Windows Analysis Report
mPNVrHIpyt.exe

Overview

General Information

Sample Name:	mPNVrHIpyt.exe
Analysis ID:	694572
MD5:	cc7ae6e4c86f605aab66fbd04eef7997
SHA1:	8c7c23c91ccecf548c6f9df30b839b9b24d57095
SHA256:	95427e787bb623ba2d2ec51cb289ae579aea27a674d900f9aa239f6a034b05cc
Tags:	exeGandCrab
Infos:

Detection

Gandcrab, ReflectiveLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Gandcrab

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected ReflectiveLoader

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Creates multiple autostart registry keys

Contains functionality to determine the online IP of the system

Found Tor onion address

Machine Learning detection for sample

May check the online IP address of the machine

Machine Learning detection for dropped file

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Queries information about the installed CPU (vendor, model number etc)

PE file contains an invalid checksum

Drops PE files

Contains functionality to read the PEB

Contains functionality to enumerate device drivers

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Checks for available system drives (often done to infect USB drives)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: mPNVrHIpyt.exe	Virustotal: Detection: 84%	Perma Link
Source: mPNVrHIpyt.exe	Metadefender: Detection: 78%	Perma Link
Source: mPNVrHIpyt.exe	ReversingLabs: Detection: 96%

Antivirus / Scanner detection for submitted sample

Source: mPNVrHIpyt.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Machine Learning detection for sample

Source: mPNVrHIpyt.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 27.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 27.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 20.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 11.3.wzltxa.exe.3940000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 15.3.wzltxa.exe.2fa0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 13.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 20.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 31.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 40.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 34.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 13.3.wzltxa.exe.3270000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 39.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 34.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 11.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 30.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 33.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 11.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 18.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 39.3.wzltxa.exe.4010000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 31.3.wzltxa.exe.3b90000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.wzltxa.exe.3b20000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 39.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 22.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 18.3.wzltxa.exe.3a80000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 33.3.wzltxa.exe.2f00000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 22.3.wzltxa.exe.3640000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 33.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 18.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 13.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 15.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 15.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 31.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 28.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 28.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 28.3.wzltxa.exe.38a0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 30.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 40.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.3.wzltxa.exe.3a00000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 22.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F695860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	0_2_0F695860
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F694B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	0_2_0F694B20
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F698400 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_0F698400
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F6963E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	0_2_0F6963E0
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F6982B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_0F6982B0
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F696660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_0F696660
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F695670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	0_2_0F695670
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F6934F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	0_2_0F6934F0
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F6953D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	0_2_0F6953D0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB82B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	11_2_0FBB82B0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB63E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	11_2_0FBB63E0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB4B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	11_2_0FBB4B20
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB5860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	11_2_0FBB5860
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB34F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	11_2_0FBB34F0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB53D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	11_2_0FBB53D0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB8400 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	11_2_0FBB8400
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB5670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	11_2_0FBB5670
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB6660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	11_2_0FBB6660
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB82B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	12_2_0FBB82B0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB63E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	12_2_0FBB63E0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB4B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	12_2_0FBB4B20
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB5860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	12_2_0FBB5860
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB34F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	12_2_0FBB34F0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB53D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	12_2_0FBB53D0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB8400 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	12_2_0FBB8400
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB5670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	12_2_0FBB5670
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB6660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	12_2_0FBB6660

Uses 32bit PE files

Source: mPNVrHIpyt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: mPNVrHIpyt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Checks for available system drives (often done to infect USB drives)

Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: z:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: x:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: v:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: t:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: r:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: p:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: n:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: l:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: j:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: h:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: f:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: b:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: y:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: w:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: u:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: s:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: q:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: o:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: m:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: k:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: i:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: g:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: e:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: a:

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F696DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_0F696DF0
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F696BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_0F696BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB6BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	11_2_0FBB6BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB6DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	11_2_0FBB6DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB6BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	12_2_0FBB6BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB6DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	12_2_0FBB6DF0

