Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report
250427-q9exta1yb1.bin.exe

Overview

General Information

Sample name:250427-q9exta1yb1.bin.exe
Analysis ID:1675474
MD5:c6696696451f913dc22f74439efadb19
SHA1:0e6a32e3ffc562244ef6c5e6bbe9e847068f7c30
SHA256:4eee23b77ca1c379c3cba05fca602cc6a5188fbdaca1f33c8f6e851a75851efa
Tags:user-UNP4CK
Infos:

Detection

Autorun
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Autorun
Changes the view of files in windows explorer (hidden files and folders)
Creates an undocumented autostart registry key
Creates autorun.inf (USB autostart)
Creates files in the recycle bin to hide itself
Drops executables to the windows directory (C:\Windows) and starts them
Checks for available system drives (often done to infect USB drives)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
May infect USB drives
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64
  • 250427-q9exta1yb1.bin.exe (PID: 7752 cmdline: "C:\Users\user\Desktop\250427-q9exta1yb1.bin.exe" MD5: C6696696451F913DC22F74439EFADB19)
    • HelpMe.exe (PID: 7772 cmdline: C:\Windows\system32\HelpMe.exe MD5: 6B45FD669E9F67D0C0E69BAC98268E36)
  • HelpMe.exe (PID: 736 cmdline: "C:\Windows\SysWOW64\HelpMe.exe" MD5: 6B45FD669E9F67D0C0E69BAC98268E36)
  • rundll32.exe (PID: 2848 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Mariposa, AutorunNo Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.mariposa

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
250427-q9exta1yb1.bin.exeJoeSecurity_AutorunYara detected AutorunJoe Security
    250427-q9exta1yb1.bin.exeWindows_Ransomware_Ryuk_878bae7eIdentifies RYUK ransomwareunknown
    • 0xbb2e8:$b2: RyukReadMe.html
    • 0xbb6e4:$b2: RyukReadMe.html
    250427-q9exta1yb1.bin.exeWindows_Ransomware_Ryuk_6c726744Identifies RYUK ransomwareunknown
    • 0xbb070:$a1: 172.16.
    • 0xbb078:$a2: 192.168.
    • 0xd2cf0:$a3: DEL /F
    • 0xbb4b8:$a4: lsaas.exe
    • 0xbbfa5:$a5: delete[]
    • 0xbbfe7:$a5: delete[]
    • 0x18aede:$a5: delete[]
    • 0x18af20:$a5: delete[]
    250427-q9exta1yb1.bin.exeWindows_Ransomware_Ryuk_8ba51798Identifies RYUK ransomwareunknown
    • 0xbb4b8:$c3: lsaas.exe
    • 0xccfb0:$c4: FA_Scheduler
    • 0xc7c68:$c5: ocautoupds
    • 0xca0f8:$c6: CNTAoSMgr
    • 0xd2942:$c7: hrmlog
    • 0xbb308:$c8: UNIQUE_ID_DO_NOT_REMOVE
    • 0xbb574:$c8: UNIQUE_ID_DO_NOT_REMOVE
    • 0xd2f70:$c8: UNIQUE_ID_DO_NOT_REMOVE
    250427-q9exta1yb1.bin.exeWin32_Ransomware_RyukunknownReversingLabs
    • 0xa4428:$encrypt_files_p1: 55 8B EC 81 EC 58 02 00 00 C7 45 F8 00 00 00 00 B8 10 00 00 00 66 89 85 4C FF FF FF 6A 10 6A 00 8D 8D D4 FE FF FF 51 E8 F4 60 00 00 83 C4 0C 68 80 00 00 00 8B 55 08 52 FF 15 F0 D9 16 30 89 85 ...
    • 0xa4658:$encrypt_files_p2: 77 0E 83 7D EC 00 77 16 72 06 83 7D E8 00 77 0E C7 45 E8 D0 07 00 00 C7 45 EC 00 00 00 00 8B 4D F0 89 8D 34 FF FF FF 8B 55 F4 89 95 38 FF FF FF 83 7D F4 00 77 1C 72 06 83 7D F0 19 73 14 8B 45 ...
    • 0xa4888:$encrypt_files_p3: 6A 00 6A 00 6A 00 8B 4D FC 51 FF 15 58 D9 16 30 89 85 3C FF FF FF 83 BD 3C FF FF FF FF 75 0A B8 06 00 00 00 E9 DB 06 00 00 8D 55 F8 52 6A 01 68 10 66 00 00 8B 45 0C 50 FF 15 48 D9 16 30 85 C0 ...
    • 0xa4a10:$encrypt_files_p4: 8B 4D F4 51 8B 55 F0 52 E8 4B 65 00 00 89 45 B0 8B 45 14 89 45 C4 C7 45 DC 40 42 0F 00 C7 45 CC 00 00 00 00 C7 45 C8 00 00 00 00 C7 45 B8 40 42 0F 00 C7 45 E0 00 00 00 00 EB 09 8B 4D E0 83 C1 ...
    • 0xa4c24:$encrypt_files_p5: E9 22 FE FF FF C7 85 E8 FE FF FF 12 00 00 00 8A 0D 32 82 01 30 88 4D 94 33 D2 89 55 95 89 55 99 89 55 9D 89 55 A1 88 55 A5 6A 12 6A 00 8D 45 94 50 E8 EE 58 00 00 83 C4 0C C6 45 D4 48 C6 45 D5 ...
    • 0xa4e1c:$encrypt_files_p6: 45 FC 50 FF 15 08 D9 16 30 8B 4D F8 51 FF 15 DC D8 16 30 B8 14 00 00 00 E9 53 01 00 00 C7 45 AC 00 00 00 00 6A 00 8D 55 AC 52 8B 45 90 50 8D 8D A8 FD FF FF 51 8B 55 FC 52 FF 15 A4 D9 16 30 89 ...
    • 0xa5cf8:$remote_connection: 55 8B EC 81 EC 80 04 00 00 8B 45 08 C7 00 00 00 00 00 C7 40 04 00 00 00 00 C7 45 C4 00 00 00 00 C7 45 C8 00 00 00 00 8D 4D C4 51 6A 00 6A 00 6A 00 6A 02 E8 3A 51 00 00 89 45 A8 6A 04 68 00 10 ...
    • 0xb30bb:$find_files_p1: 8B FF 55 8B EC 51 8B 4D 08 53 57 33 DB 8D 51 02 66 8B 01 83 C1 02 66 3B C3 75 F5 8B 7D 10 2B CA D1 F9 83 C8 FF 41 2B C7 89 4D FC 3B C8 76 05 6A 0C 58 EB 57 56 8D 5F 01 03 D9 6A 02 53 E8 25 D3 ...
    • 0xb31ef:$find_files_p2: EB 03 33 C0 40 2B CB 0F B6 C0 D1 F9 41 F7 D8 68 50 02 00 00 1B C0 23 C1 89 85 A4 FD FF FF 8D 85 AC FD FF FF 57 50 E8 2E 73 FF FF 83 C4 0C 8D 85 AC FD FF FF 57 57 57 50 57 53 FF 15 88 81 01 30 ...

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\ProgramData\.curlrc.exeJoeSecurity_AutorunYara detected AutorunJoe Security
      C:\ProgramData\.curlrc.exeWindows_Ransomware_Ryuk_878bae7eIdentifies RYUK ransomwareunknown
      • 0xbb2e8:$b2: RyukReadMe.html
      • 0xbb6e4:$b2: RyukReadMe.html
      C:\ProgramData\.curlrc.exeWindows_Ransomware_Ryuk_6c726744Identifies RYUK ransomwareunknown
      • 0xbb070:$a1: 172.16.
      • 0xbb078:$a2: 192.168.
      • 0xd2cf0:$a3: DEL /F
      • 0xbb4b8:$a4: lsaas.exe
      • 0xbbfa5:$a5: delete[]
      • 0xbbfe7:$a5: delete[]
      • 0x18aede:$a5: delete[]
      • 0x18af20:$a5: delete[]
      C:\ProgramData\.curlrc.exeWindows_Ransomware_Ryuk_8ba51798Identifies RYUK ransomwareunknown
      • 0xbb4b8:$c3: lsaas.exe
      • 0xccfb0:$c4: FA_Scheduler
      • 0xc7c68:$c5: ocautoupds
      • 0xca0f8:$c6: CNTAoSMgr
      • 0xd2942:$c7: hrmlog
      • 0xbb308:$c8: UNIQUE_ID_DO_NOT_REMOVE
      • 0xbb574:$c8: UNIQUE_ID_DO_NOT_REMOVE
      • 0xd2f70:$c8: UNIQUE_ID_DO_NOT_REMOVE
      C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exeJoeSecurity_AutorunYara detected AutorunJoe Security
        Click to see the 30 entries

        Memory Dumps

        SourceRuleDescriptionAuthorStrings
        00000000.00000000.1140117456.0000000000401000.00000008.00000001.01000000.00000003.sdmpJoeSecurity_AutorunYara detected AutorunJoe Security
          Process Memory Space: 250427-q9exta1yb1.bin.exe PID: 7752JoeSecurity_AutorunYara detected AutorunJoe Security

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.0.250427-q9exta1yb1.bin.exe.400000.0.unpackJoeSecurity_AutorunYara detected AutorunJoe Security

              Sigma Signatures

              System Summary

              barindex
              Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exe, ProcessId: 7752, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

              Suricata Signatures

              No Suricata rule has matched

              Joe Sandbox Signatures

              • AV Detection
              • Compliance
              • Spreading
              • Networking
              • System Summary
              • Data Obfuscation
              • Persistence and Installation Behavior
              • Boot Survival
              • Hooking and other Techniques for Hiding and Protection
              • Malware Analysis System Evasion
              • Language, Device and Operating System Detection

