
Windows Analysis Report
vy3mvlAaCZ.exe

Overview

General Information

Sample Name:vy3mvlAaCZ.exe
Analysis ID:694561
MD5:1873a210d41acdef243e921f3810803a
SHA1:6fa90a229148759d12c63bee342e55fa887f6976
SHA256:34c779bada9918972748153c3f618d6656148748478beec1ec57c7bb5e363593
Tags:exe
Infos:

Detection

Gandcrab, ReflectiveLoader
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Gandcrab
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected ReflectiveLoader
Machine Learning detection for sample
Found API chain indicative of sandbox detection
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)

Classification

  • System is w10x64
  • vy3mvlAaCZ.exe (PID: 4268 cmdline: "C:\Users\user\Desktop\vy3mvlAaCZ.exe" MD5: 1873A210D41ACDEF243E921F3810803A)
    • WerFault.exe (PID: 4940 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 244 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
vy3mvlAaCZ.exe | ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth |
  • 0x10bb8:$x1: ReflectiveLoader
  • 0x22a82:$x1: ReflectiveLoader
vy3mvlAaCZ.exe | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth |
  • 0x22246:$: DECRYPT.txt
  • 0x22298:$: DECRYPT.txt
vy3mvlAaCZ.exe | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security |
vy3mvlAaCZ.exe | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security |
vy3mvlAaCZ.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen |
  • 0x22a81:$s1: _ReflectiveLoader@
  • 0x22a82:$s2: ReflectiveLoader@
Source | Rule | Description | Author | Strings
00000000.00000000.259577181.0000000000944000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security |
00000000.00000000.259577181.0000000000944000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security |
00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security |
00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security |
00000000.00000000.256875847.0000000000943000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security |
Source | Rule | Description | Author | Strings
0.0.vy3mvlAaCZ.exe.944250.5.unpack | ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth |
  • 0xe832:$x1: ReflectiveLoader
0.0.vy3mvlAaCZ.exe.944250.5.unpack | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth |
  • 0xdff6:$: DECRYPT.txt
  • 0xe048:$: DECRYPT.txt
0.0.vy3mvlAaCZ.exe.944250.5.unpack | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security |
0.0.vy3mvlAaCZ.exe.944250.5.unpack | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security |
0.0.vy3mvlAaCZ.exe.944250.5.unpack | INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen |
  • 0xe831:$s1: _ReflectiveLoader@
  • 0xe832:$s2: ReflectiveLoader@
No Sigma rule has matched
No Snort rule has matched

                    AV Detection

Source: vy3mvlAaCZ.exe | Avira: detected
Source: vy3mvlAaCZ.exe | Virustotal: Detection: 85%
Source: vy3mvlAaCZ.exe | Metadefender: Detection: 74%
Source: vy3mvlAaCZ.exe | ReversingLabs: Detection: 96%
Source: vy3mvlAaCZ.exe | Joe Sandbox ML: detected
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack | Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack | Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack | Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack | Avira: Label: TR/Crypt.EPACK.Gen2
Source: vy3mvlAaCZ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vy3mvlAaCZ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

                    Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: vy3mvlAaCZ.exe, type: SAMPLE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.259577181.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.256875847.0000000000943000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.260275699.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vy3mvlAaCZ.exe PID: 4268, type: MEMORYSTR

                    System Summary

Source: vy3mvlAaCZ.exe, type: SAMPLE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: vy3mvlAaCZ.exe, type: SAMPLE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: vy3mvlAaCZ.exe, type: SAMPLE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: vy3mvlAaCZ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vy3mvlAaCZ.exe, type: SAMPLE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: vy3mvlAaCZ.exe, type: SAMPLE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: vy3mvlAaCZ.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: vy3mvlAaCZ.exe, type: SAMPLE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: vy3mvlAaCZ.exe, type: SAMPLE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 244
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00931E5B
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_009398E1
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_0093A84D
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00938674
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00937B90
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_009369EC
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00938102
Source: vy3mvlAaCZ.exe | Virustotal: Detection: 85%
Source: vy3mvlAaCZ.exe | Metadefender: Detection: 74%
Source: vy3mvlAaCZ.exe | ReversingLabs: Detection: 96%
Source: vy3mvlAaCZ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\vy3mvlAaCZ.exe "C:\Users\user\Desktop\vy3mvlAaCZ.exe"
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 244
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4268
                    Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER97F6.tmpJump to behavior
                    Source: classification engineClassification label: mal88.rans.evad.winEXE@2/4@0/0
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: vy3mvlAaCZ.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    barindex
                    Source: Yara match | File source: vy3mvlAaCZ.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.259577181.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000000.256875847.0000000000943000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000000.260275699.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: vy3mvlAaCZ.exe PID: 4268, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00932A35 push ecx; ret
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_0093C790 LoadLibraryA,GetProcAddress,
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00931E5B RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | API coverage: 0.8 %
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | API call chain: ExitProcess graph end node
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00934E1A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00934E1A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_0093C790 LoadLibraryA,GetProcAddress,
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00932041 GetProcessHeap,
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00933387 SetUnhandledExceptionFilter,
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_009333B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_0093C090 DefWindowProcW,RegisterClassExW,_memset,CreateWindowExW,DestroyWindow,DestroyWindow,Sleep,CreateThread,Sleep,DestroyWindow,DestroyWindow,TerminateThread,CreateWindowExW,GetWindowLongW,SetWindowLongW,SetWindowLongW,SetWindowLongW,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,Sleep,DestroyWindow,DestroyWindow,TerminateThread,WaitForSingleObject,
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00932D1C cpuid
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_0093BA30 Sleep,Sleep,GetModuleHandleA,GetModuleHandleA,LoadLibraryA,GetVersionExW,GetModuleHandleA,IsWow64Process,GetModuleHandleA,GetModuleHandleA,RegisterClassExW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateThread,Sleep,TerminateThread,Sleep,keybd_event,keybd_event,keybd_event,
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00932881 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
                    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                    Valid Accounts1
                    Native API
                    Path Interception1
                    Process Injection
                    11
                    Virtualization/Sandbox Evasion
                    OS Credential Dumping1
                    System Time Discovery
                    Remote Services1
                    Archive Collected Data
                    Exfiltration Over Other Network Medium1
                    Encrypted Channel
                    Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                    Software Packing
                    LSASS Memory14
                    Security Software Discovery
                    Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)1
                    Process Injection
                    Security Account Manager11
                    Virtualization/Sandbox Evasion
                    SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
                    Obfuscated Files or Information
                    NTDS13
                    System Information Discovery
                    Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                    Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
                    Remote System Discovery
                    SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                    Source | Detection | Scanner | Label
                    vy3mvlAaCZ.exe | 86% | Virustotal |
                    vy3mvlAaCZ.exe | 74% | Metadefender |
                    vy3mvlAaCZ.exe | 96% | ReversingLabs | Win32.Ransomware.GandCrab
                    vy3mvlAaCZ.exe | 100% | Avira | TR/Crypt.EPACK.Gen2
                    vy3mvlAaCZ.exe | 100% | Joe Sandbox ML |
                    No Antivirus matches
                    Source | Detection | Scanner | Label
                    0.2.vy3mvlAaCZ.exe.930000.0.unpack | 100% | Avira | TR/Crypt.EPACK.Gen2
                    0.0.vy3mvlAaCZ.exe.930000.2.unpack | 100% | Avira | TR/Crypt.EPACK.Gen2
                    0.0.vy3mvlAaCZ.exe.930000.0.unpack | 100% | Avira | TR/Crypt.EPACK.Gen2
                    0.0.vy3mvlAaCZ.exe.930000.4.unpack | 100% | Avira | TR/Crypt.EPACK.Gen2
                    No Antivirus matches
                    No Antivirus matches
                    No contacted domains info
                    No contacted IP infos
                    Joe Sandbox Version:35.0.0 Citrine
                    Analysis ID:694561
                    Start date and time:2022-08-31 23:58:21 +02:00
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 6m 58s
                    Hypervisor based Inspection enabled:false
                    Report type:light
                    Sample file name:vy3mvlAaCZ.exe
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Run name:Run with higher sleep bypass
                    Number of analysed new started processes analysed:21
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal88.rans.evad.winEXE@2/4@0/0
                    EGA Information:
                    • Successful, ratio: 100%
                    HDC Information:
                    • Successful, ratio: 100% (good quality ratio 92.2%)
                    • Quality average: 80.2%
                    • Quality standard deviation: 30.1%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Adjust boot time
                    • Enable AMSI
                    • Sleeps bigger than 300000ms are automatically reduced to 1000ms
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                    • Excluded IPs from analysis (whitelisted): 20.189.173.22
                    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, login.live.com, eudb.ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
                    • Not all processes where analyzed, report is missing behavior information
                    No simulations
                    No context
                    No context
                    No context
                    No context
                    No context
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):0.673804623399491
                    Encrypted:false
                    SSDEEP:96:kbFWtfhs1Dg3fDUpXIQcQvc6QcEDMcw3Db+HbHg/8BRTf3OyWZAXGng5FMTPSkvu:WsKHBUZMXYjuq/u7svIS274Itwl
                    MD5:3BB61DDF965463EDB0AA60D2950DC834
                    SHA1:94BB88E8277D67F9261EFDA7122B5063FAD1C3AD
                    SHA-256:7887FD561BF713404541B56AB5EF8BC9FA9A5F10F72A15C245B2559DE5EBC544
                    SHA-512:5DE44FD2771DFA8145ED27B03416A0C0CDF00C323DE366DCBEE06F5E9108F332400A2D398E82D3B131371CBA1AFE0525E599956951D7DDC63CF626FAED67A27C
                    Malicious:true
                    Reputation:low
                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.6.4.8.9.1.6.6.0.9.7.5.7.2.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.0.6.4.8.9.1.6.7.3.4.7.5.7.7.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.4.c.0.a.e.5.6.-.9.f.7.f.-.4.1.f.6.-.9.0.f.5.-.b.2.9.c.8.c.2.5.e.5.e.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.5.4.1.1.7.9.9.-.7.b.7.6.-.4.e.f.a.-.a.6.8.4.-.4.0.9.b.a.7.f.4.b.c.c.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.v.y.3.m.v.l.A.a.C.Z...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.a.c.-.0.0.0.1.-.0.0.1.a.-.c.7.3.0.-.5.6.5.d.d.0.b.d.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.9.1.d.d.a.7.1.0.3.b.9.8.a.3.c.9.4.4.5.a.1.1.3.8.3.7.c.b.f.e.9.0.0.0.0.f.f.f.f.!.0.0.0.0.6.f.a.9.0.a.2.2.9.1.4.8.7.5.9.d.1.2.c.6.3.b.e.e.3.4.2.e.5.5.f.a.8.8.7.f.6.9.7.6.!.v.y.3.m.v.l.A.a.C.Z...e.x.e.....T.a.r.g.e.t.A.p.p.
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Mini DuMP crash report, 14 streams, Thu Sep 1 06:59:26 2022, 0x1205a4 type
                    Category:dropped
                    Size (bytes):35404
                    Entropy (8bit):1.8846641325885034
                    Encrypted:false
                    SSDEEP:96:5P8M8M/mnPXq82qhi7o5g+f0lltRuii8Y6ATZK+TD5iWI3WIX7I2Qej:WUmnP1OGcltMGuK+TmQe
                    MD5:8041C81145A8C17D64471E698F53B7E0
                    SHA1:CB951C6F726CCC535AA77568B26EB0E4AF325116
                    SHA-256:853815B51624678FA302216392D8377C0DEA180C2C2F7590C599123E3297A7C2
                    SHA-512:16FA68013C4DE6C120CDA18E9829AAEE78EC5D01EEF97C2B51AEAD299018473E5D9D023216EFFAA9DCCEE26DB9A3F62CB6519049B1F9EA968C7CB8A40DBC4CC5
                    Malicious:false
                    Reputation:low
                    Preview:MDMP....... .......NX.c....................................................T.......8...........T...............<............................................................................................U...........B......4.......GenuineIntelW...........T...........JX.c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8278
                    Entropy (8bit):3.696981182329922
                    Encrypted:false
                    SSDEEP:192:Rrl7r3GLNiLz6e6Yq0SUZKgmfgdSPvCpr189bGMsfLCm:RrlsNi/6e6YJSUZKgmfgdSdGffP
                    MD5:0E50780F5CD7ECADA812B9172438386E
                    SHA1:CA9FAE7738916E845C90B37DA95C2B06BAB3B294
                    SHA-256:8E4496A05D4373E8EFC1358AA278C11A2639CECF86AD744F8A492B6CBBD9C630
                    SHA-512:31F04CC5C18B86C62A8A621B90CF110E510569C8717C74EEB9BC2CB9B5E99EEFFE2421E93D2A4BEFA9C7C78D21AED74738EC1D031DA07B3BC534837F4F7CA6E8
                    Malicious:false
                    Reputation:low
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.6.8.<./.P.i.d.>.......
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4563
                    Entropy (8bit):4.442876235276256
                    Encrypted:false
                    SSDEEP:48:cvIwSD8zspJgtWI9qUWgc8sqYji8fm8M4JNWFXhho+q8FCevxEATULMd:uITf7hNgrsqYrJ0hyXevOATULMd
                    MD5:CAF0E5DE2CF8BA7461786631E7875A69
                    SHA1:02194DB299C7DF9D3E170E694DA2DCB9EDE3FB5E
                    SHA-256:333617884EFEDD0428071F30423AB1BE7EBA23F46EE7B32C922B87F79258F534
                    SHA-512:DBF3AC05100C97BDB368DC0094D24B2BE7F1EA0146ABD7B1724CCC0BC6E7FE2B16471AB916314DCCC41226BAC19DCFA1498C2412BE8A160C503A3102EA8102F3
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1672810" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):6.497360445509992
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.96%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:vy3mvlAaCZ.exe
                    File size:159232
                    MD5:1873a210d41acdef243e921f3810803a
                    SHA1:6fa90a229148759d12c63bee342e55fa887f6976
                    SHA256:34c779bada9918972748153c3f618d6656148748478beec1ec57c7bb5e363593
                    SHA512:2a45638cc994e6e3af3fe3f7ec153235591c5e07893665485a0e564aefce1f9a8d8da9146b1d7eeab45c09f3fb4afa56107467013fe4e490800546827af96676
                    SSDEEP:3072:l5K/B0toL6SNJmlZHQsozTS+SMqqDL2/TrKdcG:lcytw/u1yTS+xqqDL6HKL
                    TLSH:EAF38C1971D1A0B2E4F30976D5B8AF12446DFC111BB07CDB72E61A9E19320E3AE39B53
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..{...(...(...(...(...(..?(...(T.?(...(T..(...(T.>(w..(..M(...(...(...(..:(...(...(...(Rich...(........................PE..L..
                    Icon Hash:00828e8e8686b000
                    Entrypoint:0x401612
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                    Time Stamp:0x5AF0C742 [Mon May 7 21:38:10 2018 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:5
                    OS Version Minor:1
                    File Version Major:5
                    File Version Minor:1
                    Subsystem Version Major:5
                    Subsystem Version Minor:1
                    Import Hash:7848011b763d00cd02658995847dd30b
                    Instruction
                    call 00007F3424C7490Fh
                    jmp 00007F3424C73520h
                    cmp ecx, dword ptr [00413050h]
                    jne 00007F3424C736A4h
                    rep ret
                    jmp 00007F3424C74C9Bh
                    int3
                    int3
                    int3
                    int3
                    int3
                    mov ecx, dword ptr [esp+08h]
                    mov eax, dword ptr [esp+04h]
                    push edi
                    push ebx
                    push esi
                    cmp dword ptr [00427E00h], 01h
                    jc 00007F3424C73874h
                    ja 00007F3424C737A3h
                    movzx edx, byte ptr [ecx]
                    mov ebx, edx
                    shl edx, 08h
                    or edx, ebx
                    je 00007F3424C7378Fh
                    movd xmm3, edx
                    pshuflw xmm3, xmm3, 00h
                    movlhps xmm3, xmm3
                    pxor xmm0, xmm0
                    mov esi, ecx
                    or edi, FFFFFFFFh
                    movzx ebx, byte ptr [ecx]
                    add ecx, 01h
                    test ebx, ebx
                    je 00007F3424C736BFh
                    test ecx, 0000000Fh
                    jne 00007F3424C73690h
                    movdqa xmm2, dqword ptr [ecx]
                    pcmpeqb xmm2, xmm0
                    pmovmskb ebx, xmm2
                    test ebx, ebx
                    jne 00007F3424C736A7h
                    mov edi, 0000000Fh
                    movd edx, xmm3
                    mov ebx, 00000FFFh
                    and ebx, eax
                    cmp ebx, 00000FF0h
                    jnbe 00007F3424C736C9h
                    movdqu xmm1, dqword ptr [eax]
                    pxor xmm2, xmm2
                    pcmpeqb xmm2, xmm1
                    pcmpeqb xmm1, xmm3
                    por xmm1, xmm2
                    pmovmskb ebx, xmm1
                    add eax, 10h
                    test ebx, ebx
                    je 00007F3424C73674h
                    bsf ebx, ebx
                    sub eax, 10h
                    add eax, ebx
                    movzx ebx, byte ptr [eax]
                    test ebx, ebx
                    Programming Language:
                    • [C++] VS2013 build 21005
                    • [IMP] VS2008 SP1 build 30729
                    • [LNK] VS2013 build 21005
                    NameVirtual AddressVirtual Size Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                    IMAGE_DIRECTORY_ENTRY_IMPORT0x121640x50.rdata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x2a0000x1120.reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x11df80x40.rdata
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                    IMAGE_DIRECTORY_ENTRY_IAT0xe0000x17c.rdata
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
                    Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
                    .text   0x1000           0xc9c7        0xca00    False     0.5717435024752475   data       6.680188843446378   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rdata  0xe000           0x49d4        0x4a00    False     0.4021853885135135   data       4.712898301860252   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .data   0x13000          0x161c4       0x14400   False     0.47274064429012347  data       6.3863967246134115  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .reloc  0x2a000          0x1120        0x1200    False     0.7840711805555556   data       6.544131886571421   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
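The two tables above (data directories with their "Is in Section" mapping, and the section table with per-section entropy and characteristics) are read straight out of the PE headers. The following parser is an added example, not code from the report or from Joe Sandbox: it walks the COFF header, the PE32 optional header's data directory array and the section headers, maps each directory RVA to the section whose virtual range covers it, and computes Shannon entropy over each section's raw bytes. Its input is a constructed, non-loadable minimal PE32 built in `build_sample_image()` (a uniform-byte `.text` and a constant-byte `.rdata`, one directory entry deliberately pointing outside every section); the function and field names are the example's own.

```python
import math
import struct

# Data directory slot names, in IMAGE_OPTIONAL_HEADER order.
DIRECTORY_NAMES = (
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
)

# Subset of the IMAGE_SCN_* section characteristics flags.
SECTION_FLAGS = (
    (0x00000020, "IMAGE_SCN_CNT_CODE"), (0x00000040, "IMAGE_SCN_CNT_INITIALIZED_DATA"),
    (0x00000080, "IMAGE_SCN_CNT_UNINITIALIZED_DATA"), (0x02000000, "IMAGE_SCN_MEM_DISCARDABLE"),
    (0x20000000, "IMAGE_SCN_MEM_EXECUTE"), (0x40000000, "IMAGE_SCN_MEM_READ"),
    (0x80000000, "IMAGE_SCN_MEM_WRITE"),
)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def section_for_rva(sections, rva):
    """Name of the section whose virtual range covers rva (the report's 'Is in Section'), else None."""
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return s["name"]
    return None


def parse_pe32(image: bytes) -> dict:
    """Parse section headers and data directories of a PE32 image; entropy is over raw file bytes."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i  # section headers follow the optional header, 40 bytes each
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", image, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": rawsize,
            "entropy": shannon_entropy(image[rawptr:rawptr + rawsize]),
            "characteristics": [n for bit, n in SECTION_FLAGS if chars & bit],
            # VirtualSize > SizeOfRawData: the loader zero-fills the tail in memory.
            "has_uninitialized_tail": vsize > rawsize,
        })
    # PE32 layout: NumberOfRvaAndSizes at +92 of the optional header, the directory array at +96.
    ndirs = min(struct.unpack_from("<I", image, opt + 92)[0], 16)
    directories = []
    for i in range(ndirs):
        rva, size = struct.unpack_from("<II", image, opt + 96 + 8 * i)
        directories.append({"name": DIRECTORY_NAMES[i], "rva": rva, "size": size,
                            "section": section_for_rva(sections, rva) if rva else None})
    return {"sections": sections, "directories": directories}


def build_sample_image() -> bytes:
    """Constructed test input (not a loadable binary): minimal PE32 with .text and .rdata."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, 224-byte optional header
    directories = [(0, 0)] * 16
    directories[1] = (0x2010, 0x28)   # IMPORT inside .rdata
    directories[5] = (0x5000, 0x10)   # BASERELOC outside every section (should map to None)
    directories[12] = (0x2000, 0x10)  # IAT inside .rdata
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in directories)
    text_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    rdata_hdr = struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + text_hdr + rdata_hdr
    headers += b"\0" * (0x200 - len(headers))
    text = bytes(range(256)) * 2   # every byte value equally often: entropy 8.0
    rdata = b"A" * 0x200           # one byte value only: entropy 0.0
    return headers + text + rdata


if __name__ == "__main__":
    result = parse_pe32(build_sample_image())
    for s in result["sections"]:
        print(f'{s["name"]:<8} 0x{s["virtual_address"]:x} entropy={s["entropy"]:.2f} {", ".join(s["characteristics"])}')
    for d in result["directories"]:
        if d["rva"]:
            print(f'{d["name"]:<12} 0x{d["rva"]:x} 0x{d["size"]:x} {d["section"]}')
```

Run against the real sample the same walk would reproduce the tables above: the IMPORT, LOAD_CONFIG and IAT directories land in `.rdata`, BASERELOC in `.reloc`, and `.data` is the one section whose VirtualSize (0x161c4) exceeds its raw size (0x14400), so its in-memory tail is zero-filled rather than read from the file. Entropy here is computed over the raw bytes on disk, which is what the report's Entropy column reflects; a section's in-memory content after the sample has run can differ, which is why the Yara hits below are reported against memory dumps rather than the file.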
                    DLL           Imports
                    KERNEL32.dll  GetCurrentProcess, WaitForSingleObject, OpenProcess, Sleep, GetModuleFileNameW, CreateFileW, ExitThread, GetLastError, GetProcAddress, ExitProcess, GetModuleHandleA, CloseHandle, GetCurrentProcessId, GetVersionExW, LoadLibraryA, lstrlenW, TerminateThread, CreateThread, WriteConsoleW, SetFilePointerEx, VirtualProtect, IsWow64Process, SetStdHandle, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetCommandLineA, SetLastError, GetCurrentThreadId, EncodePointer, DecodePointer, GetModuleHandleExW, MultiByteToWideChar, WideCharToMultiByte, GetProcessHeap, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameA, WriteFile, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, IsDebuggerPresent, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, EnterCriticalSection, LeaveCriticalSection, HeapFree, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, LoadLibraryExW, OutputDebugStringW, HeapAlloc, HeapReAlloc, GetStringTypeW, HeapSize, LCMapStringW
                    USER32.dll    SetFocus, SendMessageW, CharUpperBuffW, GetForegroundWindow, GetSystemMetrics, GetMessageW, TranslateMessage, DispatchMessageW, SetForegroundWindow, DefWindowProcW, RegisterClassExW, CreateWindowExW, DestroyWindow, ShowWindow, keybd_event, UpdateWindow, SetWindowTextW, GetWindowLongW, SetWindowLongW, SystemParametersInfoW, GetAncestor
                    ntdll.dll     RtlUnwind
                    No network behavior found

                    Target ID:0
                    Start time:23:59:22
                    Start date:31/08/2022
                    Path:C:\Users\user\Desktop\vy3mvlAaCZ.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\vy3mvlAaCZ.exe"
                    Imagebase:0x930000
                    File size:159232 bytes
                    MD5 hash:1873A210D41ACDEF243E921F3810803A
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000000.259577181.0000000000944000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000000.259577181.0000000000944000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000000.256875847.0000000000943000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000000.256875847.0000000000943000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000000.260275699.0000000000944000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000000.260275699.0000000000944000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                    Reputation:low

                    Target ID:3
                    Start time:23:59:24
                    Start date:31/08/2022
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 244
                    Imagebase:0x970000
                    File size:434592 bytes
                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    No disassembly