Networking

Contains functionality to determine the online IP of the system

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F696FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_0F696FF0
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F696FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_0F696FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB6FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	11_2_0FBB6FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB6FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	11_2_0FBB6FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB6FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	12_2_0FBB6FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB6FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	12_2_0FBB6FF0

Found Tor onion address

Source: mPNVrHIpyt.exe, 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 0000000D.00000002.357333770.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 0000000F.00000002.385057695.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 00000012.00000002.407272016.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 00000016.00000002.444732494.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 00000019.00000002.471339306.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 0000001C.00000002.511353636.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 0000001F.00000002.547100256.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 00000021.00000002.567450621.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 00000027.00000002.606206614.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b

May check the online IP address of the machine

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com

Source: mPNVrHIpyt.exe, 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmp, wzltxa.exe, 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000D.00000002.357333770.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000F.00000002.385057695.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000012.00000002.407272016.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000016.00000002.444732494.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000019.00000002.471339306.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000001C.00000002.511353636.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000001F.00000002.547100256.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000021.00000002.567450621.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000027.00000002.606206614.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 00000027.00000002.605442747.00000000016F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/
Source: wzltxa.exe, 0000000D.00000002.356865636.0000000000CD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/%
Source: wzltxa.exe, 0000001C.00000002.510519508.0000000001098000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/)
Source: wzltxa.exe, 0000001C.00000003.509113143.00000000010D4000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 0000001C.00000002.510669459.00000000010D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/.
Source: wzltxa.exe, 00000012.00000002.406611615.00000000012A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/0
Source: wzltxa.exe, 0000000D.00000002.356865636.0000000000CD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/3
Source: wzltxa.exe, 0000001F.00000002.546253684.0000000001488000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/5
Source: wzltxa.exe, 0000000D.00000002.356925187.0000000000D13000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 00000027.00000002.605442747.00000000016F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/6
Source: wzltxa.exe, 0000000F.00000002.384119850.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/E:
Source: mPNVrHIpyt.exe, 00000000.00000002.280964753.0000000001549000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/K
Source: wzltxa.exe, 0000000B.00000002.319600520.00000000010EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/S
Source: wzltxa.exe, 00000021.00000002.566573715.0000000000758000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/T
Source: wzltxa.exe, 00000012.00000002.406711705.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 00000012.00000003.405938163.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 0000001F.00000002.546525436.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/Y
Source: mPNVrHIpyt.exe, 00000000.00000002.280964753.0000000001549000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/Z
Source: wzltxa.exe, 0000001F.00000002.546253684.0000000001488000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/a
Source: wzltxa.exe, 00000016.00000002.443945557.0000000000E78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/nxD
Source: wzltxa.exe, 00000016.00000002.443945557.0000000000E78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/pxV
Source: wzltxa.exe, 0000000B.00000002.319600520.00000000010EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/r
Source: mPNVrHIpyt.exe, 00000000.00000002.280964753.0000000001549000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/u
Source: mPNVrHIpyt.exe, 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmp, wzltxa.exe, 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000D.00000002.357333770.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000F.00000002.385057695.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000012.00000002.407272016.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000016.00000002.444732494.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000019.00000002.471339306.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000001C.00000002.511353636.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000001F.00000002.547100256.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000021.00000002.567450621.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000027.00000002.606206614.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: https://tox.chat/download.html
Source: mPNVrHIpyt.exe, 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmp, wzltxa.exe, 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000D.00000002.357333770.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000F.00000002.385057695.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000012.00000002.407272016.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000016.00000002.444732494.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000019.00000002.471339306.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000001C.00000002.511353636.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000001F.00000002.547100256.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000021.00000002.567450621.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000027.00000002.606206614.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.torproject.org/

Source: unknown

DNS traffic detected: queries for: ipv4bot.whatismyipaddress.com

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Code function: 0_2_0F698050 lstrcatW,InternetCloseHandle,InternetConnectW,VirtualAlloc,wsprintfW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpSendRequestW,InternetReadFile,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,VirtualFree,

0_2_0F698050

Creates a DirectInput object (often for capturing keystrokes)

