a94a30a01d8a229e9ffa3360b5f416b13ca53fa8ff6be29bc30d3412f5b39de8

Analysis

max time kernel
145s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
Size

2.4MB
MD5

0c3f9f98e0487e82524181baaf798858
SHA1

4074a27a0ec2570eb612cd39d60f5b3984063223
SHA256

a94a30a01d8a229e9ffa3360b5f416b13ca53fa8ff6be29bc30d3412f5b39de8
SHA512

37228068fd8ba61291342de9aeaa2f0d040b1d577699f6e09b7b204e408b2286eecf7b3d5d4c4fb76135ce37dfc19338ee16bdbed1848a63c40ed7875affe23d
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MC2:eEtl9mRda12sX7hKB8NIyXbacAfr

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
5196	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\A:	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\M:	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\N:	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\W:	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\H:	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\I:	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\J:	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\K:	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\L:	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\V:	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\R:	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\S:	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\E:	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\P:	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\T:	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\Y:	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\G:	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\O:	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\X:	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\B:	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\Q:	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\U:	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\Z:	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\B:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened for modification	C:\AUTORUN.INF	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HelpMe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 5196	404	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe	86
PID 404 wrote to memory of 5196	404	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe	86
PID 404 wrote to memory of 5196	404	2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe	86

C:\Users\Admin\AppData\Local\Temp\2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-04_0c3f9f98e0487e82524181baaf798858_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:5196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3975168204-1612096350-4002976354-1000\desktop.ini.exe

Filesize
2.4MB

MD5
fe3d3c42c4da550dd28084d0cb8e7464

SHA1
4618a27724375df6e4f3552b44d936ff462f7668

SHA256
1ec737d8a4f39b593a05355a1f57b0c0770a2a4741ff0098fdf28ec5ee0c0b50

SHA512
03f802c2a8e7ee07c8b3509ec4873758aea9106a525019f9b9c245e9a63ab95a5a3cf47333b8b4d235c43be378df63d73d4e3b9d67a8d49ba154d4876a6a5de3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
85a9849e3a0c0e689006a59714f59426

SHA1
57dd94c125cd583082148721c25ca7edb5f10e20

SHA256
1d9b86ff73ccf3efbc00de3666858c07293b720493cd3f1d215d57e5a2a5cc5a

SHA512
6d485c28f1700d32bb3d96e3b45fc2efc8b5daa3fabbf8df7d3e201ec9436498c3684b032c3fb4362d25ffa365177e16c625e3b9628d9f0997111cdbe07af945

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b3b6f7fa675ec9bb1767169a1a0ba790

SHA1
e48dc5a22f0a7431dd4dcc21e5541f94a68dafcc

SHA256
1824440b89fa30f6f9a68b21d38f085cc072e60723daeb76ede8e21bc1e03ea4

SHA512
5cc90d0a9ccc5ccda9bb5f30c37c643f625eb3b4b1bccff63b2b58dc6a5128d0c999f28398a836400da847c19775bc37fe5004e29b4e1e12619eb73acfc51207

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
de1db2be84f2a8d5b04c484d42f6a1be

SHA1
d1875fad993d677c25e8708c1d9ad389802fa938

SHA256
6757a8b06b5d70e1a67a21b5bfe706c9e439e8e0d37a76aabb8c8bcca509b402

SHA512
b0202df0afdca9af8be02c3e817c64b91ac4ef214c9c8b15b3cf841a94b3d9738ae9b04a183fabf10eb0eb90e2b3165fc330f18625d2d0613d3e1c2bc0f4ae8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
d27695e3d40b9185ad90f78afdae8d5a

SHA1
2176b7b2ab2ea5da3987602ceecf3f9324930b63

SHA256
08e78fb3348f46777664d04d25f405404b3becba98ff8e38b331b227d9a621fb

SHA512
62f4b0cffef0946eec7e825395fe628ece77c8dd86805dd1c35a207d5eb087660af4e8ebc72441ac3fd7260df16d26129b42a9b8c6075e16710ac3afe57dc2ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d2b37104b3c73516fcca8a0fe16f898c

