Edit tour

Windows Analysis Report
wThN5MTIsw.exe

Overview

General Information

Sample Name:	wThN5MTIsw.exe
Analysis ID:	694565
MD5:	1813521f3884de8427728b54b5c9a391
SHA1:	874f4efd9b2ba64fa3bcb6ae87b116bd526b85c3
SHA256:	4e705159b6c3a72b2b160486b9d582f05e34cd89a767428ef47ff6562b39619e
Tags:	exeGandCrab
Infos:

Detection

Gandcrab, ReflectiveLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Gandcrab

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected ReflectiveLoader

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Creates multiple autostart registry keys

Found evasive API chain (may stop execution after checking mutex)

Contains functionality to determine the online IP of the system

Found Tor onion address

Machine Learning detection for sample

May check the online IP address of the machine

Machine Learning detection for dropped file

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Queries information about the installed CPU (vendor, model number etc)

PE file contains an invalid checksum

Drops PE files

Contains functionality to read the PEB

Contains functionality to enumerate device drivers

Checks for available system drives (often done to infect USB drives)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

wThN5MTIsw.exe (PID: 6388 cmdline: "C:\Users\user\Desktop\wThN5MTIsw.exe" MD5: 1813521F3884DE8427728B54B5C9A391)

ssapst.exe (PID: 6592 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 6840 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 7028 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 5668 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 6104 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 4292 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 1416 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 3588 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 3248 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 6228 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 5016 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 7020 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 7108 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 204 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 4804 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 5952 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 1784 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 5076 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 5700 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

ssapst.exe (PID: 972 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe" MD5: C99BAB5FEA91C0938D1D5B6684158B24)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
wThN5MTIsw.exe	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
wThN5MTIsw.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
wThN5MTIsw.exe	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
wThN5MTIsw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
wThN5MTIsw.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
wThN5MTIsw.exe	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
Click to see the 1 entries

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
C:\Users\user\AppData\Roaming\Microsoft\ssapst.exe	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.335673365.000000000F4EA000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000008.00000002.421043250.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000004.00000003.382524367.00000000038C0000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000023.00000000.730367046.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000006.00000002.406382399.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000022.00000002.734717569.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001E.00000002.654951583.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000001E.00000003.653635490.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000001A.00000003.625461976.0000000003830000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0000000C.00000002.445300926.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000021.00000003.701450302.0000000003D30000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000006.00000003.405218158.0000000002F70000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000002.00000002.370323598.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000006.00000000.391649222.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000018.00000002.585820146.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000000.00000002.335680061.000000000F4F2000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000020.00000003.679180879.0000000003790000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000022.00000003.731764683.00000000032A0000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000016.00000000.548829843.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000008.00000002.421052694.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000018.00000000.570376945.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000000.588245655.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000018.00000002.585796532.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000002.608758289.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000E.00000000.444554151.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000004.00000002.383041261.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001A.00000002.628240997.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000021.00000002.703365325.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000F.00000002.485778645.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000002.00000000.354396039.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000013.00000002.556440908.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000008.00000000.408927489.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000018.00000003.584737437.0000000003B60000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000000C.00000003.444009772.0000000003730000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000004.00000000.373713609.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000011.00000002.485870462.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000000.00000003.334936467.0000000003170000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000013.00000000.531056963.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000022.00000000.705195952.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000002.00000002.370333139.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000011.00000000.482554766.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000006.00000002.406483395.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000013.00000002.556559672.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000012.00000000.500809556.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000F.00000000.462423463.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000021.00000000.688032587.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001F.00000000.648211037.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000023.00000002.734163456.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000016.00000002.553896559.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000020.00000002.681984770.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001A.00000002.628251824.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000C.00000000.426845599.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000013.00000003.550407327.0000000003520000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000020.00000000.666637056.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000022.00000002.734737605.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000001E.00000000.626543672.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000021.00000002.703345921.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000000F.00000003.484382333.0000000003300000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
0000000C.00000002.445271222.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001E.00000002.654935793.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000000.321170731.000000000F4EA000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001A.00000000.608029027.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000002.608744037.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000F.00000002.485790617.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000E.00000002.457737689.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0000000E.00000003.456730321.0000000003730000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000012.00000002.520951774.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000002.00000003.369602233.0000000003640000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000004.00000002.383047915.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000020.00000002.682007928.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000012.00000002.521001527.000000000FE72000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0000000E.00000002.457728648.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000001F.00000002.651985737.000000000FE6A000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000019.00000003.601841912.00000000036D0000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000008.00000003.419920296.00000000030F0000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
00000012.00000003.513687059.0000000003230000.00000004.00001000.00020000.00000000.sdmp	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
Process Memory Space: wThN5MTIsw.exe PID: 6388	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0xdc63:$xs1: WS2_32.dll 0xf33:$xs2: ReflectiveLoader 0xf55:$xs2: ReflectiveLoader 0xa34d:$xs2: ReflectiveLoader 0xa36f:$xs2: ReflectiveLoader 0x16d19:$xs2: ReflectiveLoader 0x16d3b:$xs2: ReflectiveLoader
Process Memory Space: wThN5MTIsw.exe PID: 6388	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: wThN5MTIsw.exe PID: 6388	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 6592	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0xaf8f:$xs1: WS2_32.dll 0x38f0:$xs2: ReflectiveLoader 0x3912:$xs2: ReflectiveLoader 0xd781:$xs2: ReflectiveLoader 0xd7a3:$xs2: ReflectiveLoader 0x13fba:$xs2: ReflectiveLoader 0x13fdc:$xs2: ReflectiveLoader
Process Memory Space: ssapst.exe PID: 6592	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 6592	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 6840	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 6840	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 7028	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 7028	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 5668	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 5668	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 6104	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 6104	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 4292	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 4292	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 1416	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 1416	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 3588	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 3248	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 3248	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 6228	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x2e43:$xs1: WS2_32.dll 0x4766:$xs1: WS2_32.dll 0x8322:$xs2: ReflectiveLoader 0x8344:$xs2: ReflectiveLoader 0x9b98:$xs2: ReflectiveLoader 0x9bba:$xs2: ReflectiveLoader 0xe8ad:$xs2: ReflectiveLoader 0xe8cf:$xs2: ReflectiveLoader
Process Memory Space: ssapst.exe PID: 6228	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 6228	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 5016	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 7020	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x11fb9:$xs1: WS2_32.dll 0x5505:$xs2: ReflectiveLoader 0x5527:$xs2: ReflectiveLoader 0x6ffe:$xs2: ReflectiveLoader 0x7020:$xs2: ReflectiveLoader 0xa68b:$xs2: ReflectiveLoader 0xa6ad:$xs2: ReflectiveLoader
Process Memory Space: ssapst.exe PID: 7020	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 7020	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 7108	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x7215:$xs1: WS2_32.dll 0x8ac9:$xs1: WS2_32.dll 0x56d0:$xs2: ReflectiveLoader 0x56f2:$xs2: ReflectiveLoader 0x1274a:$xs2: ReflectiveLoader 0x1276c:$xs2: ReflectiveLoader 0x14465:$xs2: ReflectiveLoader 0x14487:$xs2: ReflectiveLoader
Process Memory Space: ssapst.exe PID: 7108	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 7108	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 204	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 204	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 4804	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 4804	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 5952	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 1784	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 1784	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 5076	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 5076	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 5700	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: ssapst.exe PID: 5700	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: ssapst.exe PID: 972	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Click to see the 199 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
34.3.ssapst.exe.32a0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
34.3.ssapst.exe.32a0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
34.3.ssapst.exe.32a0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
34.3.ssapst.exe.32a0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
34.3.ssapst.exe.32a0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
34.3.ssapst.exe.32a0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
32.3.ssapst.exe.3790000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
32.3.ssapst.exe.3790000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
32.3.ssapst.exe.3790000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
32.3.ssapst.exe.3790000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
32.3.ssapst.exe.3790000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
32.3.ssapst.exe.3790000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
18.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
18.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
18.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
18.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
18.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
18.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
18.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
0.3.wThN5MTIsw.exe.3170000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0.3.wThN5MTIsw.exe.3170000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0.3.wThN5MTIsw.exe.3170000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.3.wThN5MTIsw.exe.3170000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0.3.wThN5MTIsw.exe.3170000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.3.wThN5MTIsw.exe.3170000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
35.0.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
35.0.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
35.0.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
35.0.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
35.0.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
35.0.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
0.0.wThN5MTIsw.exe.f4e0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
0.0.wThN5MTIsw.exe.f4e0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
0.0.wThN5MTIsw.exe.f4e0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.0.wThN5MTIsw.exe.f4e0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
0.0.wThN5MTIsw.exe.f4e0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.0.wThN5MTIsw.exe.f4e0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 4E 0F 8B 35 44 A1 4E 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 4E 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 4E 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 4E 0F 8B 35 10 A1 4E 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 4E 0F C7 44 24 1C 64 F4 4E 0F C7 44 24 20 80 F4 4E 0F C7 44 24 24 A0 F4 4E 0F C7 44 24 28 BC F4 4E 0F C7 44 24 2C D8 F4 4E 0F C7 44 24 30 F0 F4 4E 0F C7 44 24 34 04 F5 4E 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 4E 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 4F 0F C7 45 B8 BC 03 4F 0F C7 45 BC ...
19.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
19.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
19.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
19.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
19.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
19.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
19.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
19.3.ssapst.exe.3520000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
19.3.ssapst.exe.3520000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
19.3.ssapst.exe.3520000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
19.3.ssapst.exe.3520000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
19.3.ssapst.exe.3520000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
19.3.ssapst.exe.3520000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
30.3.ssapst.exe.2fc0000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
30.3.ssapst.exe.2fc0000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
30.3.ssapst.exe.2fc0000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
30.3.ssapst.exe.2fc0000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
30.3.ssapst.exe.2fc0000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
30.3.ssapst.exe.2fc0000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
8.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
8.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
8.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
8.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
8.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
8.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
8.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
25.3.ssapst.exe.36d0000.0.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
25.3.ssapst.exe.36d0000.0.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
25.3.ssapst.exe.36d0000.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
25.3.ssapst.exe.36d0000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
25.3.ssapst.exe.36d0000.0.raw.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
25.3.ssapst.exe.36d0000.0.raw.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
12.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
12.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
12.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
12.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
12.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
12.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
12.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
6.3.ssapst.exe.2f70000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
6.3.ssapst.exe.2f70000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
6.3.ssapst.exe.2f70000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
6.3.ssapst.exe.2f70000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
6.3.ssapst.exe.2f70000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
6.3.ssapst.exe.2f70000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
15.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
15.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xe8fe:$: DECRYPT.txt 0xe964:$: DECRYPT.txt
15.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
15.2.ssapst.exe.fe60000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
15.2.ssapst.exe.fe60000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xef91:$s1: _ReflectiveLoader@ 0xef92:$s2: ReflectiveLoader@
15.2.ssapst.exe.fe60000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xe5c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
15.2.ssapst.exe.fe60000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x48f0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 E6 0F 8B 35 44 A1 E6 0F 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4d61:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 E6 0F 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 E6 0F ... 0x61f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 E6 0F 8B 35 10 A1 E6 0F 68 ... 0x3cd3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 E6 0F C7 44 24 1C 64 F4 E6 0F C7 44 24 20 80 F4 E6 0F C7 44 24 24 A0 F4 E6 0F C7 44 24 28 BC F4 E6 0F C7 44 24 2C D8 F4 E6 0F C7 44 24 30 F0 F4 E6 0F C7 44 24 34 04 F5 E6 0F ... 0x6f70:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 E6 0F 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 E7 0F C7 45 B8 BC 03 E7 0F C7 45 BC ...
25.3.ssapst.exe.36d0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xd992:$x1: ReflectiveLoader
25.3.ssapst.exe.36d0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0xd2fe:$: DECRYPT.txt 0xd364:$: DECRYPT.txt
25.3.ssapst.exe.36d0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
25.3.ssapst.exe.36d0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xd991:$s1: _ReflectiveLoader@ 0xd992:$s2: ReflectiveLoader@
25.3.ssapst.exe.36d0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0xcfc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
25.3.ssapst.exe.36d0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x3cf0:$remote_connection_v2: 55 8B EC 83 EC 7C 53 56 8B D9 89 55 F0 57 8D 4D E8 89 5D F8 E8 37 29 00 00 E8 12 FD FF FF 53 89 45 F4 FF 15 60 A1 00 10 8B 35 44 A1 00 10 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 ... 0x4161:$crypt_files_v2: 8B 55 0C 8B 1D 48 A0 00 10 8D 04 12 89 44 24 28 8D 44 24 28 50 51 68 01 00 00 40 52 FF 75 08 FF D3 8D 04 36 89 44 24 28 8D 44 24 28 50 57 68 01 00 00 40 56 FF 74 24 1C FF D3 8B 1D 60 A1 00 10 ... 0x55f0:$find_files_v2: 55 8B EC 81 EC 68 02 00 00 53 56 57 89 55 EC 8B F9 E8 7A F9 FF FF 85 C0 0F 84 26 01 00 00 8B CF E8 8B FD FF FF 85 C0 0F 85 17 01 00 00 E8 1E FF FF FF 57 FF 15 B0 A0 00 10 8B 35 10 A1 00 10 68 ... 0x30d3:$search_antivirus_processes_v2: C7 44 24 18 48 F4 00 10 C7 44 24 1C 64 F4 00 10 C7 44 24 20 80 F4 00 10 C7 44 24 24 A0 F4 00 10 C7 44 24 28 BC F4 00 10 C7 44 24 2C D8 F4 00 10 C7 44 24 30 F0 F4 00 10 C7 44 24 34 04 F5 00 10 ... 0x6370:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 44 A1 00 10 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 AC 03 01 10 C7 45 B8 BC 03 01 10 C7 45 BC ...
32.2.ssapst.exe.fe60000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0xef92:$x1: ReflectiveLoader
32.2.ssapst.exe.fe60000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
wThN5MTIsw.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wThN5MTIsw.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Windows Analysis Report
wThN5MTIsw.exe