Edit tour

Windows Analysis Report
W445hIpF47.exe

Overview

General Information

Sample Name:	W445hIpF47.exe
Analysis ID:	694562
MD5:	379af2536054073f63e7f45d80963bb4
SHA1:	ca8717ffb9b80a979116ebbb676dfecd0ec73c8f
SHA256:	15bfead5bee24b7c1d0104bb04e72bf5d735ee2a9416ba3ab43ecf296613b391
Tags:	exe
Infos:

Detection

Gandcrab, ReflectiveLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Gandcrab

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected ReflectiveLoader

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Creates multiple autostart registry keys

Found evasive API chain (may stop execution after checking mutex)

Contains functionality to determine the online IP of the system

Found Tor onion address

Machine Learning detection for sample

May check the online IP address of the machine

Machine Learning detection for dropped file

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Queries information about the installed CPU (vendor, model number etc)

PE file contains an invalid checksum

Drops PE files

Contains functionality to read the PEB

Contains functionality to enumerate device drivers

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Checks for available system drives (often done to infect USB drives)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

W445hIpF47.exe (PID: 4984 cmdline: "C:\Users\user\Desktop\W445hIpF47.exe" MD5: 379AF2536054073F63E7F45D80963BB4)

zrnips.exe (PID: 4940 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" MD5: 9560C1D27C69870E70DD78A19C8FE473)

zrnips.exe (PID: 4544 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" MD5: 9560C1D27C69870E70DD78A19C8FE473)

zrnips.exe (PID: 5896 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" MD5: 9560C1D27C69870E70DD78A19C8FE473)

zrnips.exe (PID: 5612 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" MD5: 9560C1D27C69870E70DD78A19C8FE473)

zrnips.exe (PID: 6132 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" MD5: 9560C1D27C69870E70DD78A19C8FE473)

zrnips.exe (PID: 5684 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" MD5: 9560C1D27C69870E70DD78A19C8FE473)

zrnips.exe (PID: 1792 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" MD5: 9560C1D27C69870E70DD78A19C8FE473)

zrnips.exe (PID: 4736 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" MD5: 9560C1D27C69870E70DD78A19C8FE473)

zrnips.exe (PID: 856 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" MD5: 9560C1D27C69870E70DD78A19C8FE473)

zrnips.exe (PID: 4888 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" MD5: 9560C1D27C69870E70DD78A19C8FE473)

zrnips.exe (PID: 5408 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" MD5: 9560C1D27C69870E70DD78A19C8FE473)

zrnips.exe (PID: 4724 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe" MD5: 9560C1D27C69870E70DD78A19C8FE473)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
W445hIpF47.exe	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
W445hIpF47.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
W445hIpF47.exe	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
W445hIpF47.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
W445hIpF47.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
W445hIpF47.exe	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
Click to see the 1 entries

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
C:\Users\user\AppData\Roaming\Microsoft\zrnips.exe	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.462969629.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000007.00000002.409239995.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000005.00000002.385384409.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000014.00000000.533542900.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000011.00000002.488096195.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000017.00000002.576268980.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000013.00000003.521241668.00000000036C0000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000013.00000003.521241668.00000000036C0000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000013.00000003.521241668.00000000036C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000013.00000003.521241668.00000000036C0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000013.00000003.521241668.00000000036C0000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000013.00000003.521241668.00000000036C0000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000007.00000003.408576390.0000000003990000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000007.00000003.408576390.0000000003990000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000007.00000003.408576390.0000000003990000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000007.00000003.408576390.0000000003990000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000007.00000003.408576390.0000000003990000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000007.00000003.408576390.0000000003990000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000013.00000000.503181846.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000013.00000002.522593346.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000005.00000003.384531740.0000000003960000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000005.00000003.384531740.0000000003960000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000005.00000003.384531740.0000000003960000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000005.00000003.384531740.0000000003960000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000005.00000003.384531740.0000000003960000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000005.00000003.384531740.0000000003960000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000017.00000000.551633083.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000002.573322590.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000008.00000002.425162740.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000007.00000002.409249887.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000C.00000002.447982065.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000013.00000002.522576271.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000014.00000003.546628326.0000000003D60000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000014.00000003.546628326.0000000003D60000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000014.00000003.546628326.0000000003D60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000014.00000003.546628326.0000000003D60000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000014.00000003.546628326.0000000003D60000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000014.00000003.546628326.0000000003D60000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000017.00000003.574625963.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000017.00000003.574625963.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000017.00000003.574625963.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000017.00000003.574625963.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000017.00000003.574625963.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000017.00000003.574625963.0000000003A10000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0000000D.00000000.449764265.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000003.00000002.369680264.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000C.00000002.447997228.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000001.00000002.335771276.000000000FDB2000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000003.00000000.355052836.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000008.00000003.424307564.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000008.00000003.424307564.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000008.00000003.424307564.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000008.00000003.424307564.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000008.00000003.424307564.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000008.00000003.424307564.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000001.00000000.316448392.000000000FDAA000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000D.00000003.462209860.0000000003240000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000000D.00000003.462209860.0000000003240000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000000D.00000003.462209860.0000000003240000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000D.00000003.462209860.0000000003240000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000000D.00000003.462209860.0000000003240000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000000D.00000003.462209860.0000000003240000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0000000C.00000000.432379853.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000003.00000002.369749852.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000C.00000003.446505391.0000000003170000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000000C.00000003.446505391.0000000003170000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000000C.00000003.446505391.0000000003170000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000C.00000003.446505391.0000000003170000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000000C.00000003.446505391.0000000003170000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000000C.00000003.446505391.0000000003170000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000007.00000000.394503180.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000008.00000000.412718126.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000D.00000002.462959628.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000001.00000003.334801749.0000000003750000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000001.00000003.334801749.0000000003750000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000001.00000003.334801749.0000000003750000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000001.00000003.334801749.0000000003750000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000001.00000003.334801749.0000000003750000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000001.00000003.334801749.0000000003750000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000001.00000002.335764679.000000000FDAA000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000017.00000002.576290248.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000005.00000000.373648417.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000014.00000002.547763801.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000008.00000002.425172336.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000003.00000003.369063842.00000000034A0000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000003.00000003.369063842.00000000034A0000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000003.00000003.369063842.00000000034A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000003.00000003.369063842.00000000034A0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000003.00000003.369063842.00000000034A0000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000003.00000003.369063842.00000000034A0000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000014.00000002.547774907.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000019.00000000.568967780.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000F.00000002.490875423.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000F.00000003.490038612.0000000002F20000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000000F.00000003.490038612.0000000002F20000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000000F.00000003.490038612.0000000002F20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000F.00000003.490038612.0000000002F20000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000000F.00000003.490038612.0000000002F20000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000000F.00000003.490038612.0000000002F20000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000011.00000000.485191831.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000F.00000002.490894450.000000000FCE2000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000005.00000002.385364580.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000F.00000000.467464358.000000000FCDA000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: W445hIpF47.exe PID: 4984	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: W445hIpF47.exe PID: 4984	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: zrnips.exe PID: 4940	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x15ec2:$xs1: WS2_32.dll 0x9810:$xs2: ReflectiveLoader 0x9832:$xs2: ReflectiveLoader 0xb46c:$xs2: ReflectiveLoader 0xb48e:$xs2: ReflectiveLoader 0xeda3:$xs2: ReflectiveLoader 0xedc5:$xs2: ReflectiveLoader
Process Memory Space: zrnips.exe PID: 4940	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: zrnips.exe PID: 4940	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: zrnips.exe PID: 4544	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: zrnips.exe PID: 4544	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: zrnips.exe PID: 5896	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: zrnips.exe PID: 5896	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: zrnips.exe PID: 5612	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: zrnips.exe PID: 5612	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: zrnips.exe PID: 6132	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: zrnips.exe PID: 6132	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: zrnips.exe PID: 5684	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x44ec:$xs1: WS2_32.dll 0xa40f:$xs2: ReflectiveLoader 0xa431:$xs2: ReflectiveLoader 0xc530:$xs2: ReflectiveLoader 0xc552:$xs2: ReflectiveLoader 0xf0df:$xs2: ReflectiveLoader 0xf101:$xs2: ReflectiveLoader
Process Memory Space: zrnips.exe PID: 5684	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: zrnips.exe PID: 5684	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: zrnips.exe PID: 1792	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: zrnips.exe PID: 1792	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: zrnips.exe PID: 4736	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: zrnips.exe PID: 856	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: zrnips.exe PID: 856	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: zrnips.exe PID: 4888	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: zrnips.exe PID: 4888	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: zrnips.exe PID: 5408	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0xd440:$xs1: WS2_32.dll 0xd866:$xs1: WS2_32.dll 0x3643:$xs2: ReflectiveLoader 0x3665:$xs2: ReflectiveLoader 0x594a:$xs2: ReflectiveLoader 0x596c:$xs2: ReflectiveLoader 0x9eae:$xs2: ReflectiveLoader 0x9ed0:$xs2: ReflectiveLoader
Process Memory Space: zrnips.exe PID: 5408	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: zrnips.exe PID: 5408	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: zrnips.exe PID: 4724	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Click to see the 125 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.3.zrnips.exe.3960000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
5.3.zrnips.exe.3960000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
5.3.zrnips.exe.3960000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
5.3.zrnips.exe.3960000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
5.3.zrnips.exe.3960000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
5.3.zrnips.exe.3960000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
5.0.zrnips.exe.fcd0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
5.0.zrnips.exe.fcd0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
5.0.zrnips.exe.fcd0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
5.0.zrnips.exe.fcd0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
5.0.zrnips.exe.fcd0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