SHA1
b1866699e6362e6f45949f62b1e1de9385eaa85c

SHA256
6c073f171354566dcc8cdb9ac44bf2926a533b7eb769a84ada28aecab281a4d4

SHA512
33a3e393dc5ee96536a50d779e4f3e7448aedad5858dd7ca74a800bfa6751001d8211550e427a65ce08d22b95ef4525d9c420851683b21131c8ec1c59504bd49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
48348b3a402d7edf33ccbd97f40b6b7e

SHA1
cff77ee4213c13ea04124ec5ea80f14e2dbe4611

SHA256
f74da4d1bb0d74541249c4bf58eab8d1eb3c9437b503f45b2017a6a24dfdd678

SHA512
23ef3da84bbf411644ce9c1104ae0129544a53fcc098abfe7a7440f8f137b22a78cb36317722e2b3187b883eb8cac2e5708024e06c43b6e8901625b61e93be0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
95e8c368febe84def7324a7d0a654963

SHA1
a8e089283378ac692a8823bd08b8fed7ecbe933d

SHA256
4829303d908f47ac88329d2e03a061283c5c0cd4663251dc15047a287b52eae0

SHA512
61c6f7cd2c59c7219ec5fe52f1f7c18c494ce15ebbb8d5d072e4c2ed2910285fd6aceadf9541da8c8dcc736b25cbaf6221322076d8ace5195ae1e2abab620fee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
be0781738331c209736f8c0ac57bb64c

SHA1
8b50c6ecf89b033474b8f13ed5788b6342e39f75

SHA256
fa9cce044e9e36a627b92d506933b3f3a38d6d18fe9009bdb90174b061a93dc6

SHA512
71201b30d967b68f54d8f8776fb02b413dc61facd9f48cb4d8b97dd9d897e44494edfc9d395de0a4afe20f45e447ba0ce7e9029034ce2e21b1a7e6df6a42ec0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ac2087e3e9f3c0fe4d1fa276fab0347a

SHA1
7a0931363c1edfadee926895e89bc9520aaa12ac

SHA256
75aff4178e3af2af2252f0e0b3db93906c54cc3aa41506a3588e14a271d729c4

SHA512
a0a8764441b9f5a2a3ca141fab8b5e2bda7a076cc02c10e9634e437531b3c22ba4879311628851c3293c7d2b6e05346d4ba2b39516ad609a5a6abcde44c9a8d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
ab35456841d2449be5570c9038157a23

SHA1
05a39c264097d9bb2b154ba2b3dcb2e812f28686

SHA256
5632fca38f92205940facecbd085f0904891ade2acbd71ea5559ce26f402d381

SHA512
7d60340aebe10c7116a57a67ab17c26915ddef773ac8265c7bb04ef9c1054f0682b55f292cf309499538886d2b0fc668753264238161e50d52373cb1253dc65b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
fd7ec72ac57e47a8f5f1e446d476308d

SHA1
53ea18333cdc1001a043c83189bf01bb49d8a3f5

SHA256
84676bd4a471836412dff9e3c65c1720868c85b593ae5455c4ee86eea1a999b3

SHA512
a9c6535293c99627a2623f0b4ab683712a4920b72fc10cff9c288aafa2d2308be79fb2d2010c70f02c0c19d506e0c74399c4d95259c6d71beed2fc22fc07a825

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d14e7cb0882c39df0aaa14be69ed59d8

SHA1
973161e3303f26f9eade7f0e053621b2c93b605e

SHA256
fa2954a8cbe2199a3c0721a56ed6f121adaee91959ffd70f033db1d8ce8dd9f8

SHA512
52e974f85ff97d790f0dfa82c58017a56c798e5d3ef6d6e2a65f0615138de95ffee43cda03e1ca69f9f091472e0cd92bdfb3a5e12fa8a9fb3f6c6b7c1d7c3046

