Windows Analysis Report
W445hIpF47.exe

Overview

General Information

Sample Name: W445hIpF47.exe
Analysis ID: 694562
MD5: 379af2536054073f63e7f45d80963bb4
SHA1: ca8717ffb9b80a979116ebbb676dfecd0ec73c8f
SHA256: 15bfead5bee24b7c1d0104bb04e72bf5d735ee2a9416ba3ab43ecf296613b391
Tags: exe
Infos:

Detection

Gandcrab, ReflectiveLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Gandcrab
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected ReflectiveLoader
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Creates multiple autostart registry keys
Found evasive API chain (may stop execution after checking mutex)
Contains functionality to determine the online IP of the system
Found Tor onion address
Machine Learning detection for sample
May check the online IP address of the machine
Machine Learning detection for dropped file
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Queries information about the installed CPU (vendor, model number etc)
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Contains functionality to enumerate device drivers
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Checks for available system drives (often done to infect USB drives)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: W445hIpF47.exe Metadefender: Detection: 74% Perma Link
Source: W445hIpF47.exe ReversingLabs: Detection: 96%
Antivirus / Scanner detection for submitted sample
Source: W445hIpF47.exe Avira: detected
Antivirus detection for URL or domain
Source: http://gdcbmuveqjsli57x.onion/1cd33ea6922904b9 Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Avira: detection malicious, Label: TR/Dropper.Gen
Machine Learning detection for sample
Source: W445hIpF47.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.zrnips.exe.fcd0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 17.2.zrnips.exe.fcd0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 1.0.W445hIpF47.exe.fda0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 13.3.zrnips.exe.3240000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 5.3.zrnips.exe.3960000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 23.0.zrnips.exe.fcd0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 3.2.zrnips.exe.fcd0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 8.0.zrnips.exe.fcd0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 20.2.zrnips.exe.fcd0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 5.2.zrnips.exe.fcd0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 8.3.zrnips.exe.3ca0000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 19.2.zrnips.exe.fcd0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 25.2.zrnips.exe.fcd0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 1.3.W445hIpF47.exe.3750000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 15.3.zrnips.exe.2f20000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.zrnips.exe.fcd0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 13.0.zrnips.exe.fcd0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 13.2.zrnips.exe.fcd0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 5.0.zrnips.exe.fcd0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 20.3.zrnips.exe.3d60000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 23.2.zrnips.exe.fcd0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 19.3.zrnips.exe.36c0000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.zrnips.exe.3170000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 20.0.zrnips.exe.fcd0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 7.3.zrnips.exe.3990000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 3.3.zrnips.exe.34a0000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 15.0.zrnips.exe.fcd0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 12.2.zrnips.exe.fcd0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 7.0.zrnips.exe.fcd0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 12.0.zrnips.exe.fcd0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 15.2.zrnips.exe.fcd0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 25.0.zrnips.exe.fcd0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 1.2.W445hIpF47.exe.fda0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 3.0.zrnips.exe.fcd0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 23.3.zrnips.exe.3a10000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 17.0.zrnips.exe.fcd0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 19.0.zrnips.exe.fcd0000.0.unpack Avira: Label: TR/Dropper.Gen
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA63E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW, 1_2_0FDA63E0
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA82B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 1_2_0FDA82B0
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA5860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree, 1_2_0FDA5860
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA8400 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 1_2_0FDA8400
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA4B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread, 1_2_0FDA4B20
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA53D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle, 1_2_0FDA53D0
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA34F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree, 1_2_0FDA34F0
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA5670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree, 1_2_0FDA5670
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA6660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 1_2_0FDA6660
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 3_2_0FCD63E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW, 3_2_0FCD63E0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 3_2_0FCD82B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 3_2_0FCD82B0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 3_2_0FCD5860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree, 3_2_0FCD5860
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 3_2_0FCD4B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread, 3_2_0FCD4B20
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 3_2_0FCD53D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle, 3_2_0FCD53D0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 3_2_0FCD34F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree, 3_2_0FCD34F0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 3_2_0FCD6660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 3_2_0FCD6660
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 3_2_0FCD5670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree, 3_2_0FCD5670
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 3_2_0FCD8400 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 3_2_0FCD8400
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 5_2_0FCD63E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW, 5_2_0FCD63E0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 5_2_0FCD82B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 5_2_0FCD82B0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 5_2_0FCD5860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree, 5_2_0FCD5860
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 5_2_0FCD4B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread, 5_2_0FCD4B20
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 5_2_0FCD53D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle, 5_2_0FCD53D0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 5_2_0FCD34F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree, 5_2_0FCD34F0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 5_2_0FCD6660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 5_2_0FCD6660
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 5_2_0FCD5670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree, 5_2_0FCD5670
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 5_2_0FCD8400 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 5_2_0FCD8400
Uses 32bit PE files
Source: W445hIpF47.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: W445hIpF47.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH
Checks for available system drives (often done to infect USB drives)