5.0.zrnips.exe.fcd0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 CD 0F 8B 35 44 A1 CD 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 CD 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 CD 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 CD 0F 8B 35 10 A1 CD 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 CD 0F C7 44 24 1C 64 F4 CD 0F C7 44 24 20 80 F4 CD 0F C7 44 24 24 A0 F4 CD 0F C7 44 24 28 BC F4 CD 0F C7 44 24 2C D8 F4 CD 0F C7 44 24 30 F0 F4 CD 0F C7 44 24 34 04 F5 CD 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 CD 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 CE 0F C7 45 B8 BC 03 CE 0F C7 45 BC ...
15.3.zrnips.exe.2f20000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
15.3.zrnips.exe.2f20000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
15.3.zrnips.exe.2f20000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
15.3.zrnips.exe.2f20000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
15.3.zrnips.exe.2f20000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
15.3.zrnips.exe.2f20000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
23.3.zrnips.exe.3a10000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
23.3.zrnips.exe.3a10000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
23.3.zrnips.exe.3a10000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
23.3.zrnips.exe.3a10000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
23.3.zrnips.exe.3a10000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
23.3.zrnips.exe.3a10000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
19.3.zrnips.exe.36c0000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
19.3.zrnips.exe.36c0000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
19.3.zrnips.exe.36c0000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
19.3.zrnips.exe.36c0000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
19.3.zrnips.exe.36c0000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
19.3.zrnips.exe.36c0000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
1.3.W445hIpF47.exe.3750000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
1.3.W445hIpF47.exe.3750000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
1.3.W445hIpF47.exe.3750000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
1.3.W445hIpF47.exe.3750000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
1.3.W445hIpF47.exe.3750000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
1.3.W445hIpF47.exe.3750000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
20.3.zrnips.exe.3d60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
20.3.zrnips.exe.3d60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
20.3.zrnips.exe.3d60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
20.3.zrnips.exe.3d60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
20.3.zrnips.exe.3d60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
20.3.zrnips.exe.3d60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
23.2.zrnips.exe.fcd0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
23.2.zrnips.exe.fcd0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
23.2.zrnips.exe.fcd0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
23.2.zrnips.exe.fcd0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
23.2.zrnips.exe.fcd0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
23.2.zrnips.exe.fcd0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
23.2.zrnips.exe.fcd0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 CD 0F 8B 35 44 A1 CD 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 CD 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 CD 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 CD 0F 8B 35 10 A1 CD 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 CD 0F C7 44 24 1C 64 F4 CD 0F C7 44 24 20 80 F4 CD 0F C7 44 24 24 A0 F4 CD 0F C7 44 24 28 BC F4 CD 0F C7 44 24 2C D8 F4 CD 0F C7 44 24 30 F0 F4 CD 0F C7 44 24 34 04 F5 CD 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 CD 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 CE 0F C7 45 B8 BC 03 CE 0F C7 45 BC ...
1.0.W445hIpF47.exe.fda0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
1.0.W445hIpF47.exe.fda0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
1.0.W445hIpF47.exe.fda0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
1.0.W445hIpF47.exe.fda0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
1.0.W445hIpF47.exe.fda0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
1.0.W445hIpF47.exe.fda0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 DA 0F 8B 35 44 A1 DA 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 DA 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 DA 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 DA 0F 8B 35 10 A1 DA 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 DA 0F C7 44 24 1C 64 F4 DA 0F C7 44 24 20 80 F4 DA 0F C7 44 24 24 A0 F4 DA 0F C7 44 24 28 BC F4 DA 0F C7 44 24 2C D8 F4 DA 0F C7 44 24 30 F0 F4 DA 0F C7 44 24 34 04 F5 DA 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 DA 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 DB 0F C7 45 B8 BC 03 DB 0F C7 45 BC ...
19.3.zrnips.exe.36c0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
19.3.zrnips.exe.36c0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
19.3.zrnips.exe.36c0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
19.3.zrnips.exe.36c0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
19.3.zrnips.exe.36c0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
19.3.zrnips.exe.36c0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
13.2.zrnips.exe.fcd0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
13.2.zrnips.exe.fcd0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
13.2.zrnips.exe.fcd0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
13.2.zrnips.exe.fcd0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
13.2.zrnips.exe.fcd0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
13.2.zrnips.exe.fcd0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
13.2.zrnips.exe.fcd0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 CD 0F 8B 35 44 A1 CD 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 CD 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 CD 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 CD 0F 8B 35 10 A1 CD 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 CD 0F C7 44 24 1C 64 F4 CD 0F C7 44 24 20 80 F4 CD 0F C7 44 24 24 A0 F4 CD 0F C7 44 24 28 BC F4 CD 0F C7 44 24 2C D8 F4 CD 0F C7 44 24 30 F0 F4 CD 0F C7 44 24 34 04 F5 CD 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 CD 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 CE 0F C7 45 B8 BC 03 CE 0F C7 45 BC ...
7.2.zrnips.exe.fcd0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
7.2.zrnips.exe.fcd0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
7.2.zrnips.exe.fcd0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
7.2.zrnips.exe.fcd0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
7.2.zrnips.exe.fcd0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
7.2.zrnips.exe.fcd0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
7.2.zrnips.exe.fcd0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 CD 0F 8B 35 44 A1 CD 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 CD 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 CD 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 CD 0F 8B 35 10 A1 CD 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 CD 0F C7 44 24 1C 64 F4 CD 0F C7 44 24 20 80 F4 CD 0F C7 44 24 24 A0 F4 CD 0F C7 44 24 28 BC F4 CD 0F C7 44 24 2C D8 F4 CD 0F C7 44 24 30 F0 F4 CD 0F C7 44 24 34 04 F5 CD 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 CD 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 CE 0F C7 45 B8 BC 03 CE 0F C7 45 BC ...
12.3.zrnips.exe.3170000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
12.3.zrnips.exe.3170000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
12.3.zrnips.exe.3170000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
12.3.zrnips.exe.3170000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
12.3.zrnips.exe.3170000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
12.3.zrnips.exe.3170000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
20.0.zrnips.exe.fcd0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
20.0.zrnips.exe.fcd0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
20.0.zrnips.exe.fcd0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
20.0.zrnips.exe.fcd0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
20.0.zrnips.exe.fcd0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
20.0.zrnips.exe.fcd0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 CD 0F 8B 35 44 A1 CD 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 CD 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 CD 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 CD 0F 8B 35 10 A1 CD 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 CD 0F C7 44 24 1C 64 F4 CD 0F C7 44 24 20 80 F4 CD 0F C7 44 24 24 A0 F4 CD 0F C7 44 24 28 BC F4 CD 0F C7 44 24 2C D8 F4 CD 0F C7 44 24 30 F0 F4 CD 0F C7 44 24 34 04 F5 CD 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 CD 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 CE 0F C7 45 B8 BC 03 CE 0F C7 45 BC ...
7.3.zrnips.exe.3990000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
7.3.zrnips.exe.3990000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
7.3.zrnips.exe.3990000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
7.3.zrnips.exe.3990000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
7.3.zrnips.exe.3990000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
7.3.zrnips.exe.3990000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
15.0.zrnips.exe.fcd0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
15.0.zrnips.exe.fcd0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
15.0.zrnips.exe.fcd0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
15.0.zrnips.exe.fcd0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
15.0.zrnips.exe.fcd0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
15.0.zrnips.exe.fcd0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 CD 0F 8B 35 44 A1 CD 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 CD 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 CD 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 CD 0F 8B 35 10 A1 CD 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 CD 0F C7 44 24 1C 64 F4 CD 0F C7 44 24 20 80 F4 CD 0F C7 44 24 24 A0 F4 CD 0F C7 44 24 28 BC F4 CD 0F C7 44 24 2C D8 F4 CD 0F C7 44 24 30 F0 F4 CD 0F C7 44 24 34 04 F5 CD 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 CD 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 CE 0F C7 45 B8 BC 03 CE 0F C7 45 BC ...
3.3.zrnips.exe.34a0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
3.3.zrnips.exe.34a0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
3.3.zrnips.exe.34a0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
3.3.zrnips.exe.34a0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
3.3.zrnips.exe.34a0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
3.3.zrnips.exe.34a0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
7.0.zrnips.exe.fcd0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
7.0.zrnips.exe.fcd0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
7.0.zrnips.exe.fcd0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
7.0.zrnips.exe.fcd0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
7.0.zrnips.exe.fcd0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
7.0.zrnips.exe.fcd0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 CD 0F 8B 35 44 A1 CD 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 CD 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 CD 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 CD 0F 8B 35 10 A1 CD 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 CD 0F C7 44 24 1C 64 F4 CD 0F C7 44 24 20 80 F4 CD 0F C7 44 24 24 A0 F4 CD 0F C7 44 24 28 BC F4 CD 0F C7 44 24 2C D8 F4 CD 0F C7 44 24 30 F0 F4 CD 0F C7 44 24 34 04 F5 CD 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 CD 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 CE 0F C7 45 B8 BC 03 CE 0F C7 45 BC ...
12.0.zrnips.exe.fcd0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
12.0.zrnips.exe.fcd0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
12.0.zrnips.exe.fcd0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
12.0.zrnips.exe.fcd0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
12.0.zrnips.exe.fcd0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
12.0.zrnips.exe.fcd0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 CD 0F 8B 35 44 A1 CD 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 CD 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 CD 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 CD 0F 8B 35 10 A1 CD 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 CD 0F C7 44 24 1C 64 F4 CD 0F C7 44 24 20 80 F4 CD 0F C7 44 24 24 A0 F4 CD 0F C7 44 24 28 BC F4 CD 0F C7 44 24 2C D8 F4 CD 0F C7 44 24 30 F0 F4 CD 0F C7 44 24 34 04 F5 CD 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 CD 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 CE 0F C7 45 B8 BC 03 CE 0F C7 45 BC ...
25.0.zrnips.exe.fcd0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
25.0.zrnips.exe.fcd0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
25.0.zrnips.exe.fcd0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
25.0.zrnips.exe.fcd0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
25.0.zrnips.exe.fcd0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
25.0.zrnips.exe.fcd0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 CD 0F 8B 35 44 A1 CD 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 CD 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 CD 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 CD 0F 8B 35 10 A1 CD 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 CD 0F C7 44 24 1C 64 F4 CD 0F C7 44 24 20 80 F4 CD 0F C7 44 24 24 A0 F4 CD 0F C7 44 24 28 BC F4 CD 0F C7 44 24 2C D8 F4 CD 0F C7 44 24 30 F0 F4 CD 0F C7 44 24 34 04 F5 CD 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 CD 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 CE 0F C7 45 B8 BC 03 CE 0F C7 45 BC ...
15.2.zrnips.exe.fcd0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
15.2.zrnips.exe.fcd0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
15.2.zrnips.exe.fcd0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
15.2.zrnips.exe.fcd0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
15.2.zrnips.exe.fcd0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
15.2.zrnips.exe.fcd0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
15.2.zrnips.exe.fcd0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 CD 0F 8B 35 44 A1 CD 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 CD 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 CD 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 CD 0F 8B 35 10 A1 CD 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 CD 0F C7 44 24 1C 64 F4 CD 0F C7 44 24 20 80 F4 CD 0F C7 44 24 24 A0 F4 CD 0F C7 44 24 28 BC F4 CD 0F C7 44 24 2C D8 F4 CD 0F C7 44 24 30 F0 F4 CD 0F C7 44 24 34 04 F5 CD 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 CD 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 CE 0F C7 45 B8 BC 03 CE 0F C7 45 BC ...
1.2.W445hIpF47.exe.fda0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
1.2.W445hIpF47.exe.fda0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
1.2.W445hIpF47.exe.fda0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
1.2.W445hIpF47.exe.fda0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
1.2.W445hIpF47.exe.fda0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
1.2.W445hIpF47.exe.fda0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
1.2.W445hIpF47.exe.fda0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 DA 0F 8B 35 44 A1 DA 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 DA 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 DA 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 DA 0F 8B 35 10 A1 DA 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 DA 0F C7 44 24 1C 64 F4 DA 0F C7 44 24 20 80 F4 DA 0F C7 44 24 24 A0 F4 DA 0F C7 44 24 28 BC F4 DA 0F C7 44 24 2C D8 F4 DA 0F C7 44 24 30 F0 F4 DA 0F C7 44 24 34 04 F5 DA 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 DA 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 DB 0F C7 45 B8 BC 03 DB 0F C7 45 BC ...
23.3.zrnips.exe.3a10000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
23.3.zrnips.exe.3a10000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
23.3.zrnips.exe.3a10000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
23.3.zrnips.exe.3a10000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
23.3.zrnips.exe.3a10000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
23.3.zrnips.exe.3a10000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
17.0.zrnips.exe.fcd0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
17.0.zrnips.exe.fcd0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
17.0.zrnips.exe.fcd0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
17.0.zrnips.exe.fcd0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
17.0.zrnips.exe.fcd0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
17.0.zrnips.exe.fcd0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 CD 0F 8B 35 44 A1 CD 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 CD 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 CD 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 CD 0F 8B 35 10 A1 CD 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 CD 0F C7 44 24 1C 64 F4 CD 0F C7 44 24 20 80 F4 CD 0F C7 44 24 24 A0 F4 CD 0F C7 44 24 28 BC F4 CD 0F C7 44 24 2C D8 F4 CD 0F C7 44 24 30 F0 F4 CD 0F C7 44 24 34 04 F5 CD 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 CD 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 CE 0F C7 45 B8 BC 03 CE 0F C7 45 BC ...
19.0.zrnips.exe.fcd0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
19.0.zrnips.exe.fcd0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
19.0.zrnips.exe.fcd0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
19.0.zrnips.exe.fcd0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
19.0.zrnips.exe.fcd0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
19.0.zrnips.exe.fcd0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 CD 0F 8B 35 44 A1 CD 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 CD 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 CD 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 CD 0F 8B 35 10 A1 CD 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 CD 0F C7 44 24 1C 64 F4 CD 0F C7 44 24 20 80 F4 CD 0F C7 44 24 24 A0 F4 CD 0F C7 44 24 28 BC F4 CD 0F C7 44 24 2C D8 F4 CD 0F C7 44 24 30 F0 F4 CD 0F C7 44 24 34 04 F5 CD 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 CD 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 CE 0F C7 45 B8 BC 03 CE 0F C7 45 BC ...
12.3.zrnips.exe.3170000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
12.3.zrnips.exe.3170000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
12.3.zrnips.exe.3170000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
12.3.zrnips.exe.3170000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
12.3.zrnips.exe.3170000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
12.3.zrnips.exe.3170000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
12.2.zrnips.exe.fcd0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
12.2.zrnips.exe.fcd0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
12.2.zrnips.exe.fcd0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
12.2.zrnips.exe.fcd0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
12.2.zrnips.exe.fcd0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
W445hIpF47.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report W445hIpF47.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Windows Analysis Report
W445hIpF47.exe