Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
vy3mvlAaCZ.exe

Overview

General Information

Sample Name:vy3mvlAaCZ.exe
Analysis ID:694561
MD5:1873a210d41acdef243e921f3810803a
SHA1:6fa90a229148759d12c63bee342e55fa887f6976
SHA256:34c779bada9918972748153c3f618d6656148748478beec1ec57c7bb5e363593
Tags:exe
Infos:

Detection

Gandcrab, ReflectiveLoader
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Gandcrab
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected ReflectiveLoader
Machine Learning detection for sample
Found API chain indicative of sandbox detection
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)

Classification

  • System is w10x64
  • vy3mvlAaCZ.exe (PID: 4876 cmdline: "C:\Users\user\Desktop\vy3mvlAaCZ.exe" MD5: 1873A210D41ACDEF243E921F3810803A)
    • WerFault.exe (PID: 5556 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 244 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
vy3mvlAaCZ.exeReflectiveLoaderDetects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommendedFlorian Roth
  • 0x10bb8:$x1: ReflectiveLoader
  • 0x22a82:$x1: ReflectiveLoader
vy3mvlAaCZ.exeSUSP_RANSOMWARE_Indicator_Jul20Detects ransomware indicatorFlorian Roth
  • 0x22246:$: DECRYPT.txt
  • 0x22298:$: DECRYPT.txt
vy3mvlAaCZ.exeJoeSecurity_GandcrabYara detected GandcrabJoe Security
    vy3mvlAaCZ.exeJoeSecurity_ReflectiveLoaderYara detected ReflectiveLoaderJoe Security
      vy3mvlAaCZ.exeINDICATOR_SUSPICIOUS_ReflectiveLoaderdetects Reflective DLL injection artifactsditekSHen
      • 0x22a81:$s1: _ReflectiveLoader@
      • 0x22a82:$s2: ReflectiveLoader@
      Click to see the 2 entries
      SourceRuleDescriptionAuthorStrings
      00000000.00000000.245248634.0000000001163000.00000008.00000001.01000000.00000003.sdmpJoeSecurity_GandcrabYara detected GandcrabJoe Security
        00000000.00000000.245248634.0000000001163000.00000008.00000001.01000000.00000003.sdmpJoeSecurity_ReflectiveLoaderYara detected ReflectiveLoaderJoe Security
          00000000.00000002.256573776.0000000001164000.00000008.00000001.01000000.00000003.sdmpJoeSecurity_GandcrabYara detected GandcrabJoe Security
            00000000.00000002.256573776.0000000001164000.00000008.00000001.01000000.00000003.sdmpJoeSecurity_ReflectiveLoaderYara detected ReflectiveLoaderJoe Security
              00000000.00000000.246907698.0000000001164000.00000008.00000001.01000000.00000003.sdmpJoeSecurity_GandcrabYara detected GandcrabJoe Security
                Click to see the 5 entries
                SourceRuleDescriptionAuthorStrings
                0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpackReflectiveLoaderDetects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommendedFlorian Roth
                • 0x10032:$x1: ReflectiveLoader
                0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpackSUSP_RANSOMWARE_Indicator_Jul20Detects ransomware indicatorFlorian Roth
                • 0xf7f6:$: DECRYPT.txt
                • 0xf848:$: DECRYPT.txt
                0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpackJoeSecurity_GandcrabYara detected GandcrabJoe Security
                  0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpackJoeSecurity_ReflectiveLoaderYara detected ReflectiveLoaderJoe Security
                    0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpackINDICATOR_SUSPICIOUS_ReflectiveLoaderdetects Reflective DLL injection artifactsditekSHen
                    • 0x10031:$s1: _ReflectiveLoader@
                    • 0x10032:$s2: ReflectiveLoader@
                    Click to see the 79 entries
                    No Sigma rule has matched
                    No Snort rule has matched

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Source: vy3mvlAaCZ.exeAvira: detected
                    Source: vy3mvlAaCZ.exeVirustotal: Detection: 85%Perma Link
                    Source: vy3mvlAaCZ.exeMetadefender: Detection: 74%Perma Link
                    Source: vy3mvlAaCZ.exeReversingLabs: Detection: 96%
                    Source: vy3mvlAaCZ.exeJoe Sandbox ML: detected
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpackAvira: Label: TR/Crypt.EPACK.Gen2
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpackAvira: Label: TR/Crypt.EPACK.Gen2
                    Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpackAvira: Label: TR/Crypt.EPACK.Gen2
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpackAvira: Label: TR/Crypt.EPACK.Gen2
                    Source: vy3mvlAaCZ.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: vy3mvlAaCZ.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

                    Spam, unwanted Advertisements and Ransom Demands

                    barindex
                    Source: Yara matchFile source: vy3mvlAaCZ.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000000.245248634.0000000001163000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.256573776.0000000001164000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.246907698.0000000001164000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.247365120.0000000001164000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: vy3mvlAaCZ.exe PID: 4876, type: MEMORYSTR

                    System Summary

                    barindex
                    Source: vy3mvlAaCZ.exe, type: SAMPLEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: vy3mvlAaCZ.exe, type: SAMPLEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: vy3mvlAaCZ.exe, type: SAMPLEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPEMatched rule: Gandcrab Payload Author: kevoreilly
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
                    Source: vy3mvlAaCZ.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: vy3mvlAaCZ.exe, type: SAMPLEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: vy3mvlAaCZ.exe, type: SAMPLEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: vy3mvlAaCZ.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: vy3mvlAaCZ.exe, type: SAMPLEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: vy3mvlAaCZ.exe, type: SAMPLEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPEMatched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
                    Source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 244
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_01151E5B
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_01158102
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_01157B90
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_011569EC
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_0115A84D
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_01158674
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_011598E1
                    Source: vy3mvlAaCZ.exeVirustotal: Detection: 85%
                    Source: vy3mvlAaCZ.exeMetadefender: Detection: 74%
                    Source: vy3mvlAaCZ.exeReversingLabs: Detection: 96%
                    Source: vy3mvlAaCZ.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknownProcess created: C:\Users\user\Desktop\vy3mvlAaCZ.exe "C:\Users\user\Desktop\vy3mvlAaCZ.exe"
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 244
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4876
                    Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C8E.tmpJump to behavior
                    Source: classification engineClassification label: mal88.rans.evad.winEXE@2/4@0/0
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: vy3mvlAaCZ.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    barindex
                    Source: Yara matchFile source: vy3mvlAaCZ.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.2.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1164250.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1164250.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1164250.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1150000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.vy3mvlAaCZ.exe.1164250.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1150000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1164250.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1150000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.vy3mvlAaCZ.exe.1164250.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000000.245248634.0000000001163000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.256573776.0000000001164000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.246907698.0000000001164000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.247365120.0000000001164000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: vy3mvlAaCZ.exe PID: 4876, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_01152A35 push ecx; ret
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_0115C790 LoadLibraryA,GetProcAddress,
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_01151E5B RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeSandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeAPI coverage: 0.8 %
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeAPI call chain: ExitProcess graph end node
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_01154130 _memset,IsDebuggerPresent,
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeProcess queried: DebugPort
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_01154E1A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_0115C790 LoadLibraryA,GetProcAddress,
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_01152041 GetProcessHeap,
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_01153387 SetUnhandledExceptionFilter,
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_011533B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_0115D110 CreateWindowExW,GetWindowLongW,SetWindowLongW,DestroyWindow,DefWindowProcW,RegisterClassExW,_memset,CreateWindowExW,DestroyWindow,DestroyWindow,Sleep,CreateThread,Sleep,CreateWindowExW,GetWindowLongW,SetWindowLongW,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,Sleep,DestroyWindow,DestroyWindow,DestroyWindow,TerminateThread,WaitForSingleObject,DestroyWindow,DestroyWindow,TerminateThread,DestroyWindow,
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_01152D1C cpuid
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_0115BA30 Sleep,Sleep,GetModuleHandleA,GetModuleHandleA,LoadLibraryA,GetVersionExW,GetModuleHandleA,IsWow64Process,GetModuleHandleA,GetModuleHandleA,RegisterClassExW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateThread,Sleep,TerminateThread,Sleep,keybd_event,keybd_event,keybd_event,
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_01152881 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
                    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                    Valid Accounts1
                    Native API
                    Path Interception1
                    Process Injection
                    11
                    Virtualization/Sandbox Evasion
                    OS Credential Dumping1
                    System Time Discovery
                    Remote Services1
                    Archive Collected Data
                    Exfiltration Over Other Network Medium1
                    Encrypted Channel
                    Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                    Software Packing
                    LSASS Memory14
                    Security Software Discovery
                    Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)1
                    Process Injection
                    Security Account Manager11
                    Virtualization/Sandbox Evasion
                    SMB/Windows Admin Shares