Source: wzltxa.exe, 0000000B.00000002.319600520.00000000010EA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Yara detected Gandcrab

Source: Yara match	File source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.407272016.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.471339306.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.606206614.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.444732494.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.511353636.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.357333770.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.547100256.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.567450621.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.385057695.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mPNVrHIpyt.exe PID: 3592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 1276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 1920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 4616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 6136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 1356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 6016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 5520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 6128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 2156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 5248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 1200, type: MEMORYSTR

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F696660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_0F696660
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB6660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	11_2_0FBB6660
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB6660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	12_2_0FBB6660

System Summary

Malicious sample detected (through community Yara rule)

Source: mPNVrHIpyt.exe, type: SAMPLE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: mPNVrHIpyt.exe, type: SAMPLE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: mPNVrHIpyt.exe, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED	Matched rule: Gandcrab Payload Author: kevoreilly
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs

Uses 32bit PE files

Source: mPNVrHIpyt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: mPNVrHIpyt.exe, type: SAMPLE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: mPNVrHIpyt.exe, type: SAMPLE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: mPNVrHIpyt.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: mPNVrHIpyt.exe, type: SAMPLE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: mPNVrHIpyt.exe, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: Process Memory Space: wzltxa.exe PID: 1276, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: wzltxa.exe PID: 4616, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: wzltxa.exe PID: 6136, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: wzltxa.exe PID: 1356, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: wzltxa.exe PID: 6016, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: wzltxa.exe PID: 6128, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: wzltxa.exe PID: 2156, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: wzltxa.exe PID: 5248, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Detected potential crypto function

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F691C20	0_2_0F691C20
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F691020	0_2_0F691020
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F698520	0_2_0F698520
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB1C20	11_2_0FBB1C20
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB1020	11_2_0FBB1020
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB8520	11_2_0FBB8520
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB1C20	12_2_0FBB1C20
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB1020	12_2_0FBB1020
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB8520	12_2_0FBB8520

Source: mPNVrHIpyt.exe	Virustotal: Detection: 84%
Source: mPNVrHIpyt.exe	Metadefender: Detection: 78%
Source: mPNVrHIpyt.exe	ReversingLabs: Detection: 96%

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

File read: C:\Users\user\Desktop\mPNVrHIpyt.exe

Jump to behavior

Source: mPNVrHIpyt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\mPNVrHIpyt.exe "C:\Users\user\Desktop\mPNVrHIpyt.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@17/1@16/1

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Code function: 0_2_0F697490 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree,

0_2_0F697490

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Code function: 0_2_0F697B70 wsprintfW,VirtualAlloc,VirtualAlloc,VirtualAlloc,VirtualAlloc,CreateToolhelp32Snapshot,VirtualFree,Process32FirstW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,Process32NextW,GetLastError,lstrlenW,VirtualFree,VirtualFree,FindCloseChangeNotification,VirtualFree,

0_2_0F697B70

Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=cd05fa18e84d425b

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: mPNVrHIpyt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Data Obfuscation

Yara detected ReflectiveLoader

Source: Yara match	File source: mPNVrHIpyt.exe, type: SAMPLE
Source: Yara match	File source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000000.523518226.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.302743243.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.561698093.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.606192732.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.401188568.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.485070318.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.363985954.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.385026266.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.471324197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.264971762.000000000F69A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.357323149.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.405226267.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.565428063.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.467592821.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.597821532.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000000.547433699.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.449352573.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.383675616.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.422070871.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.567428078.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.470832696.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.601264865.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.505234483.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.444710871.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.321133700.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.547067316.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.407240939.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.511336369.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.580667243.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.508822992.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.343145557.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mPNVrHIpyt.exe PID: 3592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 1276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 1920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 4616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 6136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 1356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 2996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 6016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 5520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 2228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 6128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 5752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 2156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 5248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 4920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 1200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 5280, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Code function: 0_2_0F698400 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_0F698400

PE file contains an invalid checksum

Source: wzltxa.exe.0.dr	Static PE information: real checksum: 0x120f7 should be: 0x1f358
Source: mPNVrHIpyt.exe	Static PE information: real checksum: 0x120f7 should be: 0x21748

