Windows Analysis Report
wThN5MTIsw.exe

Overview

General Information

Sample Name:	wThN5MTIsw.exe
Analysis ID:	694565
MD5:	1813521f3884de8427728b54b5c9a391
SHA1:	874f4efd9b2ba64fa3bcb6ae87b116bd526b85c3
SHA256:	4e705159b6c3a72b2b160486b9d582f05e34cd89a767428ef47ff6562b39619e
Tags:	exeGandCrab
Infos:

Detection

Gandcrab, ReflectiveLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Gandcrab

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected ReflectiveLoader

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Creates multiple autostart registry keys

Found evasive API chain (may stop execution after checking mutex)

Contains functionality to determine the online IP of the system

Found Tor onion address

Machine Learning detection for sample

May check the online IP address of the machine

Machine Learning detection for dropped file

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Queries information about the installed CPU (vendor, model number etc)

PE file contains an invalid checksum

Drops PE files

Contains functionality to read the PEB

Contains functionality to enumerate device drivers

Checks for available system drives (often done to infect USB drives)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: wThN5MTIsw.exe	Virustotal: Detection: 90%			Perma Link
Source: wThN5MTIsw.exe	ReversingLabs: Detection: 93%

Antivirus / Scanner detection for submitted sample

Source: wThN5MTIsw.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Machine Learning detection for sample

Source: wThN5MTIsw.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 34.3.ssapst.exe.32a0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 18.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 32.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 6.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 24.3.ssapst.exe.3b60000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 31.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 24.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 19.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 6.3.ssapst.exe.2f70000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 35.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 19.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 30.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 8.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 26.3.ssapst.exe.3830000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 12.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.3.ssapst.exe.36d0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 15.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 15.3.ssapst.exe.3300000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 35.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.3.ssapst.exe.3730000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 33.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 17.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 18.3.ssapst.exe.3230000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 8.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 22.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 24.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 19.3.ssapst.exe.3520000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 25.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 17.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 8.3.ssapst.exe.30f0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 22.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.3.ssapst.exe.38c0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 30.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.3.ssapst.exe.3730000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 34.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 30.3.ssapst.exe.2fc0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 33.3.ssapst.exe.3d30000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.3.ssapst.exe.3640000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 33.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 34.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 31.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 15.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 26.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 2.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 32.3.ssapst.exe.3790000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 6.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 26.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 32.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 18.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E5860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	0_2_0F4E5860
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E8400 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_0F4E8400
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E4B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	0_2_0F4E4B20
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E63E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	0_2_0F4E63E0
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E82B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_0F4E82B0
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E6660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_0F4E6660
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E5670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	0_2_0F4E5670
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E53D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	0_2_0F4E53D0
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E34F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	0_2_0F4E34F0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE663E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	2_2_0FE663E0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE682B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	2_2_0FE682B0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE65860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_0FE65860
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE64B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	2_2_0FE64B20
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE634F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	2_2_0FE634F0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE653D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	2_2_0FE653D0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE66660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	2_2_0FE66660
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE65670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	2_2_0FE65670
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE68400 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	2_2_0FE68400
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE663E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	4_2_0FE663E0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE682B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	4_2_0FE682B0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE65860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	4_2_0FE65860
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE64B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	4_2_0FE64B20
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE634F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	4_2_0FE634F0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE653D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	4_2_0FE653D0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE66660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	4_2_0FE66660
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE65670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	4_2_0FE65670
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE68400 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	4_2_0FE68400

Uses 32bit PE files

Source: wThN5MTIsw.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: wThN5MTIsw.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Checks for available system drives (often done to infect USB drives)

Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: z:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: x:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: v:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: t:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: r:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: p:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: n:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: l:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: j:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: h:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: f:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: b:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: y:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: w:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: u:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: s:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: q:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: o:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: m:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: k:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: i:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: g:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: e:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: a:

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E6DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_0F4E6DF0
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E6BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_0F4E6BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE66DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	2_2_0FE66DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE66BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	2_2_0FE66BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE66DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	4_2_0FE66DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE66BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	4_2_0FE66BA0

Networking

Contains functionality to determine the online IP of the system

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E6FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_0F4E6FF0
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E6FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_0F4E6FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE66FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	2_2_0FE66FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE66FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	2_2_0FE66FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE66FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	4_2_0FE66FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE66FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	4_2_0FE66FF0

Found Tor onion address

Source: wThN5MTIsw.exe, 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000006.00000002.406483395.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000008.00000002.421052694.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 0000000C.00000002.445300926.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 0000000E.00000002.457737689.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 0000000F.00000002.485790617.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000012.00000002.521001527.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000013.00000002.556559672.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000018.00000002.585820146.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000019.00000002.608758289.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 0000001A.00000002.628251824.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 0000001E.00000002.654951583.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000020.00000002.682007928.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000021.00000002.703365325.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000022.00000002.734737605.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f

May check the online IP address of the machine

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com

Source: wThN5MTIsw.exe, 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmp, ssapst.exe, 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000006.00000002.406483395.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000008.00000002.421052694.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000C.00000002.445300926.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000E.00000002.457737689.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000F.00000002.485790617.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000012.00000002.521001527.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000013.00000002.556559672.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000018.00000002.585820146.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000019.00000002.608758289.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000001A.00000002.628251824.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000001E.00000002.654951583.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000020.00000002.682007928.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000021.00000002.703365325.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000022.00000002.734737605.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000019.00000003.601906375.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/
Source: ssapst.exe, 00000018.00000002.585108554.00000000012E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/&
Source: ssapst.exe, 00000002.00000002.369878312.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/)
Source: wThN5MTIsw.exe, 00000000.00000002.335452470.00000000008D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/2
Source: ssapst.exe, 00000018.00000002.585108554.00000000012E8000.00000004.00000020.00020000.00000000.sdmp, ssapst.exe, 00000019.00000002.605561331.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/5
Source: ssapst.exe, 00000002.00000002.369878312.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/G%b
Source: ssapst.exe, 00000004.00000002.382761696.0000000001018000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/I
Source: ssapst.exe, 00000002.00000002.369878312.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/I;
Source: ssapst.exe, 00000004.00000002.382761696.0000000001018000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/QL
Source: ssapst.exe, 00000004.00000002.382761696.0000000001018000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/S
Source: ssapst.exe, 00000019.00000002.607798154.0000000000F31000.00000004.00000020.00020000.00000000.sdmp, ssapst.exe, 00000019.00000003.601906375.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/g
Source: ssapst.exe, 00000018.00000002.585108554.00000000012E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/x
Source: wThN5MTIsw.exe, 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmp, ssapst.exe, 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000006.00000002.406483395.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000008.00000002.421052694.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000C.00000002.445300926.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000E.00000002.457737689.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000F.00000002.485790617.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000012.00000002.521001527.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000013.00000002.556559672.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000018.00000002.585820146.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000019.00000002.608758289.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000001A.00000002.628251824.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000001E.00000002.654951583.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000020.00000002.682007928.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000021.00000002.703365325.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000022.00000002.734737605.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: https://tox.chat/download.html
Source: wThN5MTIsw.exe, 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmp, ssapst.exe, 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000006.00000002.406483395.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000008.00000002.421052694.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000C.00000002.445300926.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000E.00000002.457737689.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000F.00000002.485790617.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000012.00000002.521001527.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000013.00000002.556559672.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000018.00000002.585820146.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000019.00000002.608758289.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000001A.00000002.628251824.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000001E.00000002.654951583.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000020.00000002.682007928.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000021.00000002.703365325.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000022.00000002.734737605.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.torproject.org/

Source: unknown

DNS traffic detected: queries for: ipv4bot.whatismyipaddress.com

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Code function: 0_2_0F4E8050 lstrcatW,InternetCloseHandle,InternetConnectW,VirtualAlloc,wsprintfW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpSendRequestW,InternetReadFile,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,VirtualFree,

0_2_0F4E8050

Creates a DirectInput object (often for capturing keystrokes)

Source: wThN5MTIsw.exe, 00000000.00000002.335360112.00000000008BA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Yara detected Gandcrab

Source: Yara match	File source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000002.654951583.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.445300926.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.585820146.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.421052694.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.608758289.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.703365325.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.406483395.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.556559672.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.628251824.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.734737605.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.485790617.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.457737689.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.682007928.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.521001527.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wThN5MTIsw.exe PID: 6388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 6592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 6840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 7028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 5668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 6104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 4292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 1416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 3248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 6228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 7020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 7108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 4804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 1784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 5076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 5700, type: MEMORYSTR

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E6660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_0F4E6660
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE66660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	2_2_0FE66660
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE66660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	4_2_0FE66660

System Summary

Malicious sample detected (through community Yara rule)

Source: wThN5MTIsw.exe, type: SAMPLE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: wThN5MTIsw.exe, type: SAMPLE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: wThN5MTIsw.exe, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED	Matched rule: Gandcrab Payload Author: kevoreilly
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs

Uses 32bit PE files

Source: wThN5MTIsw.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: wThN5MTIsw.exe, type: SAMPLE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: wThN5MTIsw.exe, type: SAMPLE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: wThN5MTIsw.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: wThN5MTIsw.exe, type: SAMPLE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: wThN5MTIsw.exe, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: Process Memory Space: wThN5MTIsw.exe PID: 6388, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: ssapst.exe PID: 6592, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: ssapst.exe PID: 6228, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: ssapst.exe PID: 7020, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: ssapst.exe PID: 7108, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Detected potential crypto function

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E1C20	0_2_0F4E1C20
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E1020	0_2_0F4E1020
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E8520	0_2_0F4E8520
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE61C20	2_2_0FE61C20
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE61020	2_2_0FE61020
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE68520	2_2_0FE68520
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE61C20	4_2_0FE61C20
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE61020	4_2_0FE61020
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE68520	4_2_0FE68520

Source: wThN5MTIsw.exe	Virustotal: Detection: 90%
Source: wThN5MTIsw.exe	ReversingLabs: Detection: 93%

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

File read: C:\Users\user\Desktop\wThN5MTIsw.exe

Jump to behavior

Source: wThN5MTIsw.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\wThN5MTIsw.exe "C:\Users\user\Desktop\wThN5MTIsw.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@21/1@17/0

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Code function: 0_2_0F4E7490 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree,

0_2_0F4E7490

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Code function: 0_2_0F4E7B70 wsprintfW,VirtualAlloc,VirtualAlloc,VirtualAlloc,VirtualAlloc,CreateToolhelp32Snapshot,VirtualFree,Process32FirstW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,Process32NextW,GetLastError,lstrlenW,VirtualFree,VirtualFree,FindCloseChangeNotification,VirtualFree,

0_2_0F4E7B70

Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=cec3c1ad6b0ea08f

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: wThN5MTIsw.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Data Obfuscation

Yara detected ReflectiveLoader

Source: Yara match	File source: wThN5MTIsw.exe, type: SAMPLE
Source: Yara match	File source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.421043250.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.730367046.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.406382399.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.734717569.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.391649222.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.548829843.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.570376945.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.588245655.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.585796532.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.444554151.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.628240997.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.485778645.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.354396039.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.556440908.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.408927489.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.373713609.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.485870462.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.531056963.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.705195952.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.482554766.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.500809556.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.462423463.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000000.688032587.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.648211037.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.734163456.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.553896559.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.681984770.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.426845599.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000000.666637056.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.626543672.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.703345921.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.445271222.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.654935793.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.321170731.000000000F4EA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.608029027.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.608744037.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.520951774.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.457728648.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.651985737.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wThN5MTIsw.exe PID: 6388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 6592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 6840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 7028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 5668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 6104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 4292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 1416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 3588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 3248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 6228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 5016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 7020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 7108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 4804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 5952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 1784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 5076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 5700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 972, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Code function: 0_2_0F4E8400 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_0F4E8400

PE file contains an invalid checksum

Source: wThN5MTIsw.exe	Static PE information: real checksum: 0x120f7 should be: 0x1d03b
Source: ssapst.exe.0.dr	Static PE information: real checksum: 0x120f7 should be: 0x1dfa7

Drops PE files

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe

Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce drhgskcsetb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ftylkauykkg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qtytdguwutr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hdwqlmoiwuh	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce trtwjkdvbrs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rjjumyjxpew	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ypcrxwqpxuk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tzknppvrole
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wwezwkhgyew
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hedsypabrrz
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jqnamhtcavd
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce oprgxbvjexb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ocipuxittak	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qxcdehgjaib	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vlllmsigvhf
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce biktigczvpq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xiyxqoiwizj

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qxcdehgjaib	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qxcdehgjaib	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qxcdehgjaib	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qxcdehgjaib	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ocipuxittak	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ocipuxittak	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ocipuxittak	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ocipuxittak	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce trtwjkdvbrs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce trtwjkdvbrs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce trtwjkdvbrs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce trtwjkdvbrs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ftylkauykkg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ftylkauykkg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ftylkauykkg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ftylkauykkg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce biktigczvpq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce biktigczvpq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce biktigczvpq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce biktigczvpq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rjjumyjxpew	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rjjumyjxpew	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rjjumyjxpew	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rjjumyjxpew	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ypcrxwqpxuk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ypcrxwqpxuk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ypcrxwqpxuk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ypcrxwqpxuk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qtytdguwutr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qtytdguwutr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qtytdguwutr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qtytdguwutr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hdwqlmoiwuh	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hdwqlmoiwuh	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hdwqlmoiwuh	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hdwqlmoiwuh	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hedsypabrrz
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hedsypabrrz
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hedsypabrrz
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hedsypabrrz
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce oprgxbvjexb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce oprgxbvjexb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce oprgxbvjexb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce oprgxbvjexb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vlllmsigvhf
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vlllmsigvhf
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vlllmsigvhf
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vlllmsigvhf
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce drhgskcsetb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce drhgskcsetb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce drhgskcsetb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce drhgskcsetb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wwezwkhgyew
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wwezwkhgyew
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wwezwkhgyew
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wwezwkhgyew
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tzknppvrole
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tzknppvrole
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tzknppvrole
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tzknppvrole
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jqnamhtcavd
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jqnamhtcavd
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jqnamhtcavd
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jqnamhtcavd
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xiyxqoiwizj
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xiyxqoiwizj
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xiyxqoiwizj
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xiyxqoiwizj

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

Contains functionality to enumerate device drivers

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	0_2_0F4E2F50
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	2_2_0FE62F50
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	4_2_0FE62F50

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E6DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_0F4E6DF0
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E6BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_0F4E6BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE66DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	2_2_0FE66DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE66BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	2_2_0FE66BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE66DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	4_2_0FE66DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE66BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	4_2_0FE66BA0

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node

Source: wThN5MTIsw.exe, 00000000.00000002.335452470.00000000008D9000.00000004.00000020.00020000.00000000.sdmp, ssapst.exe, 00000002.00000002.369878312.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp, ssapst.exe, 00000004.00000002.382761696.0000000001018000.00000004.00000020.00020000.00000000.sdmp, ssapst.exe, 00000013.00000002.553629451.0000000000C6B000.00000004.00000020.00020000.00000000.sdmp, ssapst.exe, 00000018.00000002.585108554.00000000012E8000.00000004.00000020.00020000.00000000.sdmp, ssapst.exe, 00000019.00000002.605561331.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Code function: 0_2_0F4E8400 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_0F4E8400

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Code function: 0_2_0F4E3200 lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,GetProcessHeap,HeapAlloc,lstrcpyA,

0_2_0F4E3200

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E5FF0 mov eax, dword ptr fs:[00000030h]	0_2_0F4E5FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE65FF0 mov eax, dword ptr fs:[00000030h]	2_2_0FE65FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE65FF0 mov eax, dword ptr fs:[00000030h]	4_2_0FE65FF0

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Code function: 0_2_0F4E3C70 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid,

0_2_0F4E3C70

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Code function: 0_2_0F4E9200 cpuid