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File opened: z:
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File opened: x:
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File opened: v:
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File opened: t:
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File opened: r:
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File opened: p:
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File opened: n:
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File opened: l:
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File opened: j:
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File opened: h:
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File opened: f:
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File opened: b:
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File opened: y:
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File opened: w:
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File opened: u:
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File opened: s:
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File opened: q:
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File opened: o:
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File opened: m:
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File opened: k:
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File opened: i:
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File opened: g:
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File opened: e:
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File opened: a:
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA6DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 1_2_0FDA6DF0
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA6BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 1_2_0FDA6BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 3_2_0FCD6DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 3_2_0FCD6DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 3_2_0FCD6BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 3_2_0FCD6BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 5_2_0FCD6DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 5_2_0FCD6DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 5_2_0FCD6BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 5_2_0FCD6BA0

Networking
barindex
Contains functionality to determine the online IP of the system
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA6FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 1_2_0FDA6FF0
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA6FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 1_2_0FDA6FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 3_2_0FCD6FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 3_2_0FCD6FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 3_2_0FCD6FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 3_2_0FCD6FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 5_2_0FCD6FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 5_2_0FCD6FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 5_2_0FCD6FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com 5_2_0FCD6FF0
Found Tor onion address
Source: W445hIpF47.exe, 00000001.00000002.335771276.000000000FDB2000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/1cd33ea6922904b9
Source: zrnips.exe, 00000003.00000002.369749852.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/1cd33ea6922904b9
Source: zrnips.exe, 00000005.00000002.385384409.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/1cd33ea6922904b9
Source: zrnips.exe, 00000007.00000002.409249887.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/1cd33ea6922904b9
Source: zrnips.exe, 00000008.00000002.425172336.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/1cd33ea6922904b9
Source: zrnips.exe, 0000000C.00000002.447997228.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/1cd33ea6922904b9
Source: zrnips.exe, 0000000D.00000002.462969629.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/1cd33ea6922904b9
Source: zrnips.exe, 0000000F.00000002.490894450.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/1cd33ea6922904b9
Source: zrnips.exe, 00000013.00000002.522593346.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/1cd33ea6922904b9
Source: zrnips.exe, 00000014.00000002.547774907.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/1cd33ea6922904b9
Source: zrnips.exe, 00000017.00000002.576290248.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/1cd33ea6922904b9
May check the online IP address of the machine
Source: C:\Users\user\Desktop\W445hIpF47.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\W445hIpF47.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\W445hIpF47.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\W445hIpF47.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\W445hIpF47.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown DNS query: name: ipv4bot.whatismyipaddress.com
Source: W445hIpF47.exe, 00000001.00000002.335771276.000000000FDB2000.00000004.00000001.01000000.00000003.sdmp, zrnips.exe, 00000003.00000002.369749852.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 00000005.00000002.385384409.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 00000007.00000002.409249887.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 00000008.00000002.425172336.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 0000000C.00000002.447997228.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 0000000D.00000002.462969629.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 0000000F.00000002.490894450.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 00000013.00000002.522593346.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 00000014.00000002.547774907.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 00000017.00000002.576290248.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp String found in binary or memory: http://gdcbmuveqjsli57x.onion/1cd33ea6922904b9
Source: zrnips.exe, 00000003.00000002.369371671.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, zrnips.exe, 0000000D.00000002.462566765.0000000000C68000.00000004.00000020.00020000.00000000.sdmp, zrnips.exe, 00000017.00000002.575488485.00000000011D4000.00000004.00000020.00020000.00000000.sdmp, zrnips.exe, 00000017.00000002.575403448.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ipv4bot.whatismyipaddress.com/
Source: zrnips.exe, 00000017.00000002.575403448.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ipv4bot.whatismyipaddress.com/75
Source: W445hIpF47.exe, 00000001.00000002.335771276.000000000FDB2000.00000004.00000001.01000000.00000003.sdmp, zrnips.exe, 00000003.00000002.369749852.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 00000005.00000002.385384409.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 00000007.00000002.409249887.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 00000008.00000002.425172336.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 0000000C.00000002.447997228.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 0000000D.00000002.462969629.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 0000000F.00000002.490894450.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 00000013.00000002.522593346.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 00000014.00000002.547774907.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 00000017.00000002.576290248.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp String found in binary or memory: https://tox.chat/download.html
Source: W445hIpF47.exe, 00000001.00000002.335771276.000000000FDB2000.00000004.00000001.01000000.00000003.sdmp, zrnips.exe, 00000003.00000002.369749852.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 00000005.00000002.385384409.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 00000007.00000002.409249887.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 00000008.00000002.425172336.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 0000000C.00000002.447997228.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 0000000D.00000002.462969629.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 0000000F.00000002.490894450.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 00000013.00000002.522593346.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 00000014.00000002.547774907.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, zrnips.exe, 00000017.00000002.576290248.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.torproject.org/
Source: unknown DNS traffic detected: queries for: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA8050 lstrcatW,InternetCloseHandle,InternetConnectW,VirtualAlloc,wsprintfW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpSendRequestW,InternetReadFile,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,VirtualFree, 1_2_0FDA8050
Creates a DirectInput object (often for capturing keystrokes)
Source: zrnips.exe, 00000003.00000002.369371671.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands
barindex
Yara detected Gandcrab
Source: Yara match File source: 23.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.W445hIpF47.exe.fda0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.462969629.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.385384409.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.522593346.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.409249887.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.447997228.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.335771276.000000000FDB2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.369749852.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.576290248.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.425172336.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.547774907.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.490894450.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: W445hIpF47.exe PID: 4984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zrnips.exe PID: 4940, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zrnips.exe PID: 4544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zrnips.exe PID: 5896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zrnips.exe PID: 5612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zrnips.exe PID: 6132, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zrnips.exe PID: 5684, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zrnips.exe PID: 1792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zrnips.exe PID: 856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zrnips.exe PID: 4888, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zrnips.exe PID: 5408, type: MEMORYSTR
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA6660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 1_2_0FDA6660
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 3_2_0FCD6660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 3_2_0FCD6660
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 5_2_0FCD6660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection, 5_2_0FCD6660

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: W445hIpF47.exe, type: SAMPLE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: W445hIpF47.exe, type: SAMPLE Matched rule: Gandcrab Payload Author: kevoreilly
Source: W445hIpF47.exe, type: SAMPLE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 5.3.zrnips.exe.3960000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 5.3.zrnips.exe.3960000.0.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 5.3.zrnips.exe.3960000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 5.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 5.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 5.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.3.zrnips.exe.2f20000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.3.zrnips.exe.2f20000.0.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.3.zrnips.exe.2f20000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 23.3.zrnips.exe.3a10000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 23.3.zrnips.exe.3a10000.0.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 23.3.zrnips.exe.3a10000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.3.zrnips.exe.36c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.3.zrnips.exe.36c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.3.zrnips.exe.36c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 1.3.W445hIpF47.exe.3750000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.3.W445hIpF47.exe.3750000.0.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 1.3.W445hIpF47.exe.3750000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 20.3.zrnips.exe.3d60000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 20.3.zrnips.exe.3d60000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 20.3.zrnips.exe.3d60000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 23.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 23.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 23.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 1.0.W445hIpF47.exe.fda0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.0.W445hIpF47.exe.fda0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 1.0.W445hIpF47.exe.fda0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.3.zrnips.exe.36c0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.3.zrnips.exe.36c0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.3.zrnips.exe.36c0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 13.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 13.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 13.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 7.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 7.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 7.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.3.zrnips.exe.3170000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.3.zrnips.exe.3170000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.3.zrnips.exe.3170000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 20.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 20.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 20.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 7.3.zrnips.exe.3990000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 7.3.zrnips.exe.3990000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 7.3.zrnips.exe.3990000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 3.3.zrnips.exe.34a0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.3.zrnips.exe.34a0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 3.3.zrnips.exe.34a0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 7.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 7.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 7.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 1.2.W445hIpF47.exe.fda0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.2.W445hIpF47.exe.fda0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 1.2.W445hIpF47.exe.fda0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 23.3.zrnips.exe.3a10000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 23.3.zrnips.exe.3a10000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 23.3.zrnips.exe.3a10000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 17.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 17.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 17.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.3.zrnips.exe.3170000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.3.zrnips.exe.3170000.0.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.3.zrnips.exe.3170000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 1.3.W445hIpF47.exe.3750000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.3.W445hIpF47.exe.3750000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 1.3.W445hIpF47.exe.3750000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.3.zrnips.exe.2f20000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.3.zrnips.exe.2f20000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.3.zrnips.exe.2f20000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 7.3.zrnips.exe.3990000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 7.3.zrnips.exe.3990000.0.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 7.3.zrnips.exe.3990000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 20.3.zrnips.exe.3d60000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 20.3.zrnips.exe.3d60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 20.3.zrnips.exe.3d60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 13.3.zrnips.exe.3240000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 13.3.zrnips.exe.3240000.0.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 13.3.zrnips.exe.3240000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 3.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 3.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 5.3.zrnips.exe.3960000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 5.3.zrnips.exe.3960000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 5.3.zrnips.exe.3960000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 20.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 20.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 20.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 13.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 13.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 13.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 13.3.zrnips.exe.3240000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 13.3.zrnips.exe.3240000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 13.3.zrnips.exe.3240000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 8.3.zrnips.exe.3ca0000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 8.3.zrnips.exe.3ca0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 8.3.zrnips.exe.3ca0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 17.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 17.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 17.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 5.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 5.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 5.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 23.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 23.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 23.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 8.3.zrnips.exe.3ca0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 8.3.zrnips.exe.3ca0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 8.3.zrnips.exe.3ca0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 8.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 8.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 8.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 3.3.zrnips.exe.34a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.3.zrnips.exe.34a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 3.3.zrnips.exe.34a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 8.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 8.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 8.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 3.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 3.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000013.00000003.521241668.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000013.00000003.521241668.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000013.00000003.521241668.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000007.00000003.408576390.0000000003990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000007.00000003.408576390.0000000003990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000007.00000003.408576390.0000000003990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000005.00000003.384531740.0000000003960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000005.00000003.384531740.0000000003960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000005.00000003.384531740.0000000003960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000014.00000003.546628326.0000000003D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000014.00000003.546628326.0000000003D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000014.00000003.546628326.0000000003D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000017.00000003.574625963.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000017.00000003.574625963.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000017.00000003.574625963.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000008.00000003.424307564.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000008.00000003.424307564.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000008.00000003.424307564.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000D.00000003.462209860.0000000003240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000D.00000003.462209860.0000000003240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000D.00000003.462209860.0000000003240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000C.00000003.446505391.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000C.00000003.446505391.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000C.00000003.446505391.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000001.00000003.334801749.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000001.00000003.334801749.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000001.00000003.334801749.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000003.00000003.369063842.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000003.00000003.369063842.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000003.00000003.369063842.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000F.00000003.490038612.0000000002F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000F.00000003.490038612.0000000002F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000F.00000003.490038612.0000000002F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe, type: DROPPED Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe, type: DROPPED Matched rule: Gandcrab Payload Author: kevoreilly
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe, type: DROPPED Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Uses 32bit PE files
Source: W445hIpF47.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: W445hIpF47.exe, type: SAMPLE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: W445hIpF47.exe, type: SAMPLE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: W445hIpF47.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: W445hIpF47.exe, type: SAMPLE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: W445hIpF47.exe, type: SAMPLE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.3.zrnips.exe.3960000.0.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 5.3.zrnips.exe.3960000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 5.3.zrnips.exe.3960000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 5.3.zrnips.exe.3960000.0.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 5.3.zrnips.exe.3960000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 5.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 5.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 5.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 5.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.3.zrnips.exe.2f20000.0.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.3.zrnips.exe.2f20000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.3.zrnips.exe.2f20000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.3.zrnips.exe.2f20000.0.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.3.zrnips.exe.2f20000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 23.3.zrnips.exe.3a10000.0.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 23.3.zrnips.exe.3a10000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 23.3.zrnips.exe.3a10000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 23.3.zrnips.exe.3a10000.0.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 23.3.zrnips.exe.3a10000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.3.zrnips.exe.36c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.3.zrnips.exe.36c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.3.zrnips.exe.36c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.3.zrnips.exe.36c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.3.zrnips.exe.36c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.3.W445hIpF47.exe.3750000.0.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 1.3.W445hIpF47.exe.3750000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 1.3.W445hIpF47.exe.3750000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.3.W445hIpF47.exe.3750000.0.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 1.3.W445hIpF47.exe.3750000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.3.zrnips.exe.3d60000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 20.3.zrnips.exe.3d60000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 20.3.zrnips.exe.3d60000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 20.3.zrnips.exe.3d60000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 20.3.zrnips.exe.3d60000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 23.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 23.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 23.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 23.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 23.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.0.W445hIpF47.exe.fda0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 1.0.W445hIpF47.exe.fda0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 1.0.W445hIpF47.exe.fda0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.0.W445hIpF47.exe.fda0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 1.0.W445hIpF47.exe.fda0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.3.zrnips.exe.36c0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.3.zrnips.exe.36c0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.3.zrnips.exe.36c0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.3.zrnips.exe.36c0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.3.zrnips.exe.36c0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 13.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 13.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 13.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 13.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 13.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 7.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 7.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 7.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 7.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.3.zrnips.exe.3170000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.3.zrnips.exe.3170000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.3.zrnips.exe.3170000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.3.zrnips.exe.3170000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.3.zrnips.exe.3170000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 20.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 20.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 20.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 20.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.3.zrnips.exe.3990000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 7.3.zrnips.exe.3990000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 7.3.zrnips.exe.3990000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 7.3.zrnips.exe.3990000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 7.3.zrnips.exe.3990000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 3.3.zrnips.exe.34a0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.3.zrnips.exe.34a0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 3.3.zrnips.exe.34a0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.3.zrnips.exe.34a0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 3.3.zrnips.exe.34a0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 7.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 7.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 7.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 7.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.2.W445hIpF47.exe.fda0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 1.2.W445hIpF47.exe.fda0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 1.2.W445hIpF47.exe.fda0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.2.W445hIpF47.exe.fda0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 1.2.W445hIpF47.exe.fda0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 23.3.zrnips.exe.3a10000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 23.3.zrnips.exe.3a10000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 23.3.zrnips.exe.3a10000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 23.3.zrnips.exe.3a10000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 23.3.zrnips.exe.3a10000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 17.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 17.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 17.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 17.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.3.zrnips.exe.3170000.0.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.3.zrnips.exe.3170000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.3.zrnips.exe.3170000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.3.zrnips.exe.3170000.0.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.3.zrnips.exe.3170000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 1.3.W445hIpF47.exe.3750000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 1.3.W445hIpF47.exe.3750000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 1.3.W445hIpF47.exe.3750000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.3.W445hIpF47.exe.3750000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 1.3.W445hIpF47.exe.3750000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.3.zrnips.exe.2f20000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.3.zrnips.exe.2f20000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.3.zrnips.exe.2f20000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.3.zrnips.exe.2f20000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.3.zrnips.exe.2f20000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.3.zrnips.exe.3990000.0.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 7.3.zrnips.exe.3990000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 7.3.zrnips.exe.3990000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 7.3.zrnips.exe.3990000.0.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 7.3.zrnips.exe.3990000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.3.zrnips.exe.3d60000.0.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 20.3.zrnips.exe.3d60000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 20.3.zrnips.exe.3d60000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 20.3.zrnips.exe.3d60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 20.3.zrnips.exe.3d60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 13.3.zrnips.exe.3240000.0.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 13.3.zrnips.exe.3240000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 13.3.zrnips.exe.3240000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 13.3.zrnips.exe.3240000.0.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 13.3.zrnips.exe.3240000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 3.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 3.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 3.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.3.zrnips.exe.3960000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 5.3.zrnips.exe.3960000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 5.3.zrnips.exe.3960000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 5.3.zrnips.exe.3960000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 5.3.zrnips.exe.3960000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 20.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 20.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 20.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 20.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 13.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 13.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 13.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 13.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 13.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 13.3.zrnips.exe.3240000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 13.3.zrnips.exe.3240000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 13.3.zrnips.exe.3240000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 13.3.zrnips.exe.3240000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 13.3.zrnips.exe.3240000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.3.zrnips.exe.3ca0000.0.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 8.3.zrnips.exe.3ca0000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 8.3.zrnips.exe.3ca0000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 8.3.zrnips.exe.3ca0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 8.3.zrnips.exe.3ca0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 17.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 17.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 17.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 17.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 5.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 5.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 5.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 5.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 23.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 23.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 23.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 23.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 23.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.3.zrnips.exe.3ca0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 8.3.zrnips.exe.3ca0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 8.3.zrnips.exe.3ca0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 8.3.zrnips.exe.3ca0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 8.3.zrnips.exe.3ca0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 8.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 8.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 8.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 8.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 3.3.zrnips.exe.34a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.3.zrnips.exe.34a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 3.3.zrnips.exe.34a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.3.zrnips.exe.34a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 3.3.zrnips.exe.34a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 8.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 8.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 8.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 8.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 3.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 3.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 3.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000013.00000003.521241668.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000013.00000003.521241668.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000013.00000003.521241668.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000013.00000003.521241668.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000013.00000003.521241668.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000007.00000003.408576390.0000000003990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000007.00000003.408576390.0000000003990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000007.00000003.408576390.0000000003990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000007.00000003.408576390.0000000003990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000007.00000003.408576390.0000000003990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000005.00000003.384531740.0000000003960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000005.00000003.384531740.0000000003960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000005.00000003.384531740.0000000003960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000005.00000003.384531740.0000000003960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000005.00000003.384531740.0000000003960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000014.00000003.546628326.0000000003D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000014.00000003.546628326.0000000003D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000014.00000003.546628326.0000000003D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000014.00000003.546628326.0000000003D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000014.00000003.546628326.0000000003D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000017.00000003.574625963.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000017.00000003.574625963.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000017.00000003.574625963.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000017.00000003.574625963.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000017.00000003.574625963.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000008.00000003.424307564.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000008.00000003.424307564.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000008.00000003.424307564.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000008.00000003.424307564.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000008.00000003.424307564.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000D.00000003.462209860.0000000003240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000D.00000003.462209860.0000000003240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000D.00000003.462209860.0000000003240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000D.00000003.462209860.0000000003240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000D.00000003.462209860.0000000003240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000C.00000003.446505391.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000C.00000003.446505391.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000C.00000003.446505391.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000C.00000003.446505391.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000C.00000003.446505391.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000001.00000003.334801749.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000001.00000003.334801749.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000001.00000003.334801749.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000001.00000003.334801749.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000001.00000003.334801749.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000003.00000003.369063842.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000003.00000003.369063842.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000003.00000003.369063842.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000003.00000003.369063842.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000003.00000003.369063842.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000F.00000003.490038612.0000000002F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000F.00000003.490038612.0000000002F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000F.00000003.490038612.0000000002F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000F.00000003.490038612.0000000002F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000F.00000003.490038612.0000000002F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: Process Memory Space: zrnips.exe PID: 4940, type: MEMORYSTR Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: zrnips.exe PID: 5684, type: MEMORYSTR Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: zrnips.exe PID: 5408, type: MEMORYSTR Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe, type: DROPPED Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe, type: DROPPED Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe, type: DROPPED Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe, type: DROPPED Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Detected potential crypto function
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA1C20 1_2_0FDA1C20
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA1020 1_2_0FDA1020
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA8520 1_2_0FDA8520
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 3_2_0FCD1C20 3_2_0FCD1C20
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 3_2_0FCD1020 3_2_0FCD1020
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 3_2_0FCD8520 3_2_0FCD8520
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 5_2_0FCD1C20 5_2_0FCD1C20
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 5_2_0FCD1020 5_2_0FCD1020
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 5_2_0FCD8520 5_2_0FCD8520
Source: W445hIpF47.exe Metadefender: Detection: 74%
Source: W445hIpF47.exe ReversingLabs: Detection: 96%
Source: C:\Users\user\Desktop\W445hIpF47.exe File read: C:\Users\user\Desktop\W445hIpF47.exe Jump to behavior
Source: W445hIpF47.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\W445hIpF47.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\W445hIpF47.exe "C:\Users\user\Desktop\W445hIpF47.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe"
Source: C:\Users\user\Desktop\W445hIpF47.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\W445hIpF47.exe File created: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Jump to behavior
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@13/1@12/0
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA7490 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree, 1_2_0FDA7490
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA48C0 CreateToolhelp32Snapshot,VirtualAlloc,Process32FirstW,CloseHandle,lstrcmpiW,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,Process32NextW,VirtualFree,FindCloseChangeNotification, 1_2_0FDA48C0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=1cd33ea6922904b9
Source: C:\Users\user\Desktop\W445hIpF47.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\W445hIpF47.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: W445hIpF47.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Data Obfuscation
barindex
Yara detected ReflectiveLoader
Source: Yara match File source: W445hIpF47.exe, type: SAMPLE
Source: Yara match File source: 5.3.zrnips.exe.3960000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.zrnips.exe.2f20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.zrnips.exe.3a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.3.zrnips.exe.36c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.W445hIpF47.exe.3750000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.zrnips.exe.3d60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.W445hIpF47.exe.fda0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.3.zrnips.exe.36c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.zrnips.exe.3170000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.zrnips.exe.3990000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.zrnips.exe.34a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.W445hIpF47.exe.fda0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.zrnips.exe.3a10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.zrnips.exe.3170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.W445hIpF47.exe.3750000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.zrnips.exe.2f20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.zrnips.exe.3990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.zrnips.exe.3d60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.zrnips.exe.3240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.zrnips.exe.3960000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.zrnips.exe.3240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.zrnips.exe.3ca0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.zrnips.exe.3ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.zrnips.exe.34a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.zrnips.exe.fcd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.409239995.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.533542900.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.488096195.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.576268980.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.521241668.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.408576390.0000000003990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.503181846.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.384531740.0000000003960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.551633083.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.573322590.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.425162740.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.447982065.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.522576271.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.546628326.0000000003D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.574625963.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.449764265.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.369680264.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.355052836.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.424307564.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.316448392.000000000FDAA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.462209860.0000000003240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.432379853.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.446505391.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.394503180.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.412718126.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.462959628.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.334801749.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.335764679.000000000FDAA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.373648417.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.547763801.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.369063842.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.568967780.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.490875423.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.490038612.0000000002F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.485191831.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.385364580.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.467464358.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: W445hIpF47.exe PID: 4984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zrnips.exe PID: 4940, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zrnips.exe PID: 4544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zrnips.exe PID: 5896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zrnips.exe PID: 5612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zrnips.exe PID: 6132, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zrnips.exe PID: 5684, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zrnips.exe PID: 1792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zrnips.exe PID: 4736, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zrnips.exe PID: 856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zrnips.exe PID: 4888, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zrnips.exe PID: 5408, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zrnips.exe PID: 4724, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe, type: DROPPED
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA82B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 1_2_0FDA82B0
PE file contains an invalid checksum
Source: W445hIpF47.exe Static PE information: real checksum: 0x120f7 should be: 0x1d004
Source: zrnips.exe.1.dr Static PE information: real checksum: 0x120f7 should be: 0x182c1
Drops PE files
Source: C:\Users\user\Desktop\W445hIpF47.exe File created: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vlujgxdarml Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jxyyakggfhw Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce fwyuhnnfppu
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce fnwitigtrzg Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce pufpoqlopxk Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce icyakbwwtkt Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vcvvgrlytwo Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce psmkjgiilgz
Source: C:\Users\user\Desktop\W445hIpF47.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce oikgjamwdag Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce gwocugdvyyi Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ldtrmpohtby Jump to behavior
Source: C:\Users\user\Desktop\W445hIpF47.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce oikgjamwdag Jump to behavior
Source: C:\Users\user\Desktop\W445hIpF47.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce oikgjamwdag Jump to behavior
Source: C:\Users\user\Desktop\W445hIpF47.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce oikgjamwdag Jump to behavior
Source: C:\Users\user\Desktop\W445hIpF47.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce oikgjamwdag Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vlujgxdarml Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vlujgxdarml Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vlujgxdarml Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vlujgxdarml Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce icyakbwwtkt Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce icyakbwwtkt Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce icyakbwwtkt Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce icyakbwwtkt Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vcvvgrlytwo Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vcvvgrlytwo Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vcvvgrlytwo Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vcvvgrlytwo Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce fnwitigtrzg Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce fnwitigtrzg Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce fnwitigtrzg Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce fnwitigtrzg Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jxyyakggfhw Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jxyyakggfhw Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jxyyakggfhw Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jxyyakggfhw Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce pufpoqlopxk Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce pufpoqlopxk Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce pufpoqlopxk Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce pufpoqlopxk Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce gwocugdvyyi Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce gwocugdvyyi Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce gwocugdvyyi Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce gwocugdvyyi Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ldtrmpohtby Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ldtrmpohtby Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ldtrmpohtby Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ldtrmpohtby Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce fwyuhnnfppu
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce fwyuhnnfppu
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce fwyuhnnfppu
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce fwyuhnnfppu
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce psmkjgiilgz
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce psmkjgiilgz
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce psmkjgiilgz
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce psmkjgiilgz
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\W445hIpF47.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Contains functionality to enumerate device drivers
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree, 1_2_0FDA2F50
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree, 3_2_0FCD2F50
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree, 5_2_0FCD2F50
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA6DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 1_2_0FDA6DF0
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA6BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 1_2_0FDA6BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 3_2_0FCD6DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 3_2_0FCD6DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 3_2_0FCD6BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 3_2_0FCD6BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 5_2_0FCD6DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose, 5_2_0FCD6DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 5_2_0FCD6BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose, 5_2_0FCD6BA0
Source: C:\Users\user\Desktop\W445hIpF47.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\W445hIpF47.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\W445hIpF47.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\W445hIpF47.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\W445hIpF47.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\W445hIpF47.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe API call chain: ExitProcess graph end node
Source: zrnips.exe, 00000017.00000002.575403448.0000000001198000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
Source: zrnips.exe, 00000003.00000002.369371671.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, zrnips.exe, 0000000D.00000002.462566765.0000000000C68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA82B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree, 1_2_0FDA82B0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA53D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle, 1_2_0FDA53D0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA5FF0 mov eax, dword ptr fs:[00000030h] 1_2_0FDA5FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 3_2_0FCD5FF0 mov eax, dword ptr fs:[00000030h] 3_2_0FCD5FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Code function: 5_2_0FCD5FF0 mov eax, dword ptr fs:[00000030h] 5_2_0FCD5FF0
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA3C70 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid, 1_2_0FDA3C70
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\W445hIpF47.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\W445hIpF47.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\W445hIpF47.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA9200 cpuid 1_2_0FDA9200
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\W445hIpF47.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\W445hIpF47.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\W445hIpF47.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\W445hIpF47.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\W445hIpF47.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\W445hIpF47.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\W445hIpF47.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\W445hIpF47.exe Code function: 1_2_0FDA7490 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree, 1_2_0FDA7490
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 694562 Sample: W445hIpF47.exe Startdate: 31/08/2022 Architecture: WINDOWS Score: 100 19 ipv4bot.whatismyipaddress.com 2->19 33 Malicious sample detected (through community Yara rule) 2->33 35 Antivirus detection for URL or domain 2->35 37 Antivirus / Scanner detection for submitted sample 2->37 41 5 other signatures 2->41 6 zrnips.exe 1 10 2->6         started        10 W445hIpF47.exe 1 11 2->10         started        13 zrnips.exe 1 10 2->13         started        15 10 other processes 2->15 signatures3 39 May check the online IP address of the machine 19->39 process4 dnsIp5 21 ipv4bot.whatismyipaddress.com 6->21 43 Antivirus detection for dropped file 6->43 45 Found evasive API chain (may stop execution after checking mutex) 6->45 47 Contains functionality to determine the online IP of the system 6->47 49 Machine Learning detection for dropped file 6->49 23 ipv4bot.whatismyipaddress.com 10->23 17 C:\Users\user\AppData\Roaming\...\zrnips.exe, PE32 10->17 dropped 51 May check the online IP address of the machine 10->51 53 Creates multiple autostart registry keys 10->53 25 ipv4bot.whatismyipaddress.com 13->25 27 ipv4bot.whatismyipaddress.com 15->27 29 ipv4bot.whatismyipaddress.com 15->29 31 6 other IPs or domains 15->31 file6 signatures7
No contacted IP infos

Contacted Domains

Name IP Active
ipv4bot.whatismyipaddress.com unknown unknown