Drops PE files

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe

Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lwxsmttcgib	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mvsrloqetvq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce pkxyauwkvet	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce axlnhkgixlf	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ovikprhtlzq
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lldeowbcwli	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zrmtrmmkdhu
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce imsihyxywip	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rbpjrvqzmfp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jmfyvzwgtay
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xjlfhrnjhfo	Jump to behavior

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce imsihyxywip	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce imsihyxywip	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce imsihyxywip	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce imsihyxywip	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lwxsmttcgib	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lwxsmttcgib	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lwxsmttcgib	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lwxsmttcgib	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rbpjrvqzmfp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rbpjrvqzmfp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rbpjrvqzmfp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rbpjrvqzmfp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lldeowbcwli	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lldeowbcwli	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lldeowbcwli	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lldeowbcwli	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mvsrloqetvq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mvsrloqetvq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mvsrloqetvq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mvsrloqetvq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce pkxyauwkvet	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce pkxyauwkvet	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce pkxyauwkvet	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce pkxyauwkvet	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce axlnhkgixlf	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce axlnhkgixlf	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce axlnhkgixlf	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce axlnhkgixlf	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xjlfhrnjhfo	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xjlfhrnjhfo	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xjlfhrnjhfo	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xjlfhrnjhfo	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ovikprhtlzq
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ovikprhtlzq
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ovikprhtlzq
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ovikprhtlzq
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jmfyvzwgtay
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jmfyvzwgtay
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jmfyvzwgtay
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jmfyvzwgtay
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zrmtrmmkdhu
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zrmtrmmkdhu
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zrmtrmmkdhu
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zrmtrmmkdhu

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Contains functionality to enumerate device drivers

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	0_2_0F692F50
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	11_2_0FBB2F50
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	12_2_0FBB2F50

Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F696DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_0F696DF0
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F696BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_0F696BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB6BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	11_2_0FBB6BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB6DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	11_2_0FBB6DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB6BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	12_2_0FBB6BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB6DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	12_2_0FBB6DF0

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node

Source: mPNVrHIpyt.exe, 00000000.00000002.280964753.0000000001549000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: wzltxa.exe, 0000000B.00000002.319600520.00000000010EA000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 0000000D.00000002.356865636.0000000000CD8000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 0000000F.00000002.384044865.0000000000818000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 00000012.00000002.406611615.00000000012A8000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 00000016.00000002.443986356.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 0000001C.00000002.510519508.0000000001098000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 0000001F.00000002.546253684.0000000001488000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 00000021.00000002.566670485.000000000077F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Code function: 0_2_0F698400 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_0F698400

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Code function: 0_2_0F693200 lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,GetProcessHeap,HeapAlloc,lstrcpyA,

0_2_0F693200

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F695FF0 mov eax, dword ptr fs:[00000030h]	0_2_0F695FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB5FF0 mov eax, dword ptr fs:[00000030h]	11_2_0FBB5FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB5FF0 mov eax, dword ptr fs:[00000030h]	12_2_0FBB5FF0

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Code function: 0_2_0F693C70 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid,

0_2_0F693C70

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Code function: 0_2_0F699200 cpuid

0_2_0F699200

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

0_2_0F697490

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

Contacted Domains

Name	IP	Active
ipv4bot.whatismyipaddress.com	unknown	unknown

AV Detection

Multi AV Scanner detection for submitted file

Source: mPNVrHIpyt.exe	Virustotal: Detection: 84%	Perma Link
Source: mPNVrHIpyt.exe	Metadefender: Detection: 78%	Perma Link
Source: mPNVrHIpyt.exe	ReversingLabs: Detection: 96%

Antivirus / Scanner detection for submitted sample

Source: mPNVrHIpyt.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Machine Learning detection for sample

Source: mPNVrHIpyt.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 27.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 27.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 20.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 11.3.wzltxa.exe.3940000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 15.3.wzltxa.exe.2fa0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 13.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 20.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 31.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 40.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 34.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 13.3.wzltxa.exe.3270000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 39.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 34.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 11.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 30.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 33.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 11.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 18.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 39.3.wzltxa.exe.4010000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 31.3.wzltxa.exe.3b90000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 12.3.wzltxa.exe.3b20000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 39.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 22.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 18.3.wzltxa.exe.3a80000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 33.3.wzltxa.exe.2f00000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 22.3.wzltxa.exe.3640000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 33.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 18.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 13.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 15.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 15.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 31.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 28.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 28.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 28.3.wzltxa.exe.38a0000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 30.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 40.0.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 25.3.wzltxa.exe.3a00000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 22.2.wzltxa.exe.fbb0000.0.unpack	Avira: Label: TR/Dropper.Gen

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F695860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	0_2_0F695860
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F694B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	0_2_0F694B20
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F698400 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_0F698400
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F6963E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	0_2_0F6963E0
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F6982B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_0F6982B0
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F696660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_0F696660
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F695670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	0_2_0F695670
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F6934F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	0_2_0F6934F0
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F6953D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	0_2_0F6953D0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB82B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	11_2_0FBB82B0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB63E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	11_2_0FBB63E0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB4B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	11_2_0FBB4B20
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB5860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	11_2_0FBB5860
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB34F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	11_2_0FBB34F0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB53D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	11_2_0FBB53D0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB8400 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	11_2_0FBB8400
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB5670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	11_2_0FBB5670
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB6660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	11_2_0FBB6660
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB82B0 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	12_2_0FBB82B0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB63E0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	12_2_0FBB63E0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB4B20 EntryPoint,Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	12_2_0FBB4B20
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB5860 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrcatW,lstrlenW,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrcatW,lstrlenW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	12_2_0FBB5860
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB34F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	12_2_0FBB34F0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB53D0 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	12_2_0FBB53D0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB8400 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	12_2_0FBB8400
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB5670 VirtualAlloc,VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,VirtualAlloc,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,	12_2_0FBB5670
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB6660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	12_2_0FBB6660

Uses 32bit PE files

Source: mPNVrHIpyt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: mPNVrHIpyt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Checks for available system drives (often done to infect USB drives)

Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: z:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: x:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: v:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: t:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: r:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: p:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: n:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: l:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: j:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: h:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: f:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: b:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: y:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: w:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: u:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: s:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: q:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: o:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: m:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: k:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: i:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: g:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: e:
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File opened: a:

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F696DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_0F696DF0
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F696BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_0F696BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB6BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	11_2_0FBB6BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB6DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	11_2_0FBB6DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB6BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	12_2_0FBB6BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB6DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	12_2_0FBB6DF0

Networking

Contains functionality to determine the online IP of the system

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F696FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_0F696FF0
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F696FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_0F696FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB6FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	11_2_0FBB6FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB6FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	11_2_0FBB6FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB6FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	12_2_0FBB6FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB6FF0 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	12_2_0FBB6FF0

Found Tor onion address

Source: mPNVrHIpyt.exe, 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 0000000D.00000002.357333770.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 0000000F.00000002.385057695.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 00000012.00000002.407272016.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 00000016.00000002.444732494.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 00000019.00000002.471339306.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 0000001C.00000002.511353636.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 0000001F.00000002.547100256.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 00000021.00000002.567450621.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 00000027.00000002.606206614.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: 4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b

May check the online IP address of the machine

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com

Source: mPNVrHIpyt.exe, 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmp, wzltxa.exe, 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000D.00000002.357333770.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000F.00000002.385057695.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000012.00000002.407272016.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000016.00000002.444732494.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000019.00000002.471339306.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000001C.00000002.511353636.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000001F.00000002.547100256.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000021.00000002.567450621.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000027.00000002.606206614.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: http://gdcbmuveqjsli57x.onion/cd05fa18e84d425b
Source: wzltxa.exe, 00000027.00000002.605442747.00000000016F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/
Source: wzltxa.exe, 0000000D.00000002.356865636.0000000000CD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/%
Source: wzltxa.exe, 0000001C.00000002.510519508.0000000001098000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/)
Source: wzltxa.exe, 0000001C.00000003.509113143.00000000010D4000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 0000001C.00000002.510669459.00000000010D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/.
Source: wzltxa.exe, 00000012.00000002.406611615.00000000012A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/0
Source: wzltxa.exe, 0000000D.00000002.356865636.0000000000CD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/3
Source: wzltxa.exe, 0000001F.00000002.546253684.0000000001488000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/5
Source: wzltxa.exe, 0000000D.00000002.356925187.0000000000D13000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 00000027.00000002.605442747.00000000016F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/6
Source: wzltxa.exe, 0000000F.00000002.384119850.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/E:
Source: mPNVrHIpyt.exe, 00000000.00000002.280964753.0000000001549000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/K
Source: wzltxa.exe, 0000000B.00000002.319600520.00000000010EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/S
Source: wzltxa.exe, 00000021.00000002.566573715.0000000000758000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/T
Source: wzltxa.exe, 00000012.00000002.406711705.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 00000012.00000003.405938163.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 0000001F.00000002.546525436.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/Y
Source: mPNVrHIpyt.exe, 00000000.00000002.280964753.0000000001549000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/Z
Source: wzltxa.exe, 0000001F.00000002.546253684.0000000001488000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/a
Source: wzltxa.exe, 00000016.00000002.443945557.0000000000E78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/nxD
Source: wzltxa.exe, 00000016.00000002.443945557.0000000000E78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/pxV
Source: wzltxa.exe, 0000000B.00000002.319600520.00000000010EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/r
Source: mPNVrHIpyt.exe, 00000000.00000002.280964753.0000000001549000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/u
Source: mPNVrHIpyt.exe, 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmp, wzltxa.exe, 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000D.00000002.357333770.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000F.00000002.385057695.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000012.00000002.407272016.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000016.00000002.444732494.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000019.00000002.471339306.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000001C.00000002.511353636.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000001F.00000002.547100256.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000021.00000002.567450621.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000027.00000002.606206614.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: https://tox.chat/download.html
Source: mPNVrHIpyt.exe, 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmp, wzltxa.exe, 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000D.00000002.357333770.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000000F.00000002.385057695.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000012.00000002.407272016.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000016.00000002.444732494.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000019.00000002.471339306.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000001C.00000002.511353636.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 0000001F.00000002.547100256.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000021.00000002.567450621.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, wzltxa.exe, 00000027.00000002.606206614.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.torproject.org/

Source: unknown

DNS traffic detected: queries for: ipv4bot.whatismyipaddress.com

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

0_2_0F698050

Creates a DirectInput object (often for capturing keystrokes)

Source: wzltxa.exe, 0000000B.00000002.319600520.00000000010EA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Yara detected Gandcrab

Source: Yara match	File source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.407272016.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.471339306.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.606206614.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.444732494.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.511353636.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.357333770.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.547100256.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.567450621.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.344617824.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.281255332.000000000F6A2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.385057695.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.320303150.000000000FBC2000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mPNVrHIpyt.exe PID: 3592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 1276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 1920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 4616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 6136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 1356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 6016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 5520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 6128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 2156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 5248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 1200, type: MEMORYSTR

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F696660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_0F696660
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB6660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	11_2_0FBB6660
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB6660 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	12_2_0FBB6660

System Summary

Malicious sample detected (through community Yara rule)

Source: mPNVrHIpyt.exe, type: SAMPLE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: mPNVrHIpyt.exe, type: SAMPLE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: mPNVrHIpyt.exe, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED	Matched rule: Gandcrab Payload Author: kevoreilly
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs

Uses 32bit PE files

Source: mPNVrHIpyt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: mPNVrHIpyt.exe, type: SAMPLE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: mPNVrHIpyt.exe, type: SAMPLE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: mPNVrHIpyt.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: mPNVrHIpyt.exe, type: SAMPLE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: mPNVrHIpyt.exe, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: Process Memory Space: wzltxa.exe PID: 1276, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: wzltxa.exe PID: 4616, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: wzltxa.exe PID: 6136, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: wzltxa.exe PID: 1356, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: wzltxa.exe PID: 6016, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: wzltxa.exe PID: 6128, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: wzltxa.exe PID: 2156, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Process Memory Space: wzltxa.exe PID: 5248, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Detected potential crypto function

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F691C20	0_2_0F691C20
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F691020	0_2_0F691020
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F698520	0_2_0F698520
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB1C20	11_2_0FBB1C20
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB1020	11_2_0FBB1020
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB8520	11_2_0FBB8520
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB1C20	12_2_0FBB1C20
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB1020	12_2_0FBB1020
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB8520	12_2_0FBB8520

Source: mPNVrHIpyt.exe	Virustotal: Detection: 84%
Source: mPNVrHIpyt.exe	Metadefender: Detection: 78%
Source: mPNVrHIpyt.exe	ReversingLabs: Detection: 96%

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

File read: C:\Users\user\Desktop\mPNVrHIpyt.exe

Jump to behavior

Source: mPNVrHIpyt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\mPNVrHIpyt.exe "C:\Users\user\Desktop\mPNVrHIpyt.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe "C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe"

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@17/1@16/1

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

0_2_0F697490

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

0_2_0F697B70

Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=cd05fa18e84d425b

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: mPNVrHIpyt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Data Obfuscation

Yara detected ReflectiveLoader

Source: Yara match	File source: mPNVrHIpyt.exe, type: SAMPLE
Source: Yara match	File source: 33.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.wzltxa.exe.3270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.wzltxa.exe.3a00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.wzltxa.exe.3640000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.wzltxa.exe.4010000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.wzltxa.exe.2fa0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.wzltxa.exe.38a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.mPNVrHIpyt.exe.3e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.wzltxa.exe.3b90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.wzltxa.exe.3940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.wzltxa.exe.3b20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.wzltxa.exe.2fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.wzltxa.exe.3b20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.wzltxa.exe.2f00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.wzltxa.exe.3270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.wzltxa.exe.3a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.wzltxa.exe.3940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.wzltxa.exe.2f00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.3.wzltxa.exe.4010000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.wzltxa.exe.3640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.wzltxa.exe.3a80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.wzltxa.exe.3b90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.mPNVrHIpyt.exe.3e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.wzltxa.exe.3a00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mPNVrHIpyt.exe.f690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.3.wzltxa.exe.38a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.0.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.wzltxa.exe.fbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000000.523518226.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.302743243.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.561698093.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.606192732.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.401188568.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.485070318.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.363985954.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.539610642.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.385026266.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.471324197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.343975450.0000000003B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.264971762.000000000F69A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.357323149.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.320296152.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.604611550.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.405226267.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.509057598.00000000038A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.565428063.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.467592821.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.280650626.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.597821532.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.443479124.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000000.547433699.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.449352573.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.383675616.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.422070871.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.344609197.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.567428078.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.405995868.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.470832696.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.565723232.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.601264865.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.505234483.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.469796043.0000000003A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.383072637.0000000002FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.444710871.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.321133700.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.547067316.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.281249119.000000000F69A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.319280593.0000000003940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.407240939.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.356575582.0000000003270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.511336369.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.580667243.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.508822992.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.343145557.000000000FBBA000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mPNVrHIpyt.exe PID: 3592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 1276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 1920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 4616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 6136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 1356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 2996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 6016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 5520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 2228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 6128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 5752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 2156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 5248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 4920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 1200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzltxa.exe PID: 5280, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe, type: DROPPED

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Code function: 0_2_0F698400 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_0F698400

PE file contains an invalid checksum

Source: wzltxa.exe.0.dr	Static PE information: real checksum: 0x120f7 should be: 0x1f358
Source: mPNVrHIpyt.exe	Static PE information: real checksum: 0x120f7 should be: 0x21748

Drops PE files

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe

Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lwxsmttcgib	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mvsrloqetvq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce pkxyauwkvet	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce axlnhkgixlf	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ovikprhtlzq
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lldeowbcwli	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zrmtrmmkdhu
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce imsihyxywip	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rbpjrvqzmfp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jmfyvzwgtay
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xjlfhrnjhfo	Jump to behavior

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce imsihyxywip	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce imsihyxywip	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce imsihyxywip	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce imsihyxywip	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lwxsmttcgib	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lwxsmttcgib	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lwxsmttcgib	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lwxsmttcgib	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rbpjrvqzmfp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rbpjrvqzmfp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rbpjrvqzmfp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce rbpjrvqzmfp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lldeowbcwli	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lldeowbcwli	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lldeowbcwli	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce lldeowbcwli	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mvsrloqetvq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mvsrloqetvq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mvsrloqetvq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mvsrloqetvq	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce pkxyauwkvet	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce pkxyauwkvet	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce pkxyauwkvet	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce pkxyauwkvet	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce axlnhkgixlf	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce axlnhkgixlf	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce axlnhkgixlf	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce axlnhkgixlf	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xjlfhrnjhfo	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xjlfhrnjhfo	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xjlfhrnjhfo	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce xjlfhrnjhfo	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ovikprhtlzq
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ovikprhtlzq
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ovikprhtlzq
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ovikprhtlzq
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jmfyvzwgtay
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jmfyvzwgtay
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jmfyvzwgtay
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce jmfyvzwgtay
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zrmtrmmkdhu
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zrmtrmmkdhu
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zrmtrmmkdhu
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce zrmtrmmkdhu

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Contains functionality to enumerate device drivers

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	0_2_0F692F50
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	11_2_0FBB2F50
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	12_2_0FBB2F50

Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F696DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_0F696DF0
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F696BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_0F696BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB6BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	11_2_0FBB6BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB6DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	11_2_0FBB6DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB6BA0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	12_2_0FBB6BA0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB6DF0 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	12_2_0FBB6DF0

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	API call chain: ExitProcess graph end node

Source: mPNVrHIpyt.exe, 00000000.00000002.280964753.0000000001549000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: wzltxa.exe, 0000000B.00000002.319600520.00000000010EA000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 0000000D.00000002.356865636.0000000000CD8000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 0000000F.00000002.384044865.0000000000818000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 00000012.00000002.406611615.00000000012A8000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 00000016.00000002.443986356.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 0000001C.00000002.510519508.0000000001098000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 0000001F.00000002.546253684.0000000001488000.00000004.00000020.00020000.00000000.sdmp, wzltxa.exe, 00000021.00000002.566670485.000000000077F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Code function: 0_2_0F698400 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_0F698400

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Code function: 0_2_0F693200 lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,GetProcessHeap,HeapAlloc,lstrcpyA,

0_2_0F693200

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Code function: 0_2_0F695FF0 mov eax, dword ptr fs:[00000030h]	0_2_0F695FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 11_2_0FBB5FF0 mov eax, dword ptr fs:[00000030h]	11_2_0FBB5FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Code function: 12_2_0FBB5FF0 mov eax, dword ptr fs:[00000030h]	12_2_0FBB5FF0

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Code function: 0_2_0F693C70 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid,

0_2_0F693C70

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Queries volume information: C:\ VolumeInformation

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Code function: 0_2_0F699200 cpuid

0_2_0F699200

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\mPNVrHIpyt.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\Microsoft\wzltxa.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\mPNVrHIpyt.exe

0_2_0F697490

ID:	694572
Product:	CloudBasic
Start time:	00:06:24
Start date:	01.09.2022
Sample:	mPNVrHIpyt.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	cc7ae6e4c86f605aab66fbd04eef7997
SHA1:	8c7c23c91ccecf548c6f9df30b839b9b24d57095
SHA256:	95427e787bb623ba2d2ec51cb289ae579aea27a674d900f9aa239f6a034b05cc
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report
mPNVrHIpyt.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Windows Analysis Report mPNVrHIpyt.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Windows Analysis Report
mPNVrHIpyt.exe