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Source: 250427-q9exta1yb1.bin.exeAvira: detected
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exeAvira: detection malicious, Label: TR/Crypt.ASPM.Gen
              Source: C:\AUTORUN.INF.exeAvira: detection malicious, Label: TR/Crypt.ASPM.Gen
              Source: C:\ProgramData\.curlrc.exeAvira: detection malicious, Label: TR/Crypt.ASPM.Gen
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exeAvira: detection malicious, Label: TR/Crypt.ASPM.Gen
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exeAvira: detection malicious, Label: TR/Crypt.ASPM.Gen
              Source: C:\AutoRun.exeAvira: detection malicious, Label: TR/Crypt.ASPM.Gen
              Source: C:\Windows\SysWOW64\HelpMe.exeAvira: detection malicious, Label: TR/Crypt.ASPM.Gen
              Source: C:\AutoRun.exeReversingLabs: Detection: 91%
              Source: C:\Windows\SysWOW64\HelpMe.exeReversingLabs: Detection: 92%
              Source: 250427-q9exta1yb1.bin.exeVirustotal: Detection: 87%Perma Link
              Source: 250427-q9exta1yb1.bin.exeReversingLabs: Detection: 91%
              Source: 250427-q9exta1yb1.bin.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

              Spreading

              barindex
              Source: Yara matchFile source: 250427-q9exta1yb1.bin.exe, type: SAMPLE
              Source: Yara matchFile source: 0.0.250427-q9exta1yb1.bin.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000000.1140117456.0000000000401000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: 250427-q9exta1yb1.bin.exe PID: 7752, type: MEMORYSTR
              Source: Yara matchFile source: C:\ProgramData\.curlrc.exe, type: DROPPED
              Source: Yara matchFile source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPED
              Source: Yara matchFile source: C:\AUTORUN.INF.exe, type: DROPPED
              Source: Yara matchFile source: C:\AutoRun.exe, type: DROPPED
              Source: Yara matchFile source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPED
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile created: C:\AUTORUN.INFJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: z:Jump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: x:Jump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: v:Jump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: t:Jump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: r:Jump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: p:Jump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: n:Jump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: l:Jump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: j:Jump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: h:Jump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: f:Jump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: b:Jump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: y:Jump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: w:Jump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: u:Jump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: s:Jump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: q:Jump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: o:Jump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: m:Jump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: k:Jump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: i:Jump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: g:Jump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: e:Jump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: c:Jump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeFile opened: a:Jump to behavior
              Source: 250427-q9exta1yb1.bin.exe, 00000000.00000000.1140117456.0000000000401000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: :\AUTORUN.INF
              Source: 250427-q9exta1yb1.bin.exe, 00000000.00000002.2386122907.00000000001F0000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: AUTORUN.INFC:\W
              Source: 250427-q9exta1yb1.bin.exe, 00000000.00000003.1191397007.0000000004930000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: [autorun]
              Source: 250427-q9exta1yb1.bin.exe, 00000000.00000002.2387073222.00000000022B0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: C:\AUTORUN.INF
              Source: 250427-q9exta1yb1.bin.exe, 00000000.00000002.2387073222.00000000022B0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: C:\AUTORUN.INFN
              Source: 250427-q9exta1yb1.bin.exe, 00000000.00000003.1191450520.0000000004930000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: [autorun]
              Source: 250427-q9exta1yb1.bin.exe, 00000000.00000003.1191476802.0000000004930000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: [autorun]
              Source: 250427-q9exta1yb1.bin.exe, 00000000.00000003.1191422995.0000000004930000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: [autorun]
              Source: HelpMe.exe, 00000001.00000002.2387348712.00000000021D0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: C:\AUTORUN.INF
              Source: HelpMe.exe, 00000009.00000002.2386387554.000000000064B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\AUTORUN.INF
              Source: HelpMe.exe, 00000009.00000002.2386955865.00000000020D0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: C:\AUTORUN.INF
              Source: 250427-q9exta1yb1.bin.exeBinary or memory string: :\AUTORUN.INF
              Source: 250427-q9exta1yb1.bin.exeBinary or memory string: [autorun]
              Source: 250427-q9exta1yb1.bin.exeBinary or memory string: AUTORUN.INF
              Source: 250427-q9exta1yb1.bin.exeBinary or memory string: AUTORUN.INF(t
              Source: 250427-q9exta1yb1.bin.exeBinary or memory string: AUTORUN.INFx
              Source: 250427-q9exta1yb1.bin.exeBinary or memory string: A@p[autorun]
              Source: 250427-q9exta1yb1.bin.exeBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: 250427-q9exta1yb1.bin.exeBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000110","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: 250427-q9exta1yb1.bin.exeBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000120","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: 250427-q9exta1yb1.bin.exeBinary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: 250427-q9exta1yb1.bin.exeBinary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: 250427-q9exta1yb1.bin.exeBinary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: 250427-q9exta1yb1.bin.exeBinary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: 250427-q9exta1yb1.bin.exeBinary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: 250427-q9exta1yb1.bin.exeBinary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: 250427-q9exta1yb1.bin.exeBinary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: 250427-q9exta1yb1.bin.exeBinary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: 250427-q9exta1yb1.bin.exeBinary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: 250427-q9exta1yb1.bin.exeBinary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: 250427-q9exta1yb1.bin.exeBinary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: 250427-q9exta1yb1.bin.exeBinary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe1.0.drBinary or memory string: :\AUTORUN.INF
              Source: desktop.ini.exe1.0.drBinary or memory string: [autorun]
              Source: desktop.ini.exe1.0.drBinary or memory string: AUTORUN.INF
              Source: desktop.ini.exe1.0.drBinary or memory string: AUTORUN.INF(t
              Source: desktop.ini.exe1.0.drBinary or memory string: AUTORUN.INFx
              Source: desktop.ini.exe1.0.drBinary or memory string: A@p[autorun]
              Source: desktop.ini.exe1.0.drBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe1.0.drBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000110","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe1.0.drBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000120","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: desktop.ini.exe1.0.drBinary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe1.0.drBinary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe1.0.drBinary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe1.0.drBinary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe1.0.drBinary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: desktop.ini.exe1.0.drBinary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe1.0.drBinary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe1.0.drBinary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe1.0.drBinary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe1.0.drBinary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: desktop.ini.exe1.0.drBinary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe1.0.drBinary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: AUTORUN.INF.exe.0.drBinary or memory string: :\AUTORUN.INF
              Source: AUTORUN.INF.exe.0.drBinary or memory string: [autorun]
              Source: AUTORUN.INF.exe.0.drBinary or memory string: AUTORUN.INF
              Source: AUTORUN.INF.exe.0.drBinary or memory string: AUTORUN.INF(t
              Source: AUTORUN.INF.exe.0.drBinary or memory string: AUTORUN.INFx
              Source: AUTORUN.INF.exe.0.drBinary or memory string: A@p[autorun]
              Source: AUTORUN.INF.exe.0.drBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: AUTORUN.INF.exe.0.drBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000110","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: AUTORUN.INF.exe.0.drBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000120","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: AUTORUN.INF.exe.0.drBinary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: AUTORUN.INF.exe.0.drBinary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: AUTORUN.INF.exe.0.drBinary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: AUTORUN.INF.exe.0.drBinary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: AUTORUN.INF.exe.0.drBinary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: AUTORUN.INF.exe.0.drBinary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: AUTORUN.INF.exe.0.drBinary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: AUTORUN.INF.exe.0.drBinary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: AUTORUN.INF.exe.0.drBinary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: AUTORUN.INF.exe.0.drBinary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: AUTORUN.INF.exe.0.drBinary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: AUTORUN.INF.exe.0.drBinary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: AUTORUN.INF.exe.0.drBinary or memory string: @@[autorun]
              Source: AUTORUN.INF.exe.0.drBinary or memory string: 3'AUTORUN.INFD
              Source: .curlrc.exe.0.drBinary or memory string: :\AUTORUN.INF
              Source: .curlrc.exe.0.drBinary or memory string: [autorun]
              Source: .curlrc.exe.0.drBinary or memory string: AUTORUN.INF
              Source: .curlrc.exe.0.drBinary or memory string: AUTORUN.INF(t
              Source: .curlrc.exe.0.drBinary or memory string: AUTORUN.INFx
              Source: .curlrc.exe.0.drBinary or memory string: A@p[autorun]
              Source: .curlrc.exe.0.drBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: .curlrc.exe.0.drBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000110","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: .curlrc.exe.0.drBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000120","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: .curlrc.exe.0.drBinary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: .curlrc.exe.0.drBinary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: .curlrc.exe.0.drBinary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: .curlrc.exe.0.drBinary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: .curlrc.exe.0.drBinary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: .curlrc.exe.0.drBinary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: .curlrc.exe.0.drBinary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: .curlrc.exe.0.drBinary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: .curlrc.exe.0.drBinary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: .curlrc.exe.0.drBinary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: .curlrc.exe.0.drBinary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: .curlrc.exe.0.drBinary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: AUTORUN.INF.0.drBinary or memory string: [autorun]
              Source: desktop.ini.exe0.0.drBinary or memory string: :\AUTORUN.INF
              Source: desktop.ini.exe0.0.drBinary or memory string: [autorun]
              Source: desktop.ini.exe0.0.drBinary or memory string: AUTORUN.INF
              Source: desktop.ini.exe0.0.drBinary or memory string: AUTORUN.INF(t
              Source: desktop.ini.exe0.0.drBinary or memory string: AUTORUN.INFx
              Source: desktop.ini.exe0.0.drBinary or memory string: A@p[autorun]
              Source: desktop.ini.exe0.0.drBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe0.0.drBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000110","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe0.0.drBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000120","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: desktop.ini.exe0.0.drBinary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe0.0.drBinary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe0.0.drBinary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe0.0.drBinary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe0.0.drBinary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: desktop.ini.exe0.0.drBinary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe0.0.drBinary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe0.0.drBinary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe0.0.drBinary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe0.0.drBinary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: desktop.ini.exe0.0.drBinary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe0.0.drBinary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe.0.drBinary or memory string: :\AUTORUN.INF
              Source: desktop.ini.exe.0.drBinary or memory string: [autorun]
              Source: desktop.ini.exe.0.drBinary or memory string: AUTORUN.INF
              Source: desktop.ini.exe.0.drBinary or memory string: AUTORUN.INF(t
              Source: desktop.ini.exe.0.drBinary or memory string: AUTORUN.INFx
              Source: desktop.ini.exe.0.drBinary or memory string: A@p[autorun]
              Source: desktop.ini.exe.0.drBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe.0.drBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000110","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe.0.drBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000120","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: desktop.ini.exe.0.drBinary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe.0.drBinary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe.0.drBinary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe.0.drBinary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe.0.drBinary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: desktop.ini.exe.0.drBinary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe.0.drBinary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe.0.drBinary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe.0.drBinary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe.0.drBinary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: desktop.ini.exe.0.drBinary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe.0.drBinary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: AutoRun.exe.0.drBinary or memory string: :\AUTORUN.INF
              Source: AutoRun.exe.0.drBinary or memory string: [autorun]
              Source: AutoRun.exe.0.drBinary or memory string: AUTORUN.INF
              Source: AutoRun.exe.0.drBinary or memory string: AUTORUN.INF(t
              Source: AutoRun.exe.0.drBinary or memory string: AUTORUN.INFx
              Source: AutoRun.exe.0.drBinary or memory string: A@p[autorun]
              Source: AutoRun.exe.0.drBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: AutoRun.exe.0.drBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000110","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: AutoRun.exe.0.drBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000120","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: AutoRun.exe.0.drBinary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: AutoRun.exe.0.drBinary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: AutoRun.exe.0.drBinary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: AutoRun.exe.0.drBinary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: AutoRun.exe.0.drBinary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: AutoRun.exe.0.drBinary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: AutoRun.exe.0.drBinary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: AutoRun.exe.0.drBinary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: AutoRun.exe.0.drBinary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: AutoRun.exe.0.drBinary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: AutoRun.exe.0.drBinary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: AutoRun.exe.0.drBinary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: HelpMe.exe.0.drBinary or memory string: :\AUTORUN.INF
              Source: HelpMe.exe.0.drBinary or memory string: [autorun]
              Source: HelpMe.exe.0.drBinary or memory string: AUTORUN.INF
              Source: HelpMe.exe.0.drBinary or memory string: AUTORUN.INF(t
              Source: HelpMe.exe.0.drBinary or memory string: AUTORUN.INFx
              Source: HelpMe.exe.0.drBinary or memory string: A@p[autorun]
              Source: HelpMe.exe.0.drBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: HelpMe.exe.0.drBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000110","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: HelpMe.exe.0.drBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000120","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: HelpMe.exe.0.drBinary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: HelpMe.exe.0.drBinary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: HelpMe.exe.0.drBinary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: HelpMe.exe.0.drBinary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: HelpMe.exe.0.drBinary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: HelpMe.exe.0.drBinary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: HelpMe.exe.0.drBinary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: HelpMe.exe.0.drBinary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: HelpMe.exe.0.drBinary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: HelpMe.exe.0.drBinary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: HelpMe.exe.0.drBinary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: HelpMe.exe.0.drBinary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile opened: C:\Users\userJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile opened: C:\Users\user\AppDataJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
              Source: 250427-q9exta1yb1.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
              Source: 250427-q9exta1yb1.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.drString found in binary or memory: http://evcs-aia.ws.symantec.com/evcs.cer0
              Source: 250427-q9exta1yb1.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.drString found in binary or memory: http://evcs-crl.ws.symantec.com/evcs.crl0
              Source: 250427-q9exta1yb1.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.drString found in binary or memory: http://evcs-ocsp.ws.symantec.com04
              Source: 250427-q9exta1yb1.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.drString found in binary or memory: http://ocsp.thawte.com0
              Source: 250427-q9exta1yb1.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
              Source: 250427-q9exta1yb1.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
              Source: 250427-q9exta1yb1.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
              Source: 250427-q9exta1yb1.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.drString found in binary or memory: http://www.symauth.com/cps0(
              Source: 250427-q9exta1yb1.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.drString found in binary or memory: http://www.symauth.com/cps09
              Source: 250427-q9exta1yb1.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.drString found in binary or memory: http://www.symauth.com/rpa04
              Source: 250427-q9exta1yb1.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.drString found in binary or memory: http://www.xcat-industries.com/forumNWebsite:
              Source: 250427-q9exta1yb1.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.drString found in binary or memory: http://www.xcat-industries.comD(C)opyright

              System Summary

              barindex
              Source: 250427-q9exta1yb1.bin.exe, type: SAMPLEMatched rule: Identifies RYUK ransomware Author: unknown
              Source: 250427-q9exta1yb1.bin.exe, type: SAMPLEMatched rule: Identifies RYUK ransomware Author: unknown
              Source: 250427-q9exta1yb1.bin.exe, type: SAMPLEMatched rule: Identifies RYUK ransomware Author: unknown
              Source: 250427-q9exta1yb1.bin.exe, type: SAMPLEMatched rule: Win32_Ransomware_Ryuk Author: ReversingLabs
              Source: C:\ProgramData\.curlrc.exe, type: DROPPEDMatched rule: Identifies RYUK ransomware Author: unknown
              Source: C:\ProgramData\.curlrc.exe, type: DROPPEDMatched rule: Identifies RYUK ransomware Author: unknown
              Source: C:\ProgramData\.curlrc.exe, type: DROPPEDMatched rule: Identifies RYUK ransomware Author: unknown
              Source: C:\ProgramData\.curlrc.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk Author: ReversingLabs
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Identifies RYUK ransomware Author: unknown
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Identifies RYUK ransomware Author: unknown
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Identifies RYUK ransomware Author: unknown
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk Author: ReversingLabs
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk Author: ReversingLabs
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk Author: ReversingLabs
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk Author: ReversingLabs
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk Author: ReversingLabs
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk Author: ReversingLabs
              Source: C:\AUTORUN.INF.exe, type: DROPPEDMatched rule: Identifies RYUK ransomware Author: unknown
              Source: C:\AUTORUN.INF.exe, type: DROPPEDMatched rule: Identifies RYUK ransomware Author: unknown
              Source: C:\AUTORUN.INF.exe, type: DROPPEDMatched rule: Identifies RYUK ransomware Author: unknown
              Source: C:\AUTORUN.INF.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk Author: ReversingLabs
              Source: C:\AutoRun.exe, type: DROPPEDMatched rule: Identifies RYUK ransomware Author: unknown
              Source: C:\AutoRun.exe, type: DROPPEDMatched rule: Identifies RYUK ransomware Author: unknown
              Source: C:\AutoRun.exe, type: DROPPEDMatched rule: Identifies RYUK ransomware Author: unknown
              Source: C:\AutoRun.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk Author: ReversingLabs
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPEDMatched rule: Identifies RYUK ransomware Author: unknown
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPEDMatched rule: Identifies RYUK ransomware Author: unknown
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPEDMatched rule: Identifies RYUK ransomware Author: unknown
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk Author: ReversingLabs
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk Author: ReversingLabs
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk Author: ReversingLabs
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk Author: ReversingLabs
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk Author: ReversingLabs
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk Author: ReversingLabs
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile created: C:\Windows\SysWOW64\HelpMe.exeJump to behavior
              Source: desktop.ini.exe1.0.drStatic PE information: Number of sections : 11 > 10
              Source: HelpMe.exe.0.drStatic PE information: Number of sections : 11 > 10
              Source: desktop.ini.exe0.0.drStatic PE information: Number of sections : 11 > 10
              Source: desktop.ini.exe.0.drStatic PE information: Number of sections : 11 > 10
              Source: AUTORUN.INF.exe.0.drStatic PE information: Number of sections : 11 > 10
              Source: 250427-q9exta1yb1.bin.exeStatic PE information: Number of sections : 11 > 10
              Source: .curlrc.exe.0.drStatic PE information: Number of sections : 11 > 10
              Source: AutoRun.exe.0.drStatic PE information: Number of sections : 11 > 10
              Source: 250427-q9exta1yb1.bin.exeBinary or memory string: OriginalFilenameantishutdown.exe vs 250427-q9exta1yb1.bin.exe
              Source: 250427-q9exta1yb1.bin.exeBinary or memory string: OriginalFilenameArmInst.dllf# vs 250427-q9exta1yb1.bin.exe
              Source: 250427-q9exta1yb1.bin.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
              Source: 250427-q9exta1yb1.bin.exe, type: SAMPLEMatched rule: Windows_Ransomware_Ryuk_878bae7e os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = 93a501463bb2320a9ab824d70333da2b6f635eb5958d6f8de43fde3a21de2298, id = 878bae7e-1e53-4648-93aa-b4075eef256d, last_modified = 2021-08-23
              Source: 250427-q9exta1yb1.bin.exe, type: SAMPLEMatched rule: Windows_Ransomware_Ryuk_6c726744 os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = d0a4608907e48d02d78ff40a59d47cad1b9258df31b7312dd1a85f8fee2a28d5, id = 6c726744-acdb-443a-b683-b11f8b657f7a, last_modified = 2021-08-23
              Source: 250427-q9exta1yb1.bin.exe, type: SAMPLEMatched rule: Windows_Ransomware_Ryuk_8ba51798 os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = 8e284bc6015502577a6ddd140b9cd110fd44d4d2cb55d0fdec5bebf3356fd7b3, id = 8ba51798-15d7-4f02-97fa-1844465ae9d8, last_modified = 2021-08-23
              Source: 250427-q9exta1yb1.bin.exe, type: SAMPLEMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\ProgramData\.curlrc.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_878bae7e os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = 93a501463bb2320a9ab824d70333da2b6f635eb5958d6f8de43fde3a21de2298, id = 878bae7e-1e53-4648-93aa-b4075eef256d, last_modified = 2021-08-23
              Source: C:\ProgramData\.curlrc.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_6c726744 os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = d0a4608907e48d02d78ff40a59d47cad1b9258df31b7312dd1a85f8fee2a28d5, id = 6c726744-acdb-443a-b683-b11f8b657f7a, last_modified = 2021-08-23
              Source: C:\ProgramData\.curlrc.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_8ba51798 os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = 8e284bc6015502577a6ddd140b9cd110fd44d4d2cb55d0fdec5bebf3356fd7b3, id = 8ba51798-15d7-4f02-97fa-1844465ae9d8, last_modified = 2021-08-23
              Source: C:\ProgramData\.curlrc.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_878bae7e os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = 93a501463bb2320a9ab824d70333da2b6f635eb5958d6f8de43fde3a21de2298, id = 878bae7e-1e53-4648-93aa-b4075eef256d, last_modified = 2021-08-23
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_6c726744 os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = d0a4608907e48d02d78ff40a59d47cad1b9258df31b7312dd1a85f8fee2a28d5, id = 6c726744-acdb-443a-b683-b11f8b657f7a, last_modified = 2021-08-23
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_8ba51798 os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = 8e284bc6015502577a6ddd140b9cd110fd44d4d2cb55d0fdec5bebf3356fd7b3, id = 8ba51798-15d7-4f02-97fa-1844465ae9d8, last_modified = 2021-08-23
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\AUTORUN.INF.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_878bae7e os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = 93a501463bb2320a9ab824d70333da2b6f635eb5958d6f8de43fde3a21de2298, id = 878bae7e-1e53-4648-93aa-b4075eef256d, last_modified = 2021-08-23
              Source: C:\AUTORUN.INF.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_6c726744 os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = d0a4608907e48d02d78ff40a59d47cad1b9258df31b7312dd1a85f8fee2a28d5, id = 6c726744-acdb-443a-b683-b11f8b657f7a, last_modified = 2021-08-23
              Source: C:\AUTORUN.INF.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_8ba51798 os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = 8e284bc6015502577a6ddd140b9cd110fd44d4d2cb55d0fdec5bebf3356fd7b3, id = 8ba51798-15d7-4f02-97fa-1844465ae9d8, last_modified = 2021-08-23
              Source: C:\AUTORUN.INF.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\AutoRun.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_878bae7e os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = 93a501463bb2320a9ab824d70333da2b6f635eb5958d6f8de43fde3a21de2298, id = 878bae7e-1e53-4648-93aa-b4075eef256d, last_modified = 2021-08-23
              Source: C:\AutoRun.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_6c726744 os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = d0a4608907e48d02d78ff40a59d47cad1b9258df31b7312dd1a85f8fee2a28d5, id = 6c726744-acdb-443a-b683-b11f8b657f7a, last_modified = 2021-08-23
              Source: C:\AutoRun.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_8ba51798 os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = 8e284bc6015502577a6ddd140b9cd110fd44d4d2cb55d0fdec5bebf3356fd7b3, id = 8ba51798-15d7-4f02-97fa-1844465ae9d8, last_modified = 2021-08-23
              Source: C:\AutoRun.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_878bae7e os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = 93a501463bb2320a9ab824d70333da2b6f635eb5958d6f8de43fde3a21de2298, id = 878bae7e-1e53-4648-93aa-b4075eef256d, last_modified = 2021-08-23
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_6c726744 os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = d0a4608907e48d02d78ff40a59d47cad1b9258df31b7312dd1a85f8fee2a28d5, id = 6c726744-acdb-443a-b683-b11f8b657f7a, last_modified = 2021-08-23
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_8ba51798 os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = 8e284bc6015502577a6ddd140b9cd110fd44d4d2cb55d0fdec5bebf3356fd7b3, id = 8ba51798-15d7-4f02-97fa-1844465ae9d8, last_modified = 2021-08-23
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 250427-q9exta1yb1.bin.exeStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: HelpMe.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: AutoRun.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: desktop.ini.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: desktop.ini.exe0.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: desktop.ini.exe1.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: AUTORUN.INF.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: .curlrc.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: 250427-q9exta1yb1.bin.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
              Source: HelpMe.exe.0.drStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
              Source: AutoRun.exe.0.drStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
              Source: desktop.ini.exe.0.drStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
              Source: desktop.ini.exe0.0.drStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
              Source: desktop.ini.exe1.0.drStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
              Source: AUTORUN.INF.exe.0.drStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
              Source: .curlrc.exe.0.drStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
              Source: HelpMe.exe.0.drBinary string: \Device\PhysicalMemorySV
              Source: 250427-q9exta1yb1.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.drBinary or memory string: @P@*\AE:\vbprojects\shutdownstop\Project1.vbp
              Source: classification engineClassification label: mal100.spre.evad.winEXE@5/14@0/0
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnkJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile created: C:\Users\user\AppData\Local\Temp\BindJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile read: C:\Users\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
              Source: 250427-q9exta1yb1.bin.exeVirustotal: Detection: 87%
              Source: 250427-q9exta1yb1.bin.exeReversingLabs: Detection: 91%
              Source: 250427-q9exta1yb1.bin.exeString found in binary or memory: <InstallPath>C:\Program Files (x86)\Adobe\Reader 8.0\Reader</InstallPath>
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile read: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exe "C:\Users\user\Desktop\250427-q9exta1yb1.bin.exe"
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeProcess created: C:\Windows\SysWOW64\HelpMe.exe C:\Windows\system32\HelpMe.exe
              Source: unknownProcess created: C:\Windows\SysWOW64\HelpMe.exe "C:\Windows\SysWOW64\HelpMe.exe"
              Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeProcess created: C:\Windows\SysWOW64\HelpMe.exe C:\Windows\system32\HelpMe.exeJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeSection loaded: textinputframework.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeSection loaded: coreuicomponents.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeSection loaded: linkinfo.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeSection loaded: ntshrui.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeSection loaded: cscapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: textinputframework.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: coreuicomponents.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: linkinfo.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: ntshrui.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: cscapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: textinputframework.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: coreuicomponents.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
              Source: Soft.lnk.0.drLNK file: ..\..\..\..\..\..\..\..\..\Windows\SysWOW64\HelpMe.exe
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeAutomated click: OK
              Source: C:\Windows\SysWOW64\HelpMe.exeAutomated click: OK
              Source: C:\Windows\SysWOW64\HelpMe.exeAutomated click: OK
              Source: 250427-q9exta1yb1.bin.exeStatic file information: File size 2569149 > 1048576
              Source: 250427-q9exta1yb1.bin.exeStatic PE information: section name: .aspack
              Source: 250427-q9exta1yb1.bin.exeStatic PE information: section name: .adata
              Source: 250427-q9exta1yb1.bin.exeStatic PE information: section name: .SCY
              Source: HelpMe.exe.0.drStatic PE information: section name: .aspack
              Source: HelpMe.exe.0.drStatic PE information: section name: .adata
              Source: HelpMe.exe.0.drStatic PE information: section name: .SCY
              Source: AutoRun.exe.0.drStatic PE information: section name: .aspack
              Source: AutoRun.exe.0.drStatic PE information: section name: .adata
              Source: AutoRun.exe.0.drStatic PE information: section name: .SCY
              Source: desktop.ini.exe.0.drStatic PE information: section name: .aspack
              Source: desktop.ini.exe.0.drStatic PE information: section name: .adata
              Source: desktop.ini.exe.0.drStatic PE information: section name: .SCY
              Source: desktop.ini.exe0.0.drStatic PE information: section name: .aspack
              Source: desktop.ini.exe0.0.drStatic PE information: section name: .adata
              Source: desktop.ini.exe0.0.drStatic PE information: section name: .SCY
              Source: desktop.ini.exe1.0.drStatic PE information: section name: .aspack
              Source: desktop.ini.exe1.0.drStatic PE information: section name: .adata
              Source: desktop.ini.exe1.0.drStatic PE information: section name: .SCY
              Source: AUTORUN.INF.exe.0.drStatic PE information: section name: .aspack
              Source: AUTORUN.INF.exe.0.drStatic PE information: section name: .adata
              Source: AUTORUN.INF.exe.0.drStatic PE information: section name: .SCY
              Source: .curlrc.exe.0.drStatic PE information: section name: .aspack
              Source: .curlrc.exe.0.drStatic PE information: section name: .adata
              Source: .curlrc.exe.0.drStatic PE information: section name: .SCY

              Persistence and Installation Behavior

              barindex
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeExecutable created and started: C:\Windows\SysWOW64\HelpMe.exeJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini (copy)Jump to dropped file
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exeJump to dropped file
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini.exeJump to dropped file
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile created: C:\ProgramData\.curlrc.exeJump to dropped file
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile created: C:\AUTORUN.INF.exeJump to dropped file
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile created: C:\Documents and Settings\All Users\.curlrc (copy)Jump to dropped file
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini.exeJump to dropped file
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile created: C:\Windows\SysWOW64\HelpMe.exeJump to dropped file
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini (copy)Jump to dropped file
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini (copy)Jump to dropped file
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile created: C:\AutoRun.exeJump to dropped file
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile created: C:\ProgramData\.curlrc.exeJump to dropped file
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile created: C:\Windows\SysWOW64\HelpMe.exeJump to dropped file

              Boot Survival

              barindex
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon ShellJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnkJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnkJump to behavior

              Hooking and other Techniques for Hiding and Protection

              barindex
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL CheckedValueJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exeJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeDropped PE file which has not been started: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini (copy)Jump to dropped file
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeDropped PE file which has not been started: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exeJump to dropped file
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeDropped PE file which has not been started: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini.exeJump to dropped file
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeDropped PE file which has not been started: C:\ProgramData\.curlrc.exeJump to dropped file
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeDropped PE file which has not been started: C:\AUTORUN.INF.exeJump to dropped file
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeDropped PE file which has not been started: C:\Documents and Settings\All Users\.curlrc (copy)Jump to dropped file
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeDropped PE file which has not been started: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini.exeJump to dropped file
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeDropped PE file which has not been started: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini (copy)Jump to dropped file
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeDropped PE file which has not been started: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini (copy)Jump to dropped file
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile opened: C:\Users\userJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile opened: C:\Users\user\AppDataJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
              Source: 250427-q9exta1yb1.bin.exe, 00000000.00000002.2386294423.00000000004DD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volum
              Source: 250427-q9exta1yb1.bin.exe, 00000000.00000002.2386294423.00000000004DD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: 250427-q9exta1yb1.bin.exe, 00000000.00000002.2386294423.00000000004DD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\_}
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\250427-q9exta1yb1.bin.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire Infrastructure12
              Replication Through Removable Media              		2
              Command and Scripting Interpreter              		1
              DLL Side-Loading              		1
              Process Injection              		121
              Masquerading              		OS Credential Dumping11
              Security Software Discovery              		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault AccountsScheduled Task/Job12
              Registry Run Keys / Startup Folder              		1
              DLL Side-Loading              		1
              Rundll32              		LSASS Memory11
              Peripheral Device Discovery              		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)12
              Registry Run Keys / Startup Folder              		1
              Process Injection              		Security Account Manager2
              File and Directory Discovery              		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook2
              Hidden Files and Directories              		NTDS11
              System Information Discovery              		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              DLL Side-Loading              		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 signatures2 2 Behavior Graph ID: 1675474 Sample: 250427-q9exta1yb1.bin.exe Startdate: 27/04/2025 Architecture: WINDOWS Score: 100 25 Malicious sample detected (through community Yara rule) 2->25 27 Antivirus detection for dropped file 2->27 29 Antivirus / Scanner detection for submitted sample 2->29 31 3 other signatures 2->31 6 250427-q9exta1yb1.bin.exe 14 2->6         started        10 HelpMe.exe 2 2->10         started        12 rundll32.exe 2->12         started        process3 file4 17 C:\Windows\SysWOW64\HelpMe.exe, PE32 6->17 dropped 19 C:\ProgramData\.curlrc.exe, PE32 6->19 dropped 21 C:\Documents and Settings\...\.curlrc (copy), PE32 6->21 dropped 23 10 other malicious files 6->23 dropped 33 Creates files in the recycle bin to hide itself 6->33 35 Creates an undocumented autostart registry key 6->35 37 Creates autorun.inf (USB autostart) 6->37 39 2 other signatures 6->39 14 HelpMe.exe 3 6->14         started        signatures5 process6 signatures7 41 Antivirus detection for dropped file 14->41 43 Multi AV Scanner detection for dropped file 14->43

              Screenshots

              Download Video

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              250427-q9exta1yb1.bin.exe88%VirustotalBrowse
              250427-q9exta1yb1.bin.exe92%ReversingLabsWin32.Worm.Stihat
              250427-q9exta1yb1.bin.exe100%AviraTR/Crypt.ASPM.Gen

              Dropped Files

              SourceDetectionScannerLabelLink
              C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe100%AviraTR/Crypt.ASPM.Gen
              C:\AUTORUN.INF.exe100%AviraTR/Crypt.ASPM.Gen
              C:\ProgramData\.curlrc.exe100%AviraTR/Crypt.ASPM.Gen
              C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe100%AviraTR/Crypt.ASPM.Gen
              C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe100%AviraTR/Crypt.ASPM.Gen
              C:\AutoRun.exe100%AviraTR/Crypt.ASPM.Gen
              C:\Windows\SysWOW64\HelpMe.exe100%AviraTR/Crypt.ASPM.Gen
              C:\AutoRun.exe92%ReversingLabsWin32.Worm.Stihat
              C:\Windows\SysWOW64\HelpMe.exe92%ReversingLabsWin32.Worm.Stihat

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              http://www.xcat-industries.comD(C)opyright0%Avira URL Cloudsafe
              http://www.xcat-industries.com/forumNWebsite:0%Avira URL Cloudsafe

              Domains and IPs

              Contacted Domains

              No contacted domains info
              NameSourceMaliciousAntivirus DetectionReputation
              http://www.xcat-industries.com/forumNWebsite:250427-q9exta1yb1.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.drfalse
              • Avira URL Cloud: safe
              		unknown
              http://www.symauth.com/rpa04250427-q9exta1yb1.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.drfalse
                		high
                http://www.xcat-industries.comD(C)opyright250427-q9exta1yb1.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.drfalse
                • Avira URL Cloud: safe
                		unknown
                http://crl.thawte.com/ThawteTimestampingCA.crl0250427-q9exta1yb1.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.drfalse
                  		high
                  http://www.symauth.com/cps09250427-q9exta1yb1.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.drfalse
                    		high
                    http://www.symauth.com/cps0(250427-q9exta1yb1.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.drfalse
                      		high
                      http://ocsp.thawte.com0250427-q9exta1yb1.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.drfalse
                        		high

                        World Map of Contacted IPs

                        No contacted IP infos

                        General Information

                        Joe Sandbox version:42.0.0 Malachite
                        Analysis ID:1675474
                        Start date and time:2025-04-27 16:03:23 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 4m 20s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:14
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:250427-q9exta1yb1.bin.exe
                        Detection:MAL
                        Classification:mal100.spre.evad.winEXE@5/14@0/0
                        EGA Information:Failed
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 184.85.78.223, 131.253.33.254, 20.12.23.50
                        • Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                        • Not all processes where analyzed, report is missing behavior information
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

                        TimeTypeDescription
                        15:04:07Task SchedulerRun new task: {847B3D66-1DF1-414F-BCAE-2061EF3218F0} path:
                        15:04:25AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
                        15:04:42AutostartRun: WinLogon Shell
                        15:04:50AutostartRun: WinLogon Shell HelpMe.exe

                        Joe Sandbox View / Context

                        IPs

                        No context

                        Domains

                        No context

                        ASNs

                        No context

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini (copy)

                        Download File
                        Process:C:\Users\user\Desktop\250427-q9exta1yb1.bin.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2569814
                        Entropy (8bit):6.0067066482969205
                        Encrypted:false
                        SSDEEP:12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCn:eEtl9mRda12sX7hKB8NIyXbacAfux
                        MD5:02CD1178D21EA07E44D3CC99ED865A36
                        SHA1:4538CD2C07AF511AFEE4E07C81434EBA258CAA79
                        SHA-256:A7FD1389056B4BD3CF8C313E5C25760554049FDB1349467C025C9CF6D47DC53A
                        SHA-512:29F29102900BAAA1F416B3A5CF8FD937A57E176552668C11BD081F422E5816A6A04C5B5C448E51691D54CAAAA2683E1FCE80473AFD294585064D3FEF4F08D3CC
                        Malicious:true
                        Reputation:low
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................h........r..................TO..............................<O......................................................CODE................................@...DATA..... ..........................@...BSS.................................@....idata...0.......&..................@....tls.........0......................@....rdata.......@......................@....reloc...p...P......................@....rsrc............r..................@....aspack..0...@...0...r..............@....adata.......p......................@....SCY.....0.......&..................`...........................................................

                        C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe

                        Download File
                        Process:C:\Users\user\Desktop\250427-q9exta1yb1.bin.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2569814
                        Entropy (8bit):6.0067066482969205
                        Encrypted:false
                        SSDEEP:12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCn:eEtl9mRda12sX7hKB8NIyXbacAfux
                        MD5:02CD1178D21EA07E44D3CC99ED865A36
                        SHA1:4538CD2C07AF511AFEE4E07C81434EBA258CAA79
                        SHA-256:A7FD1389056B4BD3CF8C313E5C25760554049FDB1349467C025C9CF6D47DC53A
                        SHA-512:29F29102900BAAA1F416B3A5CF8FD937A57E176552668C11BD081F422E5816A6A04C5B5C448E51691D54CAAAA2683E1FCE80473AFD294585064D3FEF4F08D3CC
                        Malicious:true
                        Yara Hits:
                        • Rule: JoeSecurity_Autorun, Description: Yara detected Autorun, Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, Author: Joe Security
                        • Rule: Windows_Ransomware_Ryuk_878bae7e, Description: Identifies RYUK ransomware, Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, Author: unknown
                        • Rule: Windows_Ransomware_Ryuk_6c726744, Description: Identifies RYUK ransomware, Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, Author: unknown
                        • Rule: Windows_Ransomware_Ryuk_8ba51798, Description: Identifies RYUK ransomware, Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, Author: unknown
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, Author: ReversingLabs
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, Author: ReversingLabs
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, Author: ReversingLabs
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, Author: ReversingLabs
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, Author: ReversingLabs
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, Author: ReversingLabs
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Avira, Detection: 100%
                        Reputation:low
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................h........r..................TO..............................<O......................................................CODE................................@...DATA..... ..........................@...BSS.................................@....idata...0.......&..................@....tls.........0......................@....rdata.......@......................@....reloc...p...P......................@....rsrc............r..................@....aspack..0...@...0...r..............@....adata.......p......................@....SCY.....0.......&..................`...........................................................

                        C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini (copy)

                        Download File
                        Process:C:\Users\user\Desktop\250427-q9exta1yb1.bin.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2569814
                        Entropy (8bit):6.006707027703245
                        Encrypted:false
                        SSDEEP:12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCn:eEtl9mRda12sX7hKB8NIyXbacAfup
                        MD5:B71445709BAAF10A4423C2E1B55551B8
                        SHA1:725E2014FF52F1345114A4AE1003BC4BB0731344
                        SHA-256:84983320C3FBF64EE766D8BEA745929FF9764C9C6261F8CB6EFEF92CB613F9BD
                        SHA-512:F3DDE470436A380A65989761B4A3B25B5ABC3C5FF236A1EDA962048758EC9FFFEE4668BD759FAB87DA2EEE1B21E561509437B1565C5D38BAC818FBF7ED580AFF
                        Malicious:true
                        Reputation:low
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................h........r..................TO..............................<O......................................................CODE................................@...DATA..... ..........................@...BSS.................................@....idata...0.......&..................@....tls.........0......................@....rdata.......@......................@....reloc...p...P......................@....rsrc............r..................@....aspack..0...@...0...r..............@....adata.......p......................@....SCY.....0.......&..................`...........................................................

                        C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini.exe

                        Download File
                        Process:C:\Users\user\Desktop\250427-q9exta1yb1.bin.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2569814
                        Entropy (8bit):6.006707027703245
                        Encrypted:false
                        SSDEEP:12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCn:eEtl9mRda12sX7hKB8NIyXbacAfup
                        MD5:B71445709BAAF10A4423C2E1B55551B8
                        SHA1:725E2014FF52F1345114A4AE1003BC4BB0731344
                        SHA-256:84983320C3FBF64EE766D8BEA745929FF9764C9C6261F8CB6EFEF92CB613F9BD
                        SHA-512:F3DDE470436A380A65989761B4A3B25B5ABC3C5FF236A1EDA962048758EC9FFFEE4668BD759FAB87DA2EEE1B21E561509437B1565C5D38BAC818FBF7ED580AFF
                        Malicious:true
                        Reputation:low
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................h........r..................TO..............................<O......................................................CODE................................@...DATA..... ..........................@...BSS.................................@....idata...0.......&..................@....tls.........0......................@....rdata.......@......................@....reloc...p...P......................@....rsrc............r..................@....aspack..0...@...0...r..............@....adata.......p......................@....SCY.....0.......&..................`...........................................................

                        C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini (copy)

                        Download File
                        Process:C:\Users\user\Desktop\250427-q9exta1yb1.bin.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2569814
                        Entropy (8bit):6.006706628438561
                        Encrypted:false
                        SSDEEP:12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCH:eEtl9mRda12sX7hKB8NIyXbacAfup
                        MD5:D0BD3C63ED4782C8A4AA3B83A379580B
                        SHA1:15B6C9B60376A986A1DEF42762394D344946BF52
                        SHA-256:56E961FF750A28D59EB4C63D30BCA41BA47637B556B1C1B475CA0CC8AB5257C4
                        SHA-512:270E800A43B8E6D63A8B1205E7C6AB97A3D9609B34F733709610F5FDCC634CFC484B6B425A019BDD166C41A6E9D22D3E2471ADD9561BD3529EE87F4C1DF1A3E7
                        Malicious:true
                        Reputation:low
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................h........r..................TO..............................<O......................................................CODE................................@...DATA..... ..........................@...BSS.................................@....idata...0.......&..................@....tls.........0......................@....rdata.......@......................@....reloc...p...P......................@....rsrc............r..................@....aspack..0...@...0...r..............@....adata.......p......................@....SCY.....0.......&..................`...........................................................

                        C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini.exe

                        Download File
                        Process:C:\Users\user\Desktop\250427-q9exta1yb1.bin.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2569814
                        Entropy (8bit):6.006706628438561
                        Encrypted:false
                        SSDEEP:12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCH:eEtl9mRda12sX7hKB8NIyXbacAfup
                        MD5:D0BD3C63ED4782C8A4AA3B83A379580B
                        SHA1:15B6C9B60376A986A1DEF42762394D344946BF52
                        SHA-256:56E961FF750A28D59EB4C63D30BCA41BA47637B556B1C1B475CA0CC8AB5257C4
                        SHA-512:270E800A43B8E6D63A8B1205E7C6AB97A3D9609B34F733709610F5FDCC634CFC484B6B425A019BDD166C41A6E9D22D3E2471ADD9561BD3529EE87F4C1DF1A3E7
                        Malicious:true
                        Reputation:low
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................h........r..................TO..............................<O......................................................CODE................................@...DATA..... ..........................@...BSS.................................@....idata...0.......&..................@....tls.........0......................@....rdata.......@......................@....reloc...p...P......................@....rsrc............r..................@....aspack..0...@...0...r..............@....adata.......p......................@....SCY.....0.......&..................`...........................................................

                        C:\AUTORUN.INF

                        Download File
                        Process:C:\Users\user\Desktop\250427-q9exta1yb1.bin.exe
                        File Type:Microsoft Windows Autorun file
                        Category:dropped
                        Size (bytes):145
                        Entropy (8bit):4.495390911637936
                        Encrypted:false
                        SSDEEP:3:It1KV0jkACoidYuu8koYvK3UACoieiKSHgpoYvK3UACoi0nKkACov:e1KIrOYz8kFEZrygfEZr4Jrv
                        MD5:CA13857B2FD3895A39F09D9DDE3CCA97
                        SHA1:8B78C5B2EC97C372EBDCEF92D14B0998F8DD6DD0
                        SHA-256:CFE448B4506A95B33B529EFA88F1AC704D8BDF98A941C065650EAD27609318AE
                        SHA-512:55E5B5325968D1E5314527FB2D26012F5AAE4A1C38E305417BE273400CB1C6D0C22B85BDDB501D7A5720A3F53BB5CAF6ADA8A7894232344C4F6C6EF85D226B47
                        Malicious:true
                        Reputation:moderate, very likely benign file
                        Preview:[autorun]..open=AutoRun.exe..shell\1=Open..shell\1\Command=AutoRun.exe..shell\2\=Browser..shell\2\Command=AutoRun.exe..shellexecute=AutoRun.exe..

                        C:\AUTORUN.INF.exe

                        Download File
                        Process:C:\Users\user\Desktop\250427-q9exta1yb1.bin.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2569830
                        Entropy (8bit):6.006765817647318
                        Encrypted:false
                        SSDEEP:12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCP:eEtl9mRda12sX7hKB8NIyXbacAful
                        MD5:F119E8EB4B459D159F6F546A60A61D2F
                        SHA1:80B8EA0D2C9C7CBE2A7F7B2E6EA3FD7015BC7A84
                        SHA-256:818DF146EE52F6B4B0E03AF99EFCFF637EA17D6668DE6A4EC407BB4F9AA63A94
                        SHA-512:0FF12A6749D40859E6DF94B381C27FFB981EEB688FFAFC7C325F3A0DEEE9F36BB32CFEEC8C96CF91DB9925C678A39C40F35149A113FC06297950EFDD1E270835
                        Malicious:true
                        Yara Hits:
                        • Rule: JoeSecurity_Autorun, Description: Yara detected Autorun, Source: C:\AUTORUN.INF.exe, Author: Joe Security
                        • Rule: Windows_Ransomware_Ryuk_878bae7e, Description: Identifies RYUK ransomware, Source: C:\AUTORUN.INF.exe, Author: unknown
                        • Rule: Windows_Ransomware_Ryuk_6c726744, Description: Identifies RYUK ransomware, Source: C:\AUTORUN.INF.exe, Author: unknown
                        • Rule: Windows_Ransomware_Ryuk_8ba51798, Description: Identifies RYUK ransomware, Source: C:\AUTORUN.INF.exe, Author: unknown
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\AUTORUN.INF.exe, Author: ReversingLabs
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................h........r..................TO..............................<O......................................................CODE................................@...DATA..... ..........................@...BSS.................................@....idata...0.......&..................@....tls.........0......................@....rdata.......@......................@....reloc...p...P......................@....rsrc............r..................@....aspack..0...@...0...r..............@....adata.......p......................@....SCY.....0.......&..................`...........................................................

                        C:\AutoRun.exe

                        Download File
                        Process:C:\Users\user\Desktop\250427-q9exta1yb1.bin.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2569149
                        Entropy (8bit):6.006895872497236
                        Encrypted:false
                        SSDEEP:12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MC1:eEtl9mRda12sX7hKB8NIyXbacAfu
                        MD5:C6696696451F913DC22F74439EFADB19
                        SHA1:0E6A32E3FFC562244EF6C5E6BBE9E847068F7C30
                        SHA-256:4EEE23B77CA1C379C3CBA05FCA602CC6A5188FBDACA1F33C8F6E851A75851EFA
                        SHA-512:0958696F11FC3A6BCDBC1307EC5C2B8A7C60D0DAC006D5F95B3B2EC64684E9D5E820A6B9038E7F99469FDDBBE1DC258C66CDAE760F59C949B105BF723FAF2463
                        Malicious:true
                        Yara Hits:
                        • Rule: JoeSecurity_Autorun, Description: Yara detected Autorun, Source: C:\AutoRun.exe, Author: Joe Security
                        • Rule: Windows_Ransomware_Ryuk_878bae7e, Description: Identifies RYUK ransomware, Source: C:\AutoRun.exe, Author: unknown
                        • Rule: Windows_Ransomware_Ryuk_6c726744, Description: Identifies RYUK ransomware, Source: C:\AutoRun.exe, Author: unknown
                        • Rule: Windows_Ransomware_Ryuk_8ba51798, Description: Identifies RYUK ransomware, Source: C:\AutoRun.exe, Author: unknown
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\AutoRun.exe, Author: ReversingLabs
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 92%
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................h........r..................TO..............................<O......................................................CODE................................@...DATA..... ..........................@...BSS.................................@....idata...0.......&..................@....tls.........0......................@....rdata.......@......................@....reloc...p...P......................@....rsrc............r..................@....aspack..0...@...0...r..............@....adata.......p......................@....SCY.....0.......&..................`...........................................................

                        C:\AutoRun.exe:Zone.Identifier

                        Download File
                        Process:C:\Users\user\Desktop\250427-q9exta1yb1.bin.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0

                        C:\Documents and Settings\All Users\.curlrc (copy)

                        Download File
                        Process:C:\Users\user\Desktop\250427-q9exta1yb1.bin.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2569693
                        Entropy (8bit):6.00664232225599
                        Encrypted:false
                        SSDEEP:12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCO:eEtl9mRda12sX7hKB8NIyXbacAfuY
                        MD5:1A1FB166E66489116F5F912D52779E09
                        SHA1:FF876D242C3EFC117F498C63EA03600C4299D436
                        SHA-256:AF88041632A4186E4964FDAF211E0833CA52D44960FC245B1EC1AF2420922232
                        SHA-512:B9FCECA8A08C4E12A790FE12E4702D6151AE9BBF6B8BB2BC56C41862E3B623CC9765C2D81496B0CB2E6D67FC12E30D77AA7D18EAC98015FEA242C1195734D45A
                        Malicious:true
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................h........r..................TO..............................<O......................................................CODE................................@...DATA..... ..........................@...BSS.................................@....idata...0.......&..................@....tls.........0......................@....rdata.......@......................@....reloc...p...P......................@....rsrc............r..................@....aspack..0...@...0...r..............@....adata.......p......................@....SCY.....0.......&..................`...........................................................

                        C:\ProgramData\.curlrc.exe

                        Download File
                        Process:C:\Users\user\Desktop\250427-q9exta1yb1.bin.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2569693
                        Entropy (8bit):6.00664232225599
                        Encrypted:false
                        SSDEEP:12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCO:eEtl9mRda12sX7hKB8NIyXbacAfuY
                        MD5:1A1FB166E66489116F5F912D52779E09
                        SHA1:FF876D242C3EFC117F498C63EA03600C4299D436
                        SHA-256:AF88041632A4186E4964FDAF211E0833CA52D44960FC245B1EC1AF2420922232
                        SHA-512:B9FCECA8A08C4E12A790FE12E4702D6151AE9BBF6B8BB2BC56C41862E3B623CC9765C2D81496B0CB2E6D67FC12E30D77AA7D18EAC98015FEA242C1195734D45A
                        Malicious:true
                        Yara Hits:
                        • Rule: JoeSecurity_Autorun, Description: Yara detected Autorun, Source: C:\ProgramData\.curlrc.exe, Author: Joe Security
                        • Rule: Windows_Ransomware_Ryuk_878bae7e, Description: Identifies RYUK ransomware, Source: C:\ProgramData\.curlrc.exe, Author: unknown
                        • Rule: Windows_Ransomware_Ryuk_6c726744, Description: Identifies RYUK ransomware, Source: C:\ProgramData\.curlrc.exe, Author: unknown
                        • Rule: Windows_Ransomware_Ryuk_8ba51798, Description: Identifies RYUK ransomware, Source: C:\ProgramData\.curlrc.exe, Author: unknown
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\ProgramData\.curlrc.exe, Author: ReversingLabs
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................h........r..................TO..............................<O......................................................CODE................................@...DATA..... ..........................@...BSS.................................@....idata...0.......&..................@....tls.........0......................@....rdata.......@......................@....reloc...p...P......................@....rsrc............r..................@....aspack..0...@...0...r..............@....adata.......p......................@....SCY.....0.......&..................`...........................................................

                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

                        Download File
                        Process:C:\Users\user\Desktop\250427-q9exta1yb1.bin.exe
                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Sun Apr 27 13:04:16 2025, mtime=Sun Apr 27 13:06:11 2025, atime=Sun Apr 27 13:04:16 2025, length=2568613, window=hide
                        Category:modified
                        Size (bytes):1016
                        Entropy (8bit):4.63384051624688
                        Encrypted:false
                        SSDEEP:24:88vzZUQO2PkpvAhU0+sW+sgcEw2lqyFm:88r7O2X7WrVN28yF
                        MD5:089330B828F9EF2A633B1303660137EF
                        SHA1:F9C524E0A04569B38516F007300F7B4197D36B55
                        SHA-256:8F1BBAF952DA7379DEF52ACFBC819C607F17B448B725340AFEA465D9B61F4365
                        SHA-512:1DD3BEC8FA6858D76208DFCC31527DBF1C07AC67A5FA84D69EB941D6EA63273CF83B163FF902ACE71E8B557EE2594ACF7F38DE03A3514053426F04813CD6F411
                        Malicious:false
                        Preview:L..................F.... ......B}......}......B}....1'.....................?....P.O. .:i.....+00.../C:\...................V.1.....gZ9T..Windows.@......OwH.Z.p....3.....................s...W.i.n.d.o.w.s.....Z.1......Z.p..SysWOW64..B......O.I.Z.p....Y.....................\.+.S.y.s.W.O.W.6.4.....`.2..1'..Z.p .HelpMe.exe..F......Z.p.Z.p..........................\.+.H.e.l.p.M.e...e.x.e.......M...............-.......L..............-.....C:\Windows\SysWOW64\HelpMe.exe....S.t.o.n.e.,.I. .h.a.t.e. .y.o.u.!.6.....\.....\.....\.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.H.e.l.p.M.e...e.x.e...C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.........)................1R..WH.....}'....`.......X.......node-bzg024......hT..CrF.f4... ._)p?....0.......hT..CrF.f4... ._)p?....0..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?

                        C:\Windows\SysWOW64\HelpMe.exe

                        Download File
                        Process:C:\Users\user\Desktop\250427-q9exta1yb1.bin.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2568613
                        Entropy (8bit):6.007138828163044
                        Encrypted:false
                        SSDEEP:12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCT:eEtl9mRda12sX7hKB8NIyXbacAfud
                        MD5:6B45FD669E9F67D0C0E69BAC98268E36
                        SHA1:6B82FC7BCCE6F0ABCE82FC64587E83869562F178
                        SHA-256:2A580788EB0FFB8CDC968A13E096EB4DD92F15BEE2F7CFBA7758BEEB8DF16EBD
                        SHA-512:B48637389865B62D72DEA4AE9B48EBD727CA7A89A65B4ECDCFCEF66AEC338D19EFBBCD41A5308A707A1FCA409961E8BF3708F4ADB150764AD6C3E8D507A7CBB7
                        Malicious:true
                        Yara Hits:
                        • Rule: JoeSecurity_Autorun, Description: Yara detected Autorun, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: Joe Security
                        • Rule: Windows_Ransomware_Ryuk_878bae7e, Description: Identifies RYUK ransomware, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: unknown
                        • Rule: Windows_Ransomware_Ryuk_6c726744, Description: Identifies RYUK ransomware, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: unknown
                        • Rule: Windows_Ransomware_Ryuk_8ba51798, Description: Identifies RYUK ransomware, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: unknown
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: ReversingLabs
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: ReversingLabs
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: ReversingLabs
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: ReversingLabs
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: ReversingLabs
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: ReversingLabs
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 92%
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................h........r..................TO..............................<O......................................................CODE................................@...DATA..... ..........................@...BSS.................................@....idata...0.......&..................@....tls.........0......................@....rdata.......@......................@....reloc...p...P......................@....rsrc............r..................@....aspack..0...@...0...r..............@....adata.......p......................@....SCY.....0.......&..................`...........................................................

                        Static File Info

                        General

                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):6.006895872497236
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 98.22%
                        • ASPack compressed Win32 Executable (generic) (133821/79) 1.31%
                        • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                        • Win16/32 Executable Delphi generic (2074/23) 0.02%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        File name:250427-q9exta1yb1.bin.exe
                        File size:2'569'149 bytes
                        MD5:c6696696451f913dc22f74439efadb19
                        SHA1:0e6a32e3ffc562244ef6c5e6bbe9e847068f7c30
                        SHA256:4eee23b77ca1c379c3cba05fca602cc6a5188fbdaca1f33c8f6e851a75851efa
                        SHA512:0958696f11fc3a6bcdbc1307ec5c2b8a7c60d0dac006d5f95b3b2ec64684e9d5e820a6b9038e7f99469fddbbe1dc258c66cdae760f59c949b105bf723faf2463
                        SSDEEP:12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MC1:eEtl9mRda12sX7hKB8NIyXbacAfu
                        TLSH:24C55C64E610D8BAF3D6E978640E7F290CE57D110BC22D4DA49DAB241FF0EF4E5B2294
                        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                        File Icon

                        Icon Hash:961e1672700f1e16

                        Static PE Info

                        General

                        Entrypoint:0x45cf80
                        Entrypoint Section:CODE
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                        DLL Characteristics:
                        Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:12fcd3183e0fb67f1e38925ed5c0c47c
                        Instruction
                        push ebp
                        mov ebp, esp
                        add esp, FFFFFFF0h
                        mov eax, 0045CD70h
                        call 00007F88CC4707C9h
                        mov eax, dword ptr [0045E1B4h]
                        mov eax, dword ptr [eax]
                        call 00007F88CC4C2791h
                        mov eax, dword ptr [0045E1B4h]
                        mov eax, dword ptr [eax]
                        xor edx, edx
                        call 00007F88CC4C2393h
                        mov ecx, dword ptr [0045E078h]
                        mov eax, dword ptr [0045E1B4h]
                        mov eax, dword ptr [eax]
                        mov edx, dword ptr [0045B16Ch]
                        call 00007F88CC4C2783h
                        mov eax, dword ptr [0045E1B4h]
                        mov eax, dword ptr [eax]
                        call 00007F88CC4C27F7h
                        call 00007F88CC46E57Ah
                        nop
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add cl, byte ptr [ebp+00000040h]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        xor dl, byte ptr [ebx]
                        mov eax, eax
                        add al, byte ptr [eax]
                        mov eax, eax
                        add byte ptr [ebp-72FFFFC0h], cl
                        inc eax
                        add byte ptr [eax], al
                        lea eax, dword ptr [eax+00h]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        or byte ptr [ecx], ah
                        inc eax
                        add byte ptr [eax+18004022h], bl
                        inc eax
                        NameVirtual AddressVirtual Size Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_IMPORT0x786d40x168.SCY
                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x6c0000x7200.rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x74f540x8.aspack
                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                        IMAGE_DIRECTORY_ENTRY_TLS0x74f3c0x18.aspack
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x100000

                        Sections

                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                        CODE0x10000x5c0000x5c00060229906ef2855e9fa1c2f16ed3a92eeFalse0.5274923573369565data6.519414048971122IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        DATA0x5d0000x20000x1400c5e6c434e0a9a3710acbd682aa4fbbf2False0.4341796875data4.056765956007262IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        BSS0x5f0000x10000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .idata0x600000x30000x2600cd509514e3ce7c1327efbc93a9a4065eFalse0.4278371710526316data5.399540656115184IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .tls0x630000x10000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rdata0x640000x10000x200710ed322af38cc3cafbb0b107be04212False0.05078125MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "F"0.2069200177871819IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .reloc0x650000x70000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rsrc0x6c0000x80000x72006106d30a01fb76e204dee96fb53d4a6cFalse0.22937225877192982data3.3807301517457726IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .aspack0x740000x30000x3000dd153ef13ec18045ede483295a495e2bFalse0.4054361979166667data4.952046990056101IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .adata0x770000x10000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .SCY0x780000x30000x260055600674716e369a2c9a92535f91ca48False0.4323601973684211data5.590484563034503IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        NameRVASizeTypeLanguageCountryZLIB Complexity
                        RT_CURSOR0x6cadc0x134Targa image data - Map 64 x 65536 x 1 +32 "\001"0.38636363636363635
                        RT_CURSOR0x6cc100x134data0.4642857142857143
                        RT_CURSOR0x6cd440x134data0.4805194805194805
                        RT_CURSOR0x6ce780x134data0.38311688311688313
                        RT_CURSOR0x6cfac0x134data0.36038961038961037
                        RT_CURSOR0x6d0e00x134data0.4090909090909091
                        RT_CURSOR0x6d2140x134Targa image data - RGB 64 x 65536 x 1 +32 "\001"0.4967532467532468
                        RT_BITMAP0x6d3480x1d0Device independent bitmap graphic, 36 x 18 x 4, image size 3600.43103448275862066
                        RT_BITMAP0x6d5180x1e4Device independent bitmap graphic, 36 x 19 x 4, image size 3800.46487603305785125
                        RT_BITMAP0x6d6fc0x1d0Device independent bitmap graphic, 36 x 18 x 4, image size 3600.43103448275862066
                        RT_BITMAP0x6d8cc0x1d0Device independent bitmap graphic, 36 x 18 x 4, image size 3600.39870689655172414
                        RT_BITMAP0x6da9c0x1d0Device independent bitmap graphic, 36 x 18 x 4, image size 3600.4245689655172414
                        RT_BITMAP0x6dc6c0x1d0Device independent bitmap graphic, 36 x 18 x 4, image size 3600.5021551724137931
                        RT_BITMAP0x6de3c0x1d0Device independent bitmap graphic, 36 x 18 x 4, image size 3600.5064655172413793
                        RT_BITMAP0x6e00c0x1d0Device independent bitmap graphic, 36 x 18 x 4, image size 3600.39655172413793105
                        RT_BITMAP0x6e1dc0x1d0Device independent bitmap graphic, 36 x 18 x 4, image size 3600.5344827586206896
                        RT_BITMAP0x6e3ac0x1d0Device independent bitmap graphic, 36 x 18 x 4, image size 3600.39655172413793105
                        RT_BITMAP0x6e57c0xe8Device independent bitmap graphic, 16 x 16 x 4, image size 1280.4870689655172414
                        RT_ICON0x752ec0x1ca8Device independent bitmap graphic, 48 x 96 x 24, image size 6912ChineseTaiwan0.2595419847328244
                        RT_DIALOG0x7030c0x52data0.7682926829268293
                        RT_STRING0x703600x228data0.4782608695652174
                        RT_STRING0x705880x1d0data0.38146551724137934
                        RT_STRING0x707580x16cdata0.532967032967033
                        RT_STRING0x708c40x1fcTarga image data - Color 99 x 107 x 32 +68 +111 "z"0.4744094488188976
                        RT_STRING0x70ac00x214data0.5131578947368421
                        RT_STRING0x70cd40xecdata0.597457627118644
                        RT_STRING0x70dc00x12cdata0.5633333333333334
                        RT_STRING0x70eec0x33cdata0.4311594202898551
                        RT_STRING0x712280x3d8data0.36585365853658536
                        RT_STRING0x716000x398data0.3673913043478261
                        RT_STRING0x719980x418data0.366412213740458
                        RT_STRING0x71db00x114data0.5
                        RT_STRING0x71ec40xe4data0.5482456140350878
                        RT_STRING0x71fa80x24cdata0.477891156462585
                        RT_STRING0x721f40x3d4data0.3142857142857143
                        RT_STRING0x725c80x388data0.3661504424778761
                        RT_STRING0x729500x2d8data0.375
                        RT_RCDATA0x72c280x10data1.5
                        RT_RCDATA0x72c380x2a4data0.7322485207100592
                        RT_RCDATA0x72edc0x1c0Delphi compiled form 'TFrm_Main'0.7142857142857143
                        RT_GROUP_CURSOR0x7309c0x14Lotus unknown worksheet or configuration, revision 0x11.25
                        RT_GROUP_CURSOR0x730b00x14Lotus unknown worksheet or configuration, revision 0x11.25
                        RT_GROUP_CURSOR0x730c40x14Lotus unknown worksheet or configuration, revision 0x11.3
                        RT_GROUP_CURSOR0x730d80x14Lotus unknown worksheet or configuration, revision 0x11.3
                        RT_GROUP_CURSOR0x730ec0x14Lotus unknown worksheet or configuration, revision 0x11.3
                        RT_GROUP_CURSOR0x731000x14Lotus unknown worksheet or configuration, revision 0x11.3
                        RT_GROUP_CURSOR0x731140x14Lotus unknown worksheet or configuration, revision 0x11.3
                        RT_GROUP_ICON0x752d80x14dataChineseTaiwan1.15
                        DLLImport
                        kernel32.dllDeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
                        user32.dllGetKeyboardType, LoadStringA, MessageBoxA, CharNextA
                        advapi32.dllRegQueryValueExA, RegOpenKeyExA, RegCloseKey
                        oleaut32.dllSysFreeString, SysReAllocStringLen, SysAllocStringLen
                        kernel32.dllTlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
                        advapi32.dllRegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCreateKeyExA, RegCloseKey
                        kernel32.dlllstrcpyA, WritePrivateProfileStringA, WriteFile, WinExec, WaitForSingleObject, VirtualQuery, VirtualAlloc, UnmapViewOfFile, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetFileAttributesA, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, MoveFileA, MapViewOfFile, LockResource, LocalFree, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetTempPathA, GetSystemInfo, GetSystemDirectoryA, GetStringTypeA, GetStdHandle, GetShortPathNameA, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleA, GetModuleFileNameA, GetLogicalDriveStringsA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileAttributesA, GetExitCodeThread, GetDriveTypeA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeleteFileA, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CopyFileA, CompareStringA, CloseHandle
                        version.dllVerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
                        gdi32.dllUnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
                        user32.dllCreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterClipboardFormatA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, ExitWindowsEx, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyCursor, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
                        kernel32.dllSleep
                        oleaut32.dllSafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
                        ole32.dllOleUninitialize, OleInitialize, CoCreateInstance, CoUninitialize, CoInitialize
                        oleaut32.dllGetErrorInfo, SysFreeString
                        comctl32.dllImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
                        shell32.dllSHGetSpecialFolderLocation, SHGetPathFromIDListA
                        advapi32.dllSetSecurityInfo, SetEntriesInAclA, GetSecurityInfo

                        Possible Origin

                        Language of compilation systemCountry where language is spokenMap
                        ChineseTaiwan

                        Network Behavior

                        No network behavior found

                        Statistics

                        CPU Usage

                        Click to jump to process

                        Memory Usage

                        Click to jump to process

                        High Level Behavior Distribution

                        • File
                        • Registry

                        Click to dive into process behavior distribution

                        Behavior

                        Click to jump to process

                        System Behavior

                        General

                        Target ID:0
                        Start time:10:04:15
                        Start date:27/04/2025
                        Path:C:\Users\user\Desktop\250427-q9exta1yb1.bin.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\250427-q9exta1yb1.bin.exe"
                        Imagebase:0x400000
                        File size:2'569'149 bytes
                        MD5 hash:C6696696451F913DC22F74439EFADB19
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:Borland Delphi
                        Yara matches:
                        • Rule: JoeSecurity_Autorun, Description: Yara detected Autorun, Source: 00000000.00000000.1140117456.0000000000401000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:false
                        Show Windows behavior

                        File Activities

                        Show Windows behavior

                        Section Activities

                        Show Windows behavior

                        Registry Activities

                        There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                        There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                        Show Windows behavior

                        Process Activities

                        Show Windows behavior

                        Thread Activities

                        Show Windows behavior

                        Memory Activities

                        Show Windows behavior

                        System Activities

                        Show Windows behavior

                        Timing Activities

                        Show Windows behavior

                        Windows UI Activities

                        There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                        General

                        Target ID:1
                        Start time:10:04:16
                        Start date:27/04/2025
                        Path:C:\Windows\SysWOW64\HelpMe.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\system32\HelpMe.exe
                        Imagebase:0x400000
                        File size:2'568'613 bytes
                        MD5 hash:6B45FD669E9F67D0C0E69BAC98268E36
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:Borland Delphi
                        Yara matches:
                        • Rule: JoeSecurity_Autorun, Description: Yara detected Autorun, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: Joe Security
                        • Rule: Windows_Ransomware_Ryuk_878bae7e, Description: Identifies RYUK ransomware, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: unknown
                        • Rule: Windows_Ransomware_Ryuk_6c726744, Description: Identifies RYUK ransomware, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: unknown
                        • Rule: Windows_Ransomware_Ryuk_8ba51798, Description: Identifies RYUK ransomware, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: unknown
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: ReversingLabs
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: ReversingLabs
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: ReversingLabs
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: ReversingLabs
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: ReversingLabs
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: ReversingLabs
                        Antivirus matches:
                        • Detection: 100%, Avira
                        • Detection: 92%, ReversingLabs
                        Reputation:low
                        Has exited:false
                        Show Windows behavior

                        File Activities

                        Show Windows behavior

                        Section Activities

                        Show Windows behavior

                        Registry Activities

                        There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                        There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                        There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                        Show Windows behavior

                        Thread Activities

                        Show Windows behavior

                        Memory Activities

                        Show Windows behavior

                        System Activities

                        Show Windows behavior

                        Timing Activities

                        Show Windows behavior

                        Windows UI Activities

                        There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                        General

                        Target ID:9
                        Start time:10:04:34
                        Start date:27/04/2025
                        Path:C:\Windows\SysWOW64\HelpMe.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\SysWOW64\HelpMe.exe"
                        Imagebase:0x400000
                        File size:2'568'613 bytes
                        MD5 hash:6B45FD669E9F67D0C0E69BAC98268E36
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:Borland Delphi
                        Reputation:low
                        Has exited:false
                        Show Windows behavior

                        File Activities

                        Show Windows behavior

                        Section Activities

                        Show Windows behavior

                        Registry Activities

                        There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                        There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                        Show Windows behavior

                        Thread Activities

                        Show Windows behavior

                        Memory Activities

                        Show Windows behavior

                        System Activities

                        Show Windows behavior

                        Timing Activities

                        Show Windows behavior

                        Windows UI Activities

                        There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                        General

                        Target ID:10
                        Start time:10:04:42
                        Start date:27/04/2025
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                        Imagebase:0x7ff6c4600000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true
                        Show Windows behavior

                        File Activities

                        Show Windows behavior

                        Section Activities

                        There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                        There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                        Show Windows behavior

                        Process Activities

                        Thread Activities

                        There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                        Show Windows behavior

                        System Activities

                        Show Windows behavior

                        Windows UI Activities

                        There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                        Disassembly

                        No disassembly