0_2_0F4E9200

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

0_2_0F4E7490

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted Domains

Name	IP	Active
ipv4bot.whatismyipaddress.com	unknown	unknown

AV Detection

Multi AV Scanner detection for submitted file

Source: wThN5MTIsw.exe	Virustotal: Detection: 90%			Perma Link
Source: wThN5MTIsw.exe	ReversingLabs: Detection: 93%

Antivirus / Scanner detection for submitted sample

Source: wThN5MTIsw.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Machine Learning detection for sample

Source: wThN5MTIsw.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 34.3.ssapst.exe.32a0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 18.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 32.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 6.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 24.3.ssapst.exe.3b60000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 31.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 24.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 19.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 6.3.ssapst.exe.2f70000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 35.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 19.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 30.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 8.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 26.3.ssapst.exe.3830000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 12.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.3.ssapst.exe.36d0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 15.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 15.3.ssapst.exe.3300000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 35.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.3.ssapst.exe.3730000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 33.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 17.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 18.3.ssapst.exe.3230000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 8.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 22.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 24.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 19.3.ssapst.exe.3520000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 25.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 17.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 8.3.ssapst.exe.30f0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 22.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.3.ssapst.exe.38c0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 30.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.3.ssapst.exe.3730000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 34.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 30.3.ssapst.exe.2fc0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 33.3.ssapst.exe.3d30000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.3.ssapst.exe.3640000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 33.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 34.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 31.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 15.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 26.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 2.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 32.3.ssapst.exe.3790000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 6.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 26.2.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 32.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 18.0.ssapst.exe.fe60000.0.unpack	Avira: Label: TR/Dropper.Gen

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E5860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	0_2_0F4E5860
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E8400 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_0F4E8400
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E4B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	0_2_0F4E4B20
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E63E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	0_2_0F4E63E0
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E82B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_0F4E82B0
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E6660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_0F4E6660
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E5670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	0_2_0F4E5670
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E53D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	0_2_0F4E53D0
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E34F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	0_2_0F4E34F0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE663E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	2_2_0FE663E0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE682B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	2_2_0FE682B0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE65860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	2_2_0FE65860
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE64B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	2_2_0FE64B20
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE634F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	2_2_0FE634F0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE653D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	2_2_0FE653D0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE66660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	2_2_0FE66660
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE65670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	2_2_0FE65670
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE68400 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	2_2_0FE68400
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE663E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	4_2_0FE663E0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE682B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	4_2_0FE682B0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE65860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	4_2_0FE65860
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE64B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	4_2_0FE64B20
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE634F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	4_2_0FE634F0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE653D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	4_2_0FE653D0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE66660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	4_2_0FE66660
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE65670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	4_2_0FE65670
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE68400 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	4_2_0FE68400

Uses 32bit PE files

Source: wThN5MTIsw.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: wThN5MTIsw.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Checks for available system drives (often done to infect USB drives)

Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: z:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: x:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: v:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: t:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: r:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: p:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: n:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: l:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: j:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: h:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: f:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: b:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: y:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: w:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: u:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: s:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: q:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: o:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: m:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: k:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: i:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: g:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: e:
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File opened: a:

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E6DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_0F4E6DF0
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E6BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_0F4E6BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE66DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	2_2_0FE66DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE66BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	2_2_0FE66BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE66DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	4_2_0FE66DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE66BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	4_2_0FE66BA0

Networking

Contains functionality to determine the online IP of the system

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E6FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_0F4E6FF0
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E6FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_0F4E6FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE66FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	2_2_0FE66FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE66FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	2_2_0FE66FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE66FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	4_2_0FE66FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE66FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	4_2_0FE66FF0

Found Tor onion address

Source: wThN5MTIsw.exe, 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000006.00000002.406483395.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000008.00000002.421052694.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 0000000C.00000002.445300926.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 0000000E.00000002.457737689.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 0000000F.00000002.485790617.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000012.00000002.521001527.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000013.00000002.556559672.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000018.00000002.585820146.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000019.00000002.608758289.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 0000001A.00000002.628251824.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 0000001E.00000002.654951583.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000020.00000002.682007928.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000021.00000002.703365325.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000022.00000002.734737605.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f

May check the online IP address of the machine

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	DNS query: name: ipv4bot.whatismyipaddress.com

Source: wThN5MTIsw.exe, 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmp, ssapst.exe, 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000006.00000002.406483395.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000008.00000002.421052694.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000C.00000002.445300926.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000E.00000002.457737689.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000F.00000002.485790617.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000012.00000002.521001527.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000013.00000002.556559672.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000018.00000002.585820146.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000019.00000002.608758289.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000001A.00000002.628251824.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000001E.00000002.654951583.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000020.00000002.682007928.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000021.00000002.703365325.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000022.00000002.734737605.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: http://gdcbmuveqjsli57x.onion/cec3c1ad6b0ea08f
Source: ssapst.exe, 00000019.00000003.601906375.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/
Source: ssapst.exe, 00000018.00000002.585108554.00000000012E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/&
Source: ssapst.exe, 00000002.00000002.369878312.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/)
Source: wThN5MTIsw.exe, 00000000.00000002.335452470.00000000008D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/2
Source: ssapst.exe, 00000018.00000002.585108554.00000000012E8000.00000004.00000020.00020000.00000000.sdmp, ssapst.exe, 00000019.00000002.605561331.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/5
Source: ssapst.exe, 00000002.00000002.369878312.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/G%b
Source: ssapst.exe, 00000004.00000002.382761696.0000000001018000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/I
Source: ssapst.exe, 00000002.00000002.369878312.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/I;
Source: ssapst.exe, 00000004.00000002.382761696.0000000001018000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/QL
Source: ssapst.exe, 00000004.00000002.382761696.0000000001018000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/S
Source: ssapst.exe, 00000019.00000002.607798154.0000000000F31000.00000004.00000020.00020000.00000000.sdmp, ssapst.exe, 00000019.00000003.601906375.0000000000F31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/g
Source: ssapst.exe, 00000018.00000002.585108554.00000000012E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/x
Source: wThN5MTIsw.exe, 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmp, ssapst.exe, 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000006.00000002.406483395.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000008.00000002.421052694.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000C.00000002.445300926.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000E.00000002.457737689.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000F.00000002.485790617.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000012.00000002.521001527.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000013.00000002.556559672.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000018.00000002.585820146.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000019.00000002.608758289.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000001A.00000002.628251824.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000001E.00000002.654951583.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000020.00000002.682007928.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000021.00000002.703365325.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000022.00000002.734737605.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: https://tox.chat/download.html
Source: wThN5MTIsw.exe, 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmp, ssapst.exe, 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000006.00000002.406483395.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000008.00000002.421052694.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000C.00000002.445300926.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000E.00000002.457737689.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000000F.00000002.485790617.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000012.00000002.521001527.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000013.00000002.556559672.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000018.00000002.585820146.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000019.00000002.608758289.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000001A.00000002.628251824.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 0000001E.00000002.654951583.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000020.00000002.682007928.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000021.00000002.703365325.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, ssapst.exe, 00000022.00000002.734737605.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.torproject.org/

Source: unknown

DNS traffic detected: queries for: ipv4bot.whatismyipaddress.com

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

0_2_0F4E8050

Creates a DirectInput object (often for capturing keystrokes)

Source: wThN5MTIsw.exe, 00000000.00000002.335360112.00000000008BA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Yara detected Gandcrab

Source: Yara match	File source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000002.654951583.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.445300926.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.585820146.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.421052694.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.608758289.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.703365325.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.406483395.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.556559672.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.628251824.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.734737605.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.485790617.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.457737689.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.682007928.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.521001527.000000000FE72000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wThN5MTIsw.exe PID: 6388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 6592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 6840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 7028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 5668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 6104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 4292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 1416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 3248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 6228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 7020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 7108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 4804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 1784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 5076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 5700, type: MEMORYSTR

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E6660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_0F4E6660
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE66660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	2_2_0FE66660
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE66660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	4_2_0FE66660

System Summary

Malicious sample detected (through community Yara rule)

Source: wThN5MTIsw.exe, type: SAMPLE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: wThN5MTIsw.exe, type: SAMPLE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: wThN5MTIsw.exe, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED	Matched rule: Gandcrab Payload Author: kevoreilly
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs

Uses 32bit PE files

Source: wThN5MTIsw.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: wThN5MTIsw.exe, type: SAMPLE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: wThN5MTIsw.exe, type: SAMPLE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: wThN5MTIsw.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: wThN5MTIsw.exe, type: SAMPLE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: wThN5MTIsw.exe, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: Process Memory Space: wThN5MTIsw.exe PID: 6388, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: ssapst.exe PID: 6592, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: ssapst.exe PID: 6228, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: ssapst.exe PID: 7020, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: ssapst.exe PID: 7108, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Detected potential crypto function

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E1C20	0_2_0F4E1C20
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E1020	0_2_0F4E1020
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E8520	0_2_0F4E8520
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE61C20	2_2_0FE61C20
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE61020	2_2_0FE61020
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE68520	2_2_0FE68520
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE61C20	4_2_0FE61C20
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE61020	4_2_0FE61020
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE68520	4_2_0FE68520

Source: wThN5MTIsw.exe	Virustotal: Detection: 90%
Source: wThN5MTIsw.exe	ReversingLabs: Detection: 93%

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

File read: C:\Users\user\Desktop\wThN5MTIsw.exe

Jump to behavior

Source: wThN5MTIsw.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\wThN5MTIsw.exe "C:\Users\user\Desktop\wThN5MTIsw.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe"

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@21/1@17/0

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

0_2_0F4E7490

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

0_2_0F4E7B70

Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=cec3c1ad6b0ea08f

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: wThN5MTIsw.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Data Obfuscation

Yara detected ReflectiveLoader

Source: Yara match	File source: wThN5MTIsw.exe, type: SAMPLE
Source: Yara match	File source: 34.3.ssapst.exe.32a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.ssapst.exe.3790000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wThN5MTIsw.exe.3170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.ssapst.exe.3520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.ssapst.exe.2fc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.ssapst.exe.36d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.ssapst.exe.2f70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.ssapst.exe.36d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.wThN5MTIsw.exe.3170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.ssapst.exe.3b60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.ssapst.exe.3830000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.ssapst.exe.32a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.ssapst.exe.3230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.ssapst.exe.3300000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.ssapst.exe.3b60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.ssapst.exe.3230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.ssapst.exe.3300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.ssapst.exe.3520000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.ssapst.exe.38c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.ssapst.exe.30f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.ssapst.exe.3640000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.ssapst.exe.3730000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.ssapst.exe.3830000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.ssapst.exe.30f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.ssapst.exe.3d30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.ssapst.exe.38c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.ssapst.exe.2fc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.ssapst.exe.2f70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.ssapst.exe.3d30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.ssapst.exe.3640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.ssapst.exe.3730000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.ssapst.exe.3790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.ssapst.exe.fe60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wThN5MTIsw.exe.f4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.421043250.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.730367046.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.406382399.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.734717569.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.391649222.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.548829843.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.570376945.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.588245655.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.585796532.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.444554151.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.628240997.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.485778645.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.354396039.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.556440908.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.408927489.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.373713609.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.485870462.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.531056963.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.705195952.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.482554766.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.500809556.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.462423463.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000000.688032587.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.648211037.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.734163456.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.553896559.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.681984770.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.426845599.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000000.666637056.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.626543672.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.703345921.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.445271222.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.654935793.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.321170731.000000000F4EA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.608029027.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.608744037.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.520951774.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.457728648.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.651985737.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wThN5MTIsw.exe PID: 6388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 6592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 6840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 7028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 5668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 6104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 4292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 1416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 3588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 3248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 6228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 5016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 7020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 7108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 4804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 5952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 1784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 5076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 5700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ssapst.exe PID: 972, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe, type: DROPPED

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Code function: 0_2_0F4E8400 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_0F4E8400

PE file contains an invalid checksum

Source: wThN5MTIsw.exe	Static PE information: real checksum: 0x120f7 should be: 0x1d03b
Source: ssapst.exe.0.dr	Static PE information: real checksum: 0x120f7 should be: 0x1dfa7

Drops PE files

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe

Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce drhgskcsetb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ftylkauykkg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qtytdguwutr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hdwqlmoiwuh	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce trtwjkdvbrs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rjjumyjxpew	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ypcrxwqpxuk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tzknppvrole
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wwezwkhgyew
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hedsypabrrz
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jqnamhtcavd
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce oprgxbvjexb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ocipuxittak	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qxcdehgjaib	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vlllmsigvhf
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce biktigczvpq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xiyxqoiwizj

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qxcdehgjaib	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qxcdehgjaib	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qxcdehgjaib	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qxcdehgjaib	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ocipuxittak	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ocipuxittak	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ocipuxittak	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ocipuxittak	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce trtwjkdvbrs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce trtwjkdvbrs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce trtwjkdvbrs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce trtwjkdvbrs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ftylkauykkg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ftylkauykkg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ftylkauykkg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ftylkauykkg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce biktigczvpq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce biktigczvpq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce biktigczvpq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce biktigczvpq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rjjumyjxpew	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rjjumyjxpew	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rjjumyjxpew	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rjjumyjxpew	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ypcrxwqpxuk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ypcrxwqpxuk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ypcrxwqpxuk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ypcrxwqpxuk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qtytdguwutr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qtytdguwutr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qtytdguwutr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce qtytdguwutr	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hdwqlmoiwuh	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hdwqlmoiwuh	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hdwqlmoiwuh	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hdwqlmoiwuh	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hedsypabrrz
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hedsypabrrz
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hedsypabrrz
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce hedsypabrrz
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce oprgxbvjexb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce oprgxbvjexb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce oprgxbvjexb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce oprgxbvjexb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vlllmsigvhf
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vlllmsigvhf
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vlllmsigvhf
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce vlllmsigvhf
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce drhgskcsetb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce drhgskcsetb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce drhgskcsetb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce drhgskcsetb
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wwezwkhgyew
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wwezwkhgyew
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wwezwkhgyew
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce wwezwkhgyew
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tzknppvrole
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tzknppvrole
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tzknppvrole
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce tzknppvrole
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jqnamhtcavd
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jqnamhtcavd
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jqnamhtcavd
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jqnamhtcavd
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xiyxqoiwizj
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xiyxqoiwizj
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xiyxqoiwizj
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xiyxqoiwizj

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

Contains functionality to enumerate device drivers

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	0_2_0F4E2F50
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	2_2_0FE62F50
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	4_2_0FE62F50

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E6DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_0F4E6DF0
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E6BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_0F4E6BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE66DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	2_2_0FE66DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE66BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	2_2_0FE66BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE66DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	4_2_0FE66DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE66BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	4_2_0FE66BA0

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	API call chain: ExitProcess graph end node

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Code function: 0_2_0F4E8400 VirtualAlloc,CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_0F4E8400

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Code function: 0_2_0F4E3200 lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,GetProcessHeap,HeapAlloc,lstrcpyA,

0_2_0F4E3200

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Code function: 0_2_0F4E5FF0 mov eax, dword ptr fs:[00000030h]	0_2_0F4E5FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 2_2_0FE65FF0 mov eax, dword ptr fs:[00000030h]	2_2_0FE65FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Code function: 4_2_0FE65FF0 mov eax, dword ptr fs:[00000030h]	4_2_0FE65FF0

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Code function: 0_2_0F4E3C70 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid,

0_2_0F4E3C70

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Queries volume information: C:\ VolumeInformation

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Code function: 0_2_0F4E9200 cpuid

0_2_0F4E9200

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\wThN5MTIsw.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\wThN5MTIsw.exe

0_2_0F4E7490

ID:	694565
Product:	CloudBasic
Start time:	23:55:56
Start date:	31.08.2022
Sample:	wThN5MTIsw.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	1813521f3884de8427728b54b5c9a391
SHA1:	874f4efd9b2ba64fa3bcb6ae87b116bd526b85c3
SHA256:	4e705159b6c3a72b2b160486b9d582f05e34cd89a767428ef47ff6562b39619e
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report
wThN5MTIsw.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Domains

Windows Analysis Report wThN5MTIsw.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Domains

Windows Analysis Report
wThN5MTIsw.exe