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4b103bb55bafd934836e99e048e6c481

SHA1
20d6646356c59ad57dfb7da78075bdeb7c92d5d6

SHA256
5015a0d17ce94d2c68c5d66a306f82c33c7399e5dbdbf06457fe4e37c2c6baae

SHA512
4491d0953a5f2599d48ef10ce1b6869928bf931c1cbd7f06ed93d766fd4c5ffc5b3aba67a2bcecb35fb6003a39ef2fbf664e311abb121793402ac31015343e71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7bb5a1235723c670228948a1d0359d4f

SHA1
e769cc178585da0cb47c94c7e0e49680e32ec0bf

SHA256
22af6701bef8413d79f4aa8ebda64cf8df562bfe47802eaa8c8f4a593508fe2a

SHA512
d3113d5ee50c4667c43619430fa45fb36206d2e4f1a1d8ac8ad282675a8e0627e2f6b447538c39b8cb0dd089e59c42269d4937740913f99183e0e11cb37efc46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
eb1744db2a83b97f7e7a29ec4c9e5b4e

SHA1
4b0e4ec4468c3532d6a26e411c2774c51adc8c0c

SHA256
b3ea5bb2319107907d7eeb01e65e13ffefff65483a066e63d0b7e3c8e9f20c4c

SHA512
22699138693d3d5de2d2ff76a0c23b7857a911e9a2054d95144eae445316add9ce308911e5010b686413f983d8079a0a8cbe2ee3ab51005e0b83373825755c3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
a4bb00cb566f238daf4a0b271c1e5a2c

SHA1
74e167301361686e28ec492b1bade08f0a958e22

SHA256
1549e9ff0f36d37de32bb7ec8d680541c3384e8c1b116851873790c25e569cf4

SHA512
20c38841f7fe2d113f255d54cb6c0310f6d417b428a063ef067768d7a77ca34171d9ef91b0a03f8b08f53eee7c93a2fc58d74aa43f6a683440ecd7d941563157

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
5d3954ea63d3ba06eb17a774fe6d17e8

SHA1
5f60c229da290b0f17ebfab71da864e979bcff0d

SHA256
9089aed39a209aa0b7da0d3d7c33eb0f1649aa04bffcf99212bd8f50fe6ad4fd

SHA512
cb7bc3c6d1177cfdd552b1f70edadfd4ad26d5257785ac24d5d90c1e3d3bb5d866b774683c4d3c4e5897c896edba32ad05765df4853cb1faa47f3133d20a7227

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
d808402faad8217ac00ff0882fec2f91

SHA1
8e527ffad57bc099fc340e4df6804ea81d66f497

SHA256
eeacf5ac06bc7417709beaec96b195767af9e7382be86baef1f649a9f676cf03

SHA512
a2d01f4d09e42e8cd083b82e8dbacc7231f669dae82c303454ee9fdd09b1b0427ef67b10c8b4fdc9d50db4be831e438240297650196bb50dde57d53600691202

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
99e6406542d47a4aca531311c871be5a

SHA1
6bf659ca7538ef3375b4f24046dff0402e2ce615

SHA256
c31849d8f0bb13f02f9892554c570611046bce107577c37813947a7a8de3d1e6

SHA512
2a3a4d07e07839e163bbdb4cf05d9f6ecdd8e8a1a4138819581871b8f250ab3d406411fda0d8fd42c6d916f1e2ec4f6e45193559710fabcc96e4fb2ffd6e056a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
2e8839731358bd2bfc3a936b82bb6845

SHA1
664ec93d5d176f5972e8b4daf475c85bd3c68504

SHA256
8c668d601966871b52d03f2b02efbdb1988695e04b69db1b6f07328ea98b5816

SHA512
d8e1af6fbdb18f93a3cb1e68ac923f993b6d1e84a58a3989bfa28eb86c9110c55980b8890bd034dc4eeb2446e4ef31e1e7b3c8a3691c3f3979a415c66b1320a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2fad3edb775739f3b9e1d7c9daf1519d

SHA1
6f6e6df063f60d12a1110a6a0b20d787c40a171d

SHA256
3682d7fdcdee5b532d9cacc8a8df4edff987e6785e34ae024765f5cd2311f909

SHA512
3fd3d8158640bdd64fbd489989d521b77e6ae0f7261fc7de51a514fb22af12493323d189b3df9ba2a642f4ae2e590a9f156a20042bac70247251ad3e2bc19316

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
478f9d5cc308fa225027750b2a3fc4fc

SHA1
3d428ab1b6b91ad55e4d9b2a47f84b89abf1ecfe

SHA256
9a1bd5e31ddeb96e73b54fd26415f8aef94d283a62d31eeab1b47c5b5bca82ee

SHA512
6613d7cb30b2ddc000d58b65b84f1faebefcb9c6a9b7a106e658da23f2f293395ab641165855223c5f9e8af20d2218ed27c0e4023ef781335c91788bc3f36b32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
af34d86f1cd9eb634a2b49b278a9649c

SHA1
add1a1cf28a8cb1ac6cefbdf374f841e5174c11b

SHA256
7c45922373617afe976b126a6239d47413fe6eb9bd7ab62cd83fe93e7adde357

SHA512
fb01b86c380930ab9bd3f152b8e4e5f76ec7d4dfa5e91a212678182a9ff881f3bf6942d1c61b0be169845dc8e5d578469df13fc6ba70cc5e3ef5c926c79f20dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
cc1acd81928e631f5a56032198378604

SHA1
052658d41bf48b17d555e7dc857e7423c7e117dd

SHA256
28080ec9a6095f88fbba80f088a70f55c252a1062db907ff0cb4f22f5ac99e88

SHA512
74af5b381cf131014c83afa0234bfd56bc116613301b635e063219151bf58536b4f9ce4f925e65b734af8182d52e141306ae28066c784cfb55746b42aeb63714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f604b1fd2e2456f47bcb42751571ea8f

SHA1
d8e5b444ee2c63fd37c8d79301478f73d0b0a3a9

SHA256
201cb4fcc37b2b9fce2c751acd4120daf44f7c03817e8296e32d17c1f5099bad

SHA512
8c819bddca8cba8e16d28c87d5931a8ba31ebbca03e6555709ce2016a87cc4c58e94efc05450b539040553cdcda6042e69470c3358e6d0f4d0591e95ba4d8d03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
004591f4d851611c6aa596f3010a859e

SHA1
38e4d64a4fd286714e05b6c5d4d26235664aeac8

SHA256
d32078ad0510c86a72ca6888061dc15b7013c1da5adf3ea81e8d069aa920a133

SHA512
5162f6eb53f4ef7620aa45c7fbab33041490215a17bb3baf2c9fd904b6e6a9809b3502f11f8a437281cdd9afc228b63b16e032ae16146a90026db407580cc378

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
35702757fabd6b50deb004b35d24a855

SHA1
e870ce6dc9e0975666440c37330e8ed13272b2b5

SHA256
4af592917a9379ddb59c74a916f2d9120599873f19f42c62926844459c496c52

SHA512
c1c7d859ca737ef8e040854524452d3096cdf719a5c89b506c693e3137ece6ea74d1294301de269720b15df389c27e012e035f32a0a994bde11e9aef82aea2ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
573ab4c46dd01448a625e38659ffd6a3

SHA1
6172df45dbc65d321a7a764d5fc28d26ccbdc77d

SHA256
875918d6d607a72d698a844fac5557994bd7278fb6c0dce04401f0cb88b41db9

SHA512
5f33d9780fb3d3ae43dc647d4a8e80769fbf28e3df079780b01d94ae227066f5cf637a75d71533d79c2bf8c05e8f2b0ef050418eaa98eefcd75ea1415cbe5e92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
385304ed54c6fc2208b04c1c5d46d0f4

SHA1
cd94158aea2c59e533cb35066de97488a61d2bcc

SHA256
dd34b9bac983bb6318b9f7908319866dd28114beef1c335851332548fa298261

SHA512
e57e42e3bb3bcd2b7528f18013305e223001baf7b23284ce5a1b240b016990c795fe5a21de5acb390583ae7b671a0b4d315057f28f473df524d346cdda92ea07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
cf3534dfce0e468e9bcc6cdf0b676be0

SHA1
7ab276bef52bd7b8e5afc8bb331aeea4aa09f13b

SHA256
8500f6db411a02a9b5a5c2698b76acbc4938768c2ce200ce0abf669fd433eba7

SHA512
6abdeead33307c1f9a144c3cbe1396604d95ebfbcb6bc75dac21d2f5bc4c44c17c8eb882e42cd25064470edbb57b664eb35dcb104546badaebefd73aadd7e5ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
3dbb19e618ae8c00d06b39cf77d31bae

SHA1
3176a5959084825f6366ebe69d1f21aa226d17de

SHA256
016d76856135d53fba03e7d9679b6913826a6d39074db5effe9cb81aaf144768

SHA512
a0f096cf86e76902f9513ffc0beb01417f42f79c021c6c0cfb60daacf1d2908e4da93d816d3a8a2ef8bc0959ce96673d6e0e5a3bc6750480c084439a6dd3943f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ea7bb69f91ab593cdc7b444be0f6b7c8

SHA1
64a44166650bd5c6c0e96964eb595bcbb9b4e33d

SHA256
f17c2d19ecf28931b5a4a2831296410b71d7c7f4fe3eafe71399eb0a3aee85af

SHA512
c846a6aba290a340fb9bbace23724ac997284f4c000a507eb62660f080e7790e20a0527dbade72b5ebb9ac934cf9bc8045822d3135f26e59a187eed79731eec7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
62a2cae8b05655b75d76df3524c97a78

SHA1
400703314453be582eea5bc050ba08e0ad014695

SHA256
713a6e6fb936195599f21fce5023714b8e9e750ce80240f1f1a8ab50538c4a91

SHA512
3d6760b5a01aab506a0a22e349a40bad77a64c281d3a90470ae54481f8381a8716ce0c67efd5285e95487e51d5878ee141d2e8e1bba8bd6b2b32126857a89e90

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
d815dbbd883fb0ca60366fec3446e3f5

SHA1
392fccb013d50ad1fbf7bdcd783be9bb85a48a87

SHA256
f95ab72f3dbc0f053bbf300a20d8e6c26bbab1b6812d04a6fb4770ea3bde30b8

SHA512
42ef36a40ad3993b5abc7b322c5934613d888fb9741554654564d24bd2cd27f1a1146ba1c5b62242959742cbb4fdc58be26efda931b79f74a7f9547dc1944b38

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3975168204-1612096350-4002976354-1000\desktop.ini.exe

Filesize
2.4MB

MD5
33adfbd032207ae028d3c91aaacef82f

SHA1
8a7791abceca5616b88604d943e4b55620084478

SHA256
6dc8435f47c7511418195c8a96c7bff9850e68ce17529a574e4be4a07d8b4070

SHA512
28494069b917a4444281cef0cfa1b5252af3c0ea5573dad4dc90fdaa7b6c6513b7cb4dd00059799135e9d69a7d7027b57489388d809f979d7ba0ee59cb1df70f

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
2.4MB

MD5
0c3f9f98e0487e82524181baaf798858

SHA1
4074a27a0ec2570eb612cd39d60f5b3984063223

SHA256
a94a30a01d8a229e9ffa3360b5f416b13ca53fa8ff6be29bc30d3412f5b39de8

SHA512
37228068fd8ba61291342de9aeaa2f0d040b1d577699f6e09b7b204e408b2286eecf7b3d5d4c4fb76135ce37dfc19338ee16bdbed1848a63c40ed7875affe23d

Download Submit
memory/404-48-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/404-49-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/404-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/404-1-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/5196-50-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5196-54-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/5196-6-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads