Windows Analysis Report
vy3mvlAaCZ.exe

Overview

General Information

Sample Name: vy3mvlAaCZ.exe
Analysis ID: 694561
MD5: 1873a210d41acdef243e921f3810803a
SHA1: 6fa90a229148759d12c63bee342e55fa887f6976
SHA256: 34c779bada9918972748153c3f618d6656148748478beec1ec57c7bb5e363593
Tags: exe

Detection

Gandcrab, ReflectiveLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Gandcrab
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected ReflectiveLoader
Machine Learning detection for sample
Found API chain indicative of sandbox detection
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)

Classification

  • System is w10x64
  • vy3mvlAaCZ.exe (PID: 4268 cmdline: "C:\Users\user\Desktop\vy3mvlAaCZ.exe" MD5: 1873A210D41ACDEF243E921F3810803A)
    • WerFault.exe (PID: 4940 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 244 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
vy3mvlAaCZ.exe | ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth
  • 0x10bb8:$x1: ReflectiveLoader
  • 0x22a82:$x1: ReflectiveLoader
vy3mvlAaCZ.exe | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth
  • 0x22246:$: DECRYPT.txt
  • 0x22298:$: DECRYPT.txt
vy3mvlAaCZ.exe | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security
vy3mvlAaCZ.exe | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
vy3mvlAaCZ.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen
  • 0x22a81:$s1: _ReflectiveLoader@
  • 0x22a82:$s2: ReflectiveLoader@
Source | Rule | Description | Author | Strings
00000000.00000000.259577181.0000000000944000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security
00000000.00000000.259577181.0000000000944000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security
00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
00000000.00000000.256875847.0000000000943000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security
Source | Rule | Description | Author | Strings
0.0.vy3mvlAaCZ.exe.944250.5.unpack | ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth
  • 0xe832:$x1: ReflectiveLoader
0.0.vy3mvlAaCZ.exe.944250.5.unpack | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth
  • 0xdff6:$: DECRYPT.txt
  • 0xe048:$: DECRYPT.txt
0.0.vy3mvlAaCZ.exe.944250.5.unpack | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security
0.0.vy3mvlAaCZ.exe.944250.5.unpack | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
0.0.vy3mvlAaCZ.exe.944250.5.unpack | INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen
  • 0xe831:$s1: _ReflectiveLoader@
  • 0xe832:$s2: ReflectiveLoader@
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: vy3mvlAaCZ.exe | Avira: detected
Source: vy3mvlAaCZ.exe | Virustotal: Detection: 85%
Source: vy3mvlAaCZ.exe | Metadefender: Detection: 74%
Source: vy3mvlAaCZ.exe | ReversingLabs: Detection: 96%
Source: vy3mvlAaCZ.exe | Joe Sandbox ML: detected
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack | Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack | Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack | Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack | Avira: Label: TR/Crypt.EPACK.Gen2
Source: vy3mvlAaCZ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vy3mvlAaCZ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: vy3mvlAaCZ.exe, type: SAMPLE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.259577181.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.256875847.0000000000943000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.260275699.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vy3mvlAaCZ.exe PID: 4268, type: MEMORYSTR

System Summary

Matched rules (each of the sources listed below matched all three):
  • detects Reflective DLL injection artifacts, Author: ditekSHen
  • Gandcrab Payload, Author: kevoreilly
  • Win32_Ransomware_GandCrab, Author: ReversingLabs
Sources:
  • vy3mvlAaCZ.exe, type: SAMPLE
  • 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE
  • 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE
  • 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE
  • 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE
  • 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE
  • 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE
  • 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE
  • 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE
  • 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE
  • 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE
  • 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE
  • 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE
Source: vy3mvlAaCZ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Matched rules with rule metadata (each of the sources listed below matched all five):
  • ReflectiveLoader: author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
  • SUSP_RANSOMWARE_Indicator_Jul20: date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
  • INDICATOR_SUSPICIOUS_ReflectiveLoader: author = ditekSHen, description = detects Reflective DLL injection artifacts
  • Gandcrab: author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
  • Win32_Ransomware_GandCrab: tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Sources:
  • vy3mvlAaCZ.exe, type: SAMPLE
  • 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE
  • 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE
  • 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE
  • 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE
  • 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE
  • 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE
  • 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE
  • 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE
  • 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE
  • 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE
  • 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE
  • 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 244
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_00931E5B0_2_00931E5B
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_009398E10_2_009398E1
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_0093A84D0_2_0093A84D
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_009386740_2_00938674
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_00937B900_2_00937B90
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_009369EC0_2_009369EC
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_009381020_2_00938102
                    Source: vy3mvlAaCZ.exeVirustotal: Detection: 85%
                    Source: vy3mvlAaCZ.exeMetadefender: Detection: 74%
                    Source: vy3mvlAaCZ.exeReversingLabs: Detection: 96%
                    Source: vy3mvlAaCZ.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\vy3mvlAaCZ.exe "C:\Users\user\Desktop\vy3mvlAaCZ.exe"
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 244
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4268
                    Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER97F6.tmpJump to behavior
                    Source: classification engineClassification label: mal88.rans.evad.winEXE@2/4@0/0
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: vy3mvlAaCZ.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: Yara match | File source: vy3mvlAaCZ.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.259577181.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000000.256875847.0000000000943000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000000.260275699.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: vy3mvlAaCZ.exe PID: 4268, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00932A35 push ecx; ret | 0_2_00932A48
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_0093C790 LoadLibraryA,GetProcAddress | 0_2_0093C790
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00931E5B RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00931E5B
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep | graph_0-7900
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | API coverage: 0.8 %
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | API call chain: ExitProcess graph end node | graph_0-5933
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00934E1A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer | 0_2_00934E1A
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00934E1A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer | 0_2_00934E1A
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_0093C790 LoadLibraryA,GetProcAddress | 0_2_0093C790
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00932041 GetProcessHeap | 0_2_00932041
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00933387 SetUnhandledExceptionFilter | 0_2_00933387
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_009333B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_009333B8
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_0093C090 DefWindowProcW,RegisterClassExW,_memset,CreateWindowExW,DestroyWindow,DestroyWindow,Sleep,CreateThread,Sleep,DestroyWindow,DestroyWindow,TerminateThread,CreateWindowExW,GetWindowLongW,SetWindowLongW,SetWindowLongW,SetWindowLongW,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,Sleep,DestroyWindow,DestroyWindow,TerminateThread,WaitForSingleObject | 0_2_0093C090
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00932D1C cpuid | 0_2_00932D1C
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_0093BA30 Sleep,Sleep,GetModuleHandleA,GetModuleHandleA,LoadLibraryA,GetVersionExW,GetModuleHandleA,IsWow64Process,GetModuleHandleA,GetModuleHandleA,RegisterClassExW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateThread,Sleep,TerminateThread,Sleep,keybd_event,keybd_event,keybd_event | 0_2_0093BA30
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00932881 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter | 0_2_00932881
                    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                    Valid Accounts | 1 Native API | Path Interception | 1 Process Injection | 11 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Software Packing | LSASS Memory | 14 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Obfuscated Files or Information | NTDS | 13 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
                    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing