85b71d5c18b39035112a77708078dc6b41f984f1e347fc1363ba6610986ec98f

Analysis

max time kernel
145s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
Size

2.4MB
MD5

7f85ed34c2991f73da87b61bad2e3369
SHA1

0bd33241d21ad796baf37143d57aa451db620a78
SHA256

85b71d5c18b39035112a77708078dc6b41f984f1e347fc1363ba6610986ec98f
SHA512

efbe94f8f4ea1511e9ab59b061cbd5d10661639d7e11aa63667d9b3947e489a766d75b5855c16e0f80fce5a3daa7051316ed95ffbfa3a1e13182ab5cb2e6ff79
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCU:eEtl9mRda12sX7hKB8NIyXbacAff

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe

Executes dropped EXE 1 IoCs

pid	Process
5948	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\E:	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\H:	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\L:	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\M:	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\O:	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\W:	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\G:	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\J:	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\K:	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\R:	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\U:	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\A:	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\I:	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\X:	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\Z:	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\S:	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\T:	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\B:	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\N:	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\P:	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\V:	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\Y:	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\Q:	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened (read-only)	\??\A:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened for modification	C:\AUTORUN.INF	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HelpMe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5300 wrote to memory of 5948	5300	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe	87
PID 5300 wrote to memory of 5948	5300	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe	87
PID 5300 wrote to memory of 5948	5300	2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe	87

C:\Users\Admin\AppData\Local\Temp\2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-04_7f85ed34c2991f73da87b61bad2e3369_black-basta_darkgate_luca-stealer_rhadamanthys_ryuk.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5300
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:5948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3920955164-3782810283-1225622749-1000\desktop.ini.exe

Filesize
2.4MB

MD5
b7dedfd1b8d831780d8fb1130ba87626

SHA1
66ef67e1804a606408be6fb41ba2ac27e591471a

SHA256
2810c84c83d0557354a36292c598e581067eed0f577fe0e965eefca9afb0f122

SHA512
2865d671639a8b21a184c9e9c3b7bdf8b10f34d573bb2ba5825ec34f0de421816ee2809630f08c2285dec6dbc52b0ad87d40643ce3c03077c9cd6fef6aabe3a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
389e7d92755ef8a4f5832d94d6e1c1b4

SHA1
2bdd534e1e1df43abce2d6c4c3aaa3cd865a70bf

SHA256
ca0c8add6ee9969b593512e2cadc48541fa8742f57b0de5c133eeaa4cd274526

SHA512
74b5ce812324bccdf7cf70a6922c86254190360891c862d72d3f1af4c7c08f36f8fe153ad92d894f35991ca2b2ff82eed4f13557f8bbf546bccc766ff37cd17e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c28cdd3bd5882a8fb893b60891ae7532

SHA1
dcbc1e8a8f107af9c4f284d65d1450bb36503770

SHA256
ad9164bdb61bf12c40d0592e23a8e5a45add1e9a0f6feecc1bd2286387f231f6

SHA512
2ad14fb3c96265a4f4cb7b16375b6ad0b6fb6850eac6931a5a959acf9bd5554e9c14875064fdfbddf7d20a273219127784f13abf5e17626f7f9291b5cfc42384

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
82b77922208d35bad6281040ac0a1d90

SHA1
69b8353be2c2676e8e4d5e3f2818947a2bbd6ba4

SHA256
59029fb5e50761c34eb5eb57e858596a80f8f51101155f73fa87738cf7619fa6

SHA512
2d9151bab8f580bec7a029aa91bf7662c699b44e53a64e00712dbed4d493869b6c861ca58a900f5d8d9ea9a74998880e3a27e6e4babdec7c2b6bd572bbc73f42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8224fdf8c0c37b744c10a0f8ce7329ca

SHA1
e5df002f73db397b74550a6d72dae894d0182b3c

SHA256
30577912f7b6c3bd4bb82a35d1d691572d9ec5905945a0212ab9355f8eaaa6da

SHA512
f491de0184ad3e950acffc4dbc9a3272cf9484d466e8bd6160adb036378ffd023b3a68c3f9c74649e451a637a05b182213b14f603c9aab0a82805795ae6f80ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
e301f9493c2c872320d8df98aa67dfc9

SHA1
b288de0097cfcfe428169679fa31c62aef4a31f1

SHA256
a0a3ce3fdf96845854efe42d543c57abe3a75f35f5ef76a1adc65250e84f1b5f

SHA512
0f5722a7fadf8920c34b9397d042434da311ca5b60a768c684db9a8bde9f7cefe61b4a2cb8f5420521003c2ac1b63129bfaeec9fe23ed95c369762d889702b68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b3e579be4e523684a7225a7775588dcd

SHA1
316d683d2a9c55fd7a1dcafcdc8fd23ca646e10b

SHA256
935cf0db89c1c18befd4f8c2ce613e1d3513d4a3bea1c97e7743eb6dc3cefd25

SHA512
772d00ea2412be53b517558921d82b24bc7a9f5ccb54b8a4d86c86e28f174ac30db6ad173b7dfcf2cdf172e9cce5694d24be0af212fe7e4ba375cd462cfb819d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
b87954c4c3ee5a36b1ea3da7088f427c

SHA1
b44699be18417ae3a737b7a79dc9cefca2a3a7ab

SHA256
0f19b9c62a9b667bb7e082093df2f4a4b11ffaac10b2c73dd654aa1df525be4f

SHA512
ccc5dcb8d8418a28754f052013fe8e355de264421cd0e22887e9a028d1ba2d83e5e32571cbaee994c39ef6f791de1c9394ab1a6c0862f3db2bc62b2d3a03d435

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
cfbac96477f5063cb7f9b4bab4db2522

SHA1
94f3bb739fbeac8e40b13659a6801b760d543db1

SHA256
670d4509af82ba8ed64470cb5562221b10a4c658c2abbf0806ce1208f71b4265

SHA512
1ce1c48c2736372294af5cdc70175e928d58868e30a92e57ae7eb3549bb390e154008a58841a4e624e37827bfa00ddb2631e8d745588dc7d635ebc0363126eba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
3f784c158dfc371f420a26b71216f9ee

SHA1
ab399e0e46307dac67b1bf0a1d33ca8fce702c98

SHA256
e6b27056a7b74bb87556ce0b66b6b65f11b13a40943d20c328f3f88ec111ae25

SHA512
906c05772e5f36065b3744485d1fea1244790d4150c436797963a596c54962434b833b43c0335a416c6837ff463612ea8eb28d3f3bd3c7a79633d7574800c859

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7960bc71bded91acefad99398229465d

SHA1
448d70f6a5fa4d3231f8eb2555fc0d0709b6fa06

SHA256
fb84c5f351f88bc49ab7ad6f0283d99721a4284eb96658914e567b0c8db8cc9d

SHA512
dde30adf4749bf9cc303805cb07283952c63d04fc0aca060cca5f218ac8da874131c0900fe345491486512d5332543db02fb614a3b0d28f9d50fe3cde2ff0248

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
917bb6c7eaa75b0904e3a6680d1d5cfa

SHA1
08b7a8bb8cb41f65eb6364de63b5a73656766cf0

SHA256
f85470ee0e8939b3362e76ae55086330d4fc3e7d7832ab22ef312a408556d17d

SHA512
2fb0e635eda17d55324d673b03d83561cff67c39c28da3c90e7dee32f0960bfb9f55450bb2fd57cc8f178167dde00ca5375550016c170aa7cc3ae88197f52868

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
37dcf2302f2b9272fcd33dadd3a3e1b2

SHA1
dcb6603d8a9b8fa7e985d819422135e6c9290759

SHA256
c16fb71b25c39ac114100a889c89d749fe28950c626a9b43143a491f626d99f0

SHA512
3adac1e144dfc468641bfab71b35933f9c9e198b81057263e257c80e20b3cc65c2555ea1e06e182016be899877018ada65dbe81b19f1b6fabf44eb4daafacfaf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
b457d04cfd7bf173f02ae7ebac838e5c

SHA1
157d2172f83ec760ade89873e1b644e4b9584603

SHA256
9c346c3c9f1be70c195d1f6b1a2d7b911877e962547a48915042739493edd8f8

SHA512
d3f1d53fe03fbf4ccd0c5761829163939bf0415f1038e18214ed207ffc50a2d909f156be40b43a04b1de9bc7e594c917f353ffeff24b05af36b6ddcfe27b9e6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
454e093bc7450c70e5f734ec939be569

SHA1
67c00e869240147da43515d74da8e5f6ec17fac3

SHA256
d15e0b5b625db61651b74e7a2fb90bca8c761d49e7a2aaa960d1fdc7ac33af80

SHA512
3f99884c3e9f8e2b92c9e04dd73d6aab7672a2202fa5b0617fcc63d3be3693b8695fa53730416239ad069624174b6f9721c24e5c1632481735d986d7b5b88ec0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
efbae7d74bca236c6f24ab77637b455a

SHA1
1f74856c3c0e2e17827e17e19752bc96edf0804a

SHA256
791f898c14e881b5f1bb3dd50897b48cd54ba1a3e34c0452936c42a74edd502d

SHA512
dba60fe87638bb113a8ef10d8bf71308f040729ed556f6f1f36b847d23dc21b6d504e88b031ef61b1367aa42c14dbb0d59c96cab05419574a70110a8fc27652a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
30a3716172e4766e6e48c1d92495f261

SHA1
ce9320105a9da4693e27574d170fc6d03c3427ed

SHA256
ea481e0215d8fa0a521bf967259c8857eee1e1f07a378a329f1390a775a99024

SHA512
ff6e48f323ea4d9785759e2fd50910ec5df760cddc9b2e53619082896fdeaac206e5c9a330bccc39e4912d16b5a7ca9c02335e3b8f169d1efb5ee94444335cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
1bf398c1d1cb1c23744787d8cc637df3

SHA1
f7ea03cce649d58c5142d2b546ebac1725c72505

SHA256
c7fbdbf2bab241c8567a977b3d630a1926b004ec43438eb9a49f85e21f62d1d3

SHA512
a5249b983fcf6613b3be5b842fcab8a4a8a58a072b27b9658e56f6fc9987133bdd207e396f824c1a38e5b441bbabcf5dbc487344725d136c60755aa8f27a8a50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b2091e485919800f8f40e7e3e130b896

SHA1
38c4ed3cff411f67beae94d0ab854a09ed0ea7b5

SHA256
b93412ec4b7c81506dfa4a97142553d5c0c806b62607004dea44d3da7538726b

SHA512
23ae575495b1b68551fb5f56e741278615454a339eeb22969dc5db231c62c80a9d448614a03dbe0b206bcbb54d86ec44e2b3dd99ae87dc243aa01f2f7af4344f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
021851fa014791a12e3c96390856712e

SHA1
7e3bfe1a55b17bf41fc14a851a7f953e7f02ea3a

SHA256
5cc2dc1ba55c53481be4adebf1fe65a18d882f10c045e238f65581e92516f93f

SHA512
264cc9a942db49cbd83e94b81c1d03df0e05601913b0067960055b12f50451b63ee3e68214c0bd5675604105b1070cb10d4644dbdce7aa721c4492d363ec547b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b8e401100a729666e43685935d82a2d1

SHA1
cd4d1ddfee508688fdcf4575a058e825f64dbec0

SHA256
63070d72f4ba1de47e95adcef1c3115f33b64904901057d2b690b62caa99feec

SHA512
9e17764900b3f5d420e494a2eb31715e34444bd9cced10e4acf38941fa848ddd2a98ae88d6633c53a989b2d0858a67776c5dd06cc2f373796f20e6249813729c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
e0e9d387694153c5972e2bcb311c0f6d

SHA1
4db2c4dbf44c2541af10fd8b4290b2bb6fde04c3

SHA256
cd2b12af4f3d722dcf5b4c66760e50bbcd50069fcefe13ad827b245b321b7c4c

SHA512
9129dd27b18c6a629f875045e71122cd77c40331766c088ca625aa2e4d661c0d4618e373a8f32332a2321da65c9317b9338469ef07a46b87a7be7fe4e46c7cb4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
732fc91d6b6fe8b07132811247b9cca7

SHA1
f50e82f612dc4f90c9940c378bd7b1d458171503

SHA256
99e051e65a74d553ef8b0f7999bd3a617786e9dff05f6bb4a8d5b3c1bb8b4cda

SHA512
742c54a9e673e2a533f2f5e6144717205846160de05edf2935cd079a1722d6bbed20c91c833049c0c349b0f471b068a651e627b3999860490da368e302ca67c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
b150d19ac331e3eca2d81b56ca39fabb

SHA1
9def9d6859e66086e91982eb8f5db62855523ab2

SHA256
3bd44db9870225971008dd7cc1e33f02c5de23717e55b01989ab3c45828df0b9

SHA512
06b198800df344450409eee10f252abf9941fb6214bb7118c81c8eaef84dc8440e741ebf62ffbc3956aac45c8ca8161e657159fed8cf3d6e705bcc5483561167

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
11e119f58c258d488b19085d1042d477

SHA1
05f64daf24c1f12d2908a50b1dc6f58ee2c68618

SHA256
4fe28504ba67664ec374f876e093935d7b20548449e2c5aa8d2039a9275a9b8e

SHA512
580ae3768cddca5433737f10f03880aa01023736580b0b160c304dd0264cc145bf00e8dc6a25ce78a9832b652fd162143a33f80390ed7b7cc91ffda150cd702a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
0cba17aa1c6738bb59e37bf8ce9d1197

SHA1
d5bcfde4f39c89c8d1c247b276292eb75cac159b

SHA256
eb6887ef9db90b5ccc8a8b954f0bc019b71cb774f568f90f49f19ffc9d5164a5

SHA512
35ee619b82d3be9ddfec55dc6b093440c6c6cfa365b3cf54490d7f61cd3a86bb462e56bc7098f5005379dafdc8a25e34151270c95c17234cdd1ea7e722a43935

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
35144284b979bf19babacd52a90db012

SHA1
1f79192efef45e6df3c7c58243510b340aa3a368

SHA256
30935250d5cd9880b7c5e117b2309896c4a475b44cd943bf9fae8785ba7fd777

SHA512
43b2bd114a5ab026cd258327ba20d37837c80999ace1d2f589bf382d6cd26238e408372c895cb2d34639176d6c72efdb30ba9ca5e164d3f77eabbb62b87dc4c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
712b957d0f33828b747f627a9bbeae56

SHA1
2ef1d3b13a34ff0dac0eaf2f8c3544780050b126

SHA256
ff58a88c1f93b16a11e5e1dc27447d20327c7095ab88050794871c43687f6fa6

SHA512
934bb03340e6126e85f84594f43b18555a9a22380cbb5f82f34d60768440e3bf28beb63c7ec4ca5f188890cbd1643ddc633af5d2c0669d3da10e3e236916ee0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
951ea7f41abe77990531fb4b25afa5f7

SHA1
a22b489a22bd7c5973a56001d1e066e03da9ac17

SHA256
25eab77d97364d2a0a542e33b7c527b39ccadd5ff18dca9605f4f8578c75827b

SHA512
aa56bf08cc5e9ace2605f68e13a855c80e9d2c9e09e0bdc933f50fff84680e476904b7678576d38b255ac52430938a2b6b5a23831f12afa4885ef5807ac226b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
322dd8168b5bafa70c5ac4dd6f645c85

SHA1
99166d2e6a50723e262cc0ddf5ac3bbe1da82d32

SHA256
d017907964c4fa2f147240addb6d4944779583bfca0928e953af23d5a7e710e0

SHA512
2a154e2d345b6df94d99a46af0cb48a24576f434e17a4c529f2ffee34270944c21afdd8cec1073af80c8994b4523832d9de4522eba614f27f05ac2d06d55577d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
bea574313fddae87d601a8abbd2bd789

SHA1
92dfd046657a4b2da69c4ebbe518b5afdcc3f9a6

SHA256
e554717d0ef5463b72761c0c92db32c23bfcf3e951c3ac18b7536eefac6aef4a

SHA512
e3bd62cd8c164dc56dccd0df6992d8cd8501131c1ce42606c99ae2a176f1acc3906bde8f0adf03798754640992f4ebb092b6b99862825a9f4a32cc32ffcc29a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d5d078bafecf913849601414e415988d

SHA1
a865e18f661429121244e1e20d08c0baaaa3f306

SHA256
316a7ec81dc62a31b13a604bf39ce0745a383414800a1247e5aff5c935441b21

SHA512
2e02149fe289f0a893c6e4ca20792bd25137611ff38a214db6788040024ed69022e953297c0588651c78d33bde2422d662ab598b9f4b4b7a9bdfa7eac4148a9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a6e2e7fddd77fbd8a16a1891d3ccba7c

SHA1
37965d43f7c3ba2574bf8da1430b29a3612fff32

SHA256
0d4e5d7780123c5838e4a4e9b5ec54a024e28ba12708d72c3fffb0f4e7bb5ab9

SHA512
98756de3a559a89bdf12168d2a94df6793bf149c03ec3e6ac90eadc69e6dd3a7cdf86b8091d8b2550cbcf32400ae8b58297bfc57db2dfa085f687ef180827c74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
1b8bae46bdef9b3bf4db826efba8e3e5

SHA1
5f7a7f548dfd389248da68e8bb24c6e853696660

SHA256
fc5fa93538bc8890caf442df987768c203fe6e4310650050cda0ff66d1e1db7a

SHA512
958d7415009d6d98350a7f0246abbb43d073aa2b8f082d574f00d3df1a2d84df16da563ef357f017aab192b799ccad9cf869c74c6cb39dec611f1cdf683981bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
993ca8aa51244578db53b94cdd57e84d

SHA1
c94395c843bc0281269f192b83ed95557ac4ab71

SHA256
2d39029032fefcedfd656a3dcacc7dae9f617d89c062c3252d2bc866e7415fd9

SHA512
4e1aac15dfd680f37c23f07e713487d68ecfe2d40dea6ba6407edb2278a90835947076f3a888a23812157d6e33476acaa5bca59082a528df51f3ce6c8e59c9e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
c00451fa11472dda84eca6bcfdaca6bc

SHA1
6184ed1408d2f8d1cdfd5d4ac333065c1efaaefe

SHA256
7526afe2d9d3b968dc6226e8f8d4c0855122f45c09d053921c33421dcc9b0c64

SHA512
d6a4a60dab21d05ed4b6459ba7814ece4cc23d2b59fc90a81b195b533286a5c5e5335e185a82ada4b65f2e02ccbdeb9a1bd5e151c7a80c7aec54edb0fdeb6e44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
8b91b994980ec6929984b36ed1218c28

SHA1
f5036ff84ebd17a5b32a2d1c46f7742872b2f99f

SHA256
1dc55d352aaecffdea588554a32b37a5d90620006149b18d63fee7138902a202

SHA512
7a15cefa6c3c7df8a9d355456f15a0977f90a32b59c37d3ba00cf666bd5c49f4467c251de2506cc7bbd1e6e828e027adcdf25f9b4f5df6b210e8d255cd769d05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
68d0b4731627959007f3ad0cfa3dd196

SHA1
870c10ce71c638c02d12cfa3ae700d752e7a964e

SHA256
442f1ade28e7c461109c896eae62a49832614e9c16336f872a0dbf9e96ca55ac

SHA512
6e501c33fae6f49839fba37e946cca097a0e128e917484fe9217873b1505d30e38d9d6907586fd09a418118ac9dce84127723701b3c3b2e0520f81f0a27eeb17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
e0c3b07609e78c2712333340586748b0

SHA1
10858a8ec0073ef250989753d6132600ffe1a6d2

SHA256
6d3ba3355b44a003b14a796ca0a144936bc53d1d7a837e093c86321c6047380f

SHA512
a8fefe25b046b4c5ad8a946ff195c0f531ab001713ecbfa346644a14f029067d653750b296d6499e796ddb4b34963ce71e13af4af8e5fe5482d5a1a6bcdbcd81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8dbb62994432250448a940bb1afffae2

SHA1
6ef1d9c5a8180394f46cf3fc4e814b86cd59c684

SHA256
ec08c3e8239d2a8318e9cc0737018872bbee67b3f2bbd9b98b7cf3f07b7d3268

SHA512
2a493837ed21cc354bbd4f45d6ab2f65befa8c99bb98aae41f690f2635b38acbe002d61721381eb265e984a0a6a585574ebb9900638cdd5f3c6cc2351b2104fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
097be0c56bedc1e158f6130a57b1877f

SHA1
e641abcf21cc15e92d245652b04c162b4ee00f02

SHA256
801651e771664d3d02e3d5131c7f74de87d41f42ca4dc1f738da8e343b93c7b7

SHA512
1a766a6e35a4413babe61e00bb3a1a56497e3c45f3e5722fe6f442185282413a0c3daee080d1106727bce5ed2972d4dbf92050bb8687e03f1663c5d3c3ad2cdb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
119d9537e2b7c45db877b7d225570010

SHA1
e4550c62578dabb459e992d85e16365bdf4dfdf5

SHA256
bf5022a8a978760c50386d840045519b2734da90bcd0db0c6260d54c59358e86

SHA512
13de83dff39a9b42cf072928e72beecd79c07c13e451f151346d732bf6d76084e6739ae60ed81d37ea16e5bb64ae440f4bfbddc147bb116c55e506e7ba8abc68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
b717ed453df29a497aecdedd20c2ffb8

SHA1
3d7ff483790f2522da5c524afc9ddeac044cc845

SHA256
9e48319b384650651ecdbaf0b9aef6c5d8792a262d0fd1a2f5d2988d40071cb3

SHA512
fe2e9d7abbaca35c415fb4a3dbe12014b5f8269660162dad0c3f5a3960ee36fa92bfcb8329d340c22ee3952c9f0e6bd843174defadb6aab93d13a97461dd4198

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c1d74e53225113e8d37981036c4993e6

SHA1
8371eae39459bcb104d8d63886eeb4efe0175b2b

SHA256
afa4903818593a5a17dadd58ce4ce3c34986173e0ec24363aa56f1833ec37c74

SHA512
b904774a89e16f37dc6ade853c18bdda05c5bce892b1805eb4a232248318a3beea667c444f1f4a2e06500c986d53c7794a611912d8ca476621c74b49f5578704

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
36f9d49aadc69e3f1f5a653cba611e26

SHA1
11fa1f2e3afa2035db41b894acb8e0ff3b960f41

SHA256
99c3e4ed54124b3a2b13ef9270e71dbc51260f52d2c261d111c9ce41974cb69e

SHA512
0721e6acb4b8f180d766378606c132076224b3587d851a6a502d28f032fb68871d55b65d954e2e1a5724fc9ecbe01cfce5cf5d9170231a69ae8e7f034c025c3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c94e115228bb9815f0c82341b4c14374

SHA1
5a270d8493bb85a30fc27d8f37bdb35fd810987a

SHA256
1ef6d89e284059edaefbd3a2b7abd598d809a5c98ac5fa9ab87522f20f0c9a38

SHA512
706b8c601d302ea237d2699338e7c102562ee7399936ea8e35bc262bf88a0be8cf9eac9017a34d8808b20c41a01a66514ec2a443f2e89577c9a774b1064ebfb6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
48c52be3e4f102d58106c6ae40f6aef6

SHA1
61ded48c7f0eb84694745292161aff7abb0c93e9

SHA256
03891069b772e5915f83fc5889b80d1870eac728329d68a4925dba4b05dc4724

SHA512
d3cf3583b0607b791c8ed2507199540ae1e532c2478291570df8d84afbc153d8d3fba9660d8ba5351b12e8f8940b2aa5c103e2262483d8f724adccaed096a16d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b052fb0c082ba27fa12fcbc10384808e

SHA1
5ddadea6eeaf0054e712b3cd4a6da58c265a72ef

SHA256
b78bd52bd29e866d765e16bc669225c1038d6f9b5617cdaa7bffb98fcee73f4e

SHA512
ffd3c53db52dd312d082eda418e234053f5aaa9987cbcc3b937669998e15eb9ff72b2b0079df24c6439a6146e4558c38ac546d1f5da8d525fcac214b622a7b92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d733659e8092094829fd3e9c2b93919b

SHA1
7bf84cea610bbedeffc7575818a44b377c95c827

SHA256
64f0dba911418e69f0477ac0a3c104ec2d2287920fb8c7dbb89bcc67dacf0640

SHA512
b321517451e9580fcc1d1cf7d78b5fb9171a7ea29ee8b8f108298dfbe361a59518d087bdabae62c0b72fb8a31a4e040e97540afd716c029d7959e1084ff32704

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
36247721a112bb549285dab30c0d560c

SHA1
c520e4c00340c28b64dab3773b06afb527820f0a

SHA256
9903209bf20c994ea2262b0b3fa130d55d5cdb4ce06b1d6e026d76b2a8d73384

SHA512
c2ba8ac9f36445eee9f4939480236d47ed98b903a0e5c121bbb13aa46e04207c6bf551b7a1c394eece262d3288706b933ffdcda3bab1fa5baa7c78cffd625b90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
da1cb95be20030c9fd5322e27c87b43f

SHA1
669ad882934000af37289a930c1c1bc5f5148ad8

SHA256
8150b861855eee5132a5f04623e15add7cc3d19bca679bfe061739c73f1a8bde

SHA512
2ca6a71e6d8f18bc82d0570fd2aa4f4899a6f424da92f6423ae8c9d0bb037e2299f3abea1450bd6b295be598e956fcb782ddaeb583d6be1f489e3375eef57421

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
5bd9f444c29593ba61e4887f8576e96a

SHA1
ef05076c0287aae0be09f7363605acf8a75d55d3

SHA256
f594182f3d71b68a172f4c7125c0dfe389afa3e14bacc9041dbbb4661b254ec8

SHA512
d9ac5f258fd279fb8f12a94eceb4ed6b4feacb7506cbc5b8bff04eb831a27f5f377f65861848f984ca081805780a63c990a75c84c93a2535b43a0526fe25fa83

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
9ffda1b7f38ccb92c6f94226730050e3

SHA1
33bac57c45c65e7e8f41f8724b83ac746895c5b6

SHA256
37ddf0a08616afb9f71868a7ebe4b325e629127addee15a1c01386cf66ecc8c1

SHA512
279b3b4c2bcbc7fea7140d7bdb7f87bf37b7911a35d7b1af5a07aeb54ef29a4942a1b93512b15ce6a048db757f3d66e8267b019916947031114468c33a2f7996

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3920955164-3782810283-1225622749-1000\desktop.ini.exe

Filesize
2.4MB

MD5
2e2a262650c4e3d5c9139deaf19650dd

SHA1
a30f7c3518aaa061f0402eccb2e7e387a9a86e72

SHA256
e8d4ef2d198bc37824675a33bf43da8a17e7dd03b762014bcb1fa27143d91ed8

SHA512
d07a7adb74762fbd49829dfbf2191f1c6a22e2f781e636683a280e06a8576931fc68a10ddfa17ac87f16980759cda0eea10a2cf33fcc5a85fa502b2cba85c998

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
2.4MB

MD5
7f85ed34c2991f73da87b61bad2e3369

SHA1
0bd33241d21ad796baf37143d57aa451db620a78

SHA256
85b71d5c18b39035112a77708078dc6b41f984f1e347fc1363ba6610986ec98f

SHA512
efbe94f8f4ea1511e9ab59b061cbd5d10661639d7e11aa63667d9b3947e489a766d75b5855c16e0f80fce5a3daa7051316ed95ffbfa3a1e13182ab5cb2e6ff79

Download Submit
memory/5300-51-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/5300-50-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5300-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5300-1-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/5948-52-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5948-57-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/5948-6-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads