 0x10032:$x1: ReflectiveLoader
                0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpackSUSP_RANSOMWARE_Indicator_Jul20Detects ransomware indicatorFlorian Roth
                • 0xf7f6:$: DECRYPT.txt
                • 0xf848:$: DECRYPT.txt
                0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpackJoeSecurity_GandcrabYara detected GandcrabJoe Security
                  0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpackJoeSecurity_ReflectiveLoaderYara detected ReflectiveLoaderJoe Security
                    0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpackINDICATOR_SUSPICIOUS_ReflectiveLoaderdetects Reflective DLL injection artifactsditekSHen
                    • 0x10031:$s1: _ReflectiveLoader@
                    • 0x10032:$s2: ReflectiveLoader@
                    Click to see the 79 entries
                    No Sigma rule has matched
                    No Snort rule has matched

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Source: vy3mvlAaCZ.exeAvira: detected
                    Source: vy3mvlAaCZ.exeVirustotal: Detection: 85%Perma Link
                    Source: vy3mvlAaCZ.exeMetadefender: Detection: 74%Perma Link
                    Source: vy3mvlAaCZ.exeReversingLabs: Detection: 96%
                    Source: vy3mvlAaCZ.exeJoe Sandbox ML: detected
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpackAvira: Label: TR/Crypt.EPACK.Gen2
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpackAvira: Label: TR/Crypt.EPACK.Gen2
                    Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpackAvira: Label: TR/Crypt.EPACK.Gen2
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpackAvira: Label: TR/Crypt.EPACK.Gen2
                    Source: vy3mvlAaCZ.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: vy3mvlAaCZ.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

                    Spam, unwanted Advertisements and Ransom Demands

                    barindex
                    Source: Yara matchFile source: vy3mvlAaCZ.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000000.245248634.0000000001163000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.256573776.0000000001164000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.246907698.0000000001164000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.247365120.0000000001164000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: vy3mvlAaCZ.exe PID: 4876, type: MEMORYSTR

                    System Summary

                    barindex
                    Source: vy3mvlAaCZ.exe, type: SAMPLEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: vy3mvlAaCZ.exe, type: SAMPLEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: vy3mvlAaCZ.exe, type: SAMPLEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: vy3mvlAaCZ.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: vy3mvlAaCZ.exe, type: SAMPLEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: vy3mvlAaCZ.exe, type: SAMPLEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: vy3mvlAaCZ.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: vy3mvlAaCZ.exe, type: SAMPLEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: vy3mvlAaCZ.exe, type: SAMPLEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 244
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_01151E5B0_2_01151E5B
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_011581020_2_01158102
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_01157B900_2_01157B90
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_011569EC0_2_011569EC
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_0115A84D0_2_0115A84D
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_011586740_2_01158674
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_011598E10_2_011598E1
                    Source: vy3mvlAaCZ.exeVirustotal: Detection: 85%
                    Source: vy3mvlAaCZ.exeMetadefender: Detection: 74%
                    Source: vy3mvlAaCZ.exeReversingLabs: Detection: 96%
                    Source: vy3mvlAaCZ.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\vy3mvlAaCZ.exe "C:\Users\user\Desktop\vy3mvlAaCZ.exe"
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 244
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4876
                    Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C8E.tmpJump to behavior
                    Source: classification engineClassification label: mal88.rans.evad.winEXE@2/4@0/0
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: vy3mvlAaCZ.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    barindex
                    Source: Yara matchFile source: vy3mvlAaCZ.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000000.245248634.0000000001163000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.256573776.0000000001164000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.246907698.0000000001164000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.247365120.0000000001164000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: vy3mvlAaCZ.exe PID: 4876, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_01152A35 push ecx; ret 0_2_01152A48
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_0115C790 LoadLibraryA,GetProcAddress,0_2_0115C790
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_01151E5B RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_01151E5B
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeSandbox detection routine: GetForegroundWindow, DecisionNode, Sleepgraph_0-7488
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeAPI coverage: 0.8 %
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeAPI call chain: ExitProcess graph end nodegraph_0-5823
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_01154130 _memset,IsDebuggerPresent,0_2_01154130
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_01154E1A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_01154E1A
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_0115C790 LoadLibraryA,GetProcAddress,0_2_0115C790
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_01152041 GetProcessHeap,0_2_01152041
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_01153387 SetUnhandledExceptionFilter,0_2_01153387
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_011533B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_011533B8
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_0115D110 CreateWindowExW,GetWindowLongW,SetWindowLongW,DestroyWindow,DefWindowProcW,RegisterClassExW,_memset,CreateWindowExW,DestroyWindow,DestroyWindow,Sleep,CreateThread,Sleep,CreateWindowExW,GetWindowLongW,SetWindowLongW,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,Sleep,DestroyWindow,DestroyWindow,DestroyWindow,TerminateThread,WaitForSingleObject,DestroyWindow,DestroyWindow,TerminateThread,DestroyWindow,0_2_0115D110