
Windows Analysis Report
250427-sppmmasyfv.bin.exe

Overview

General Information

Sample name: 250427-sppmmasyfv.bin.exe
Analysis ID: 1675509
MD5: 1e8acce9b5a48687c4f4a087d651ea29
SHA1: 1187738d7b4618376640fd0f7784fe41c0d83084
SHA256: 639a920f5fcf111af3a94d8c59a272d70ac274628975d541c4fd36b834a8178a
Tags: user-UNP4CK

Detection

Autorun
Score: 100 (range 0 - 100)
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Autorun
Changes the view of files in windows explorer (hidden files and folders)
Creates an undocumented autostart registry key
Creates autorun.inf (USB autostart)
Creates files in the recycle bin to hide itself
Drops executables to the windows directory (C:\Windows) and starts them
Checks for available system drives (often done to infect USB drives)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
May infect USB drives
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Yara signature match

Classification

Classification (legend of the classification chart in the original report): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; severity scale: clean, suspicious, malicious
  • System is w10x64
  • 250427-sppmmasyfv.bin.exe (PID: 7120 cmdline: "C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe" MD5: 1E8ACCE9B5A48687C4F4A087D651EA29)
    • HelpMe.exe (PID: 6288 cmdline: C:\Windows\system32\HelpMe.exe MD5: 6B45FD669E9F67D0C0E69BAC98268E36)
  • HelpMe.exe (PID: 7548 cmdline: "C:\Windows\SysWOW64\HelpMe.exe" MD5: 6B45FD669E9F67D0C0E69BAC98268E36)
  • rundll32.exe (PID: 7640 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
250427-sppmmasyfv.bin.exe | JoeSecurity_Autorun | Yara detected Autorun | Joe Security
250427-sppmmasyfv.bin.exe | Windows_Ransomware_Ryuk_878bae7e | Identifies RYUK ransomware | unknown
    • 0xbb2e8:$b2: RyukReadMe.html
    • 0xbb6e4:$b2: RyukReadMe.html
250427-sppmmasyfv.bin.exe | Windows_Ransomware_Ryuk_6c726744 | Identifies RYUK ransomware | unknown
    • 0xbb070:$a1: 172.16.
    • 0xbb078:$a2: 192.168.
    • 0xd2cf0:$a3: DEL /F
    • 0xbb4b8:$a4: lsaas.exe
    • 0xbbfa5:$a5: delete[]
    • 0xbbfe7:$a5: delete[]
    • 0x18aede:$a5: delete[]
    • 0x18af20:$a5: delete[]
250427-sppmmasyfv.bin.exe | Windows_Ransomware_Ryuk_8ba51798 | Identifies RYUK ransomware | unknown
    • 0xbb4b8:$c3: lsaas.exe
    • 0xccfb0:$c4: FA_Scheduler
    • 0xc7c68:$c5: ocautoupds
    • 0xca0f8:$c6: CNTAoSMgr
    • 0xd2942:$c7: hrmlog
    • 0xbb308:$c8: UNIQUE_ID_DO_NOT_REMOVE
    • 0xbb574:$c8: UNIQUE_ID_DO_NOT_REMOVE
    • 0xd2f70:$c8: UNIQUE_ID_DO_NOT_REMOVE
250427-sppmmasyfv.bin.exe | Win32_Ransomware_Ryuk | unknown | ReversingLabs
    • 0xa4428:$encrypt_files_p1: 55 8B EC 81 EC 58 02 00 00 C7 45 F8 00 00 00 00 B8 10 00 00 00 66 89 85 4C FF FF FF 6A 10 6A 00 8D 8D D4 FE FF FF 51 E8 F4 60 00 00 83 C4 0C 68 80 00 00 00 8B 55 08 52 FF 15 F0 D9 16 30 89 85 ...
    • 0xa4658:$encrypt_files_p2: 77 0E 83 7D EC 00 77 16 72 06 83 7D E8 00 77 0E C7 45 E8 D0 07 00 00 C7 45 EC 00 00 00 00 8B 4D F0 89 8D 34 FF FF FF 8B 55 F4 89 95 38 FF FF FF 83 7D F4 00 77 1C 72 06 83 7D F0 19 73 14 8B 45 ...
    • 0xa4888:$encrypt_files_p3: 6A 00 6A 00 6A 00 8B 4D FC 51 FF 15 58 D9 16 30 89 85 3C FF FF FF 83 BD 3C FF FF FF FF 75 0A B8 06 00 00 00 E9 DB 06 00 00 8D 55 F8 52 6A 01 68 10 66 00 00 8B 45 0C 50 FF 15 48 D9 16 30 85 C0 ...
    • 0xa4a10:$encrypt_files_p4: 8B 4D F4 51 8B 55 F0 52 E8 4B 65 00 00 89 45 B0 8B 45 14 89 45 C4 C7 45 DC 40 42 0F 00 C7 45 CC 00 00 00 00 C7 45 C8 00 00 00 00 C7 45 B8 40 42 0F 00 C7 45 E0 00 00 00 00 EB 09 8B 4D E0 83 C1 ...
    • 0xa4c24:$encrypt_files_p5: E9 22 FE FF FF C7 85 E8 FE FF FF 12 00 00 00 8A 0D 32 82 01 30 88 4D 94 33 D2 89 55 95 89 55 99 89 55 9D 89 55 A1 88 55 A5 6A 12 6A 00 8D 45 94 50 E8 EE 58 00 00 83 C4 0C C6 45 D4 48 C6 45 D5 ...
    • 0xa4e1c:$encrypt_files_p6: 45 FC 50 FF 15 08 D9 16 30 8B 4D F8 51 FF 15 DC D8 16 30 B8 14 00 00 00 E9 53 01 00 00 C7 45 AC 00 00 00 00 6A 00 8D 55 AC 52 8B 45 90 50 8D 8D A8 FD FF FF 51 8B 55 FC 52 FF 15 A4 D9 16 30 89 ...
    • 0xa5cf8:$remote_connection: 55 8B EC 81 EC 80 04 00 00 8B 45 08 C7 00 00 00 00 00 C7 40 04 00 00 00 00 C7 45 C4 00 00 00 00 C7 45 C8 00 00 00 00 8D 4D C4 51 6A 00 6A 00 6A 00 6A 02 E8 3A 51 00 00 89 45 A8 6A 04 68 00 10 ...
    • 0xb30bb:$find_files_p1: 8B FF 55 8B EC 51 8B 4D 08 53 57 33 DB 8D 51 02 66 8B 01 83 C1 02 66 3B C3 75 F5 8B 7D 10 2B CA D1 F9 83 C8 FF 41 2B C7 89 4D FC 3B C8 76 05 6A 0C 58 EB 57 56 8D 5F 01 03 D9 6A 02 53 E8 25 D3 ...
    • 0xb31ef:$find_files_p2: EB 03 33 C0 40 2B CB 0F B6 C0 D1 F9 41 F7 D8 68 50 02 00 00 1B C0 23 C1 89 85 A4 FD FF FF 8D 85 AC FD FF FF 57 50 E8 2E 73 FF FF 83 C4 0C 8D 85 AC FD FF FF 57 57 57 50 57 53 FF 15 88 81 01 30 ...
Source | Rule | Description | Author | Strings
C:\AUTORUN.INF.exe | JoeSecurity_Autorun | Yara detected Autorun | Joe Security
C:\AUTORUN.INF.exe | Windows_Ransomware_Ryuk_878bae7e | Identifies RYUK ransomware | unknown
      • 0xbb2e8:$b2: RyukReadMe.html
      • 0xbb6e4:$b2: RyukReadMe.html
C:\AUTORUN.INF.exe | Windows_Ransomware_Ryuk_6c726744 | Identifies RYUK ransomware | unknown
      • 0xbb070:$a1: 172.16.
      • 0xbb078:$a2: 192.168.
      • 0xd2cf0:$a3: DEL /F
      • 0xbb4b8:$a4: lsaas.exe
      • 0xbbfa5:$a5: delete[]
      • 0xbbfe7:$a5: delete[]
      • 0x18aede:$a5: delete[]
      • 0x18af20:$a5: delete[]
C:\AUTORUN.INF.exe | Windows_Ransomware_Ryuk_8ba51798 | Identifies RYUK ransomware | unknown
      • 0xbb4b8:$c3: lsaas.exe
      • 0xccfb0:$c4: FA_Scheduler
      • 0xc7c68:$c5: ocautoupds
      • 0xca0f8:$c6: CNTAoSMgr
      • 0xd2942:$c7: hrmlog
      • 0xbb308:$c8: UNIQUE_ID_DO_NOT_REMOVE
      • 0xbb574:$c8: UNIQUE_ID_DO_NOT_REMOVE
      • 0xd2f70:$c8: UNIQUE_ID_DO_NOT_REMOVE
C:\ProgramData\.curlrc.exe | JoeSecurity_Autorun | Yara detected Autorun | Joe Security
(30 dropped-file entries in total; the remaining entries are collapsed in the original report)
Source | Rule | Description | Author | Strings
00000000.00000000.1139948507.0000000000401000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_Autorun | Yara detected Autorun | Joe Security
Process Memory Space: 250427-sppmmasyfv.bin.exe PID: 7120 | JoeSecurity_Autorun | Yara detected Autorun | Joe Security
Source | Rule | Description | Author | Strings
0.0.250427-sppmmasyfv.bin.exe.400000.0.unpack | JoeSecurity_Autorun | Yara detected Autorun | Joe Security

System Summary

Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe, ProcessId: 7120, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
No Suricata rule has matched
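The Sigma hit recorded above (a Sysmon EventID 11 file write into the per-user Startup folder) is the only behavioural rule match in this report. As an added illustration, not part of the Joe Sandbox report or of the published Sigma rule, the following Python re-implements the core of the "Startup Folder File Write" logic over a few constructed Sysmon file-create records; the first record mirrors the Soft.lnk write above, the others are made up to exercise the filters. The allowlist of writer images is an assumption for this example, not the rule's actual filter list.

```python
"""Startup-folder file-write detection over Sysmon EventID 11 records.

Added example, not part of the Joe Sandbox report. It reproduces the core
logic of the Sigma rule "Startup Folder File Write" in plain Python. The
ALLOWED_IMAGES set is an assumption for illustration, not the published
rule's filter list.
"""
import re
from dataclasses import dataclass

# Both the per-user (AppData\Roaming) and all-users (ProgramData) Startup
# folders end with this path fragment.
STARTUP_DIR = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE
)

# Assumed allowlist of installers that legitimately populate Startup folders.
ALLOWED_IMAGES = {
    r"c:\windows\system32\msiexec.exe",
    r"c:\windows\syswow64\msiexec.exe",
}


@dataclass(frozen=True)
class SysmonFileEvent:
    event_id: int      # 11 = FileCreate, 23 = FileDelete, ...
    image: str         # writing process
    process_id: int
    target: str        # TargetFilename


def is_startup_write(ev: SysmonFileEvent) -> bool:
    """True when a non-allowlisted process creates a file in a Startup folder."""
    if ev.event_id != 11:
        return False
    if not STARTUP_DIR.search(ev.target):
        return False
    return ev.image.lower() not in ALLOWED_IMAGES


def detect(events):
    """Return the matching events in input order."""
    return [e for e in events if is_startup_write(e)]


# Constructed records. Only the first corresponds to the hit in the report.
SAMPLE_EVENTS = [
    SysmonFileEvent(11, r"C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe", 7120,
                    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk"),
    # allowlisted installer writing an all-users Startup shortcut: no alert
    SysmonFileEvent(11, r"C:\Windows\System32\msiexec.exe", 4321,
                    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Vendor Tray.lnk"),
    # write outside any Startup folder: no alert from this rule
    SysmonFileEvent(11, r"C:\Windows\SysWOW64\HelpMe.exe", 7548,
                    r"C:\ProgramData\.curlrc.exe"),
    # a delete (EventID 23) in the Startup folder is a different rule's business
    SysmonFileEvent(23, r"C:\Windows\explorer.exe", 1000,
                    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\old.lnk"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={hit.process_id} {hit.image} -> {hit.target}")
```

In production the allowlist is the part that needs care: a too-generous image filter (for instance any binary under C:\Windows) would suppress exactly the kind of hit seen here, since HelpMe.exe is dropped into C:\Windows\SysWOW64 before it runs.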

              AV Detection

Source: 250427-sppmmasyfv.bin.exe; Avira: detected
Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe; Avira: detection malicious, Label: TR/Crypt.ASPM.Gen
Source: C:\AUTORUN.INF.exe; Avira: detection malicious, Label: TR/Crypt.ASPM.Gen
Source: C:\ProgramData\.curlrc.exe; Avira: detection malicious, Label: TR/Crypt.ASPM.Gen
Source: C:\AutoRun.exe; Avira: detection malicious, Label: TR/Crypt.ASPM.Gen
Source: C:\Windows\SysWOW64\HelpMe.exe; Avira: detection malicious, Label: TR/Crypt.ASPM.Gen
Source: C:\AutoRun.exe; ReversingLabs: Detection: 91%
Source: C:\Windows\SysWOW64\HelpMe.exe; ReversingLabs: Detection: 92%
Source: 250427-sppmmasyfv.bin.exe; Virustotal: Detection: 87%
Source: 250427-sppmmasyfv.bin.exe; ReversingLabs: Detection: 91%
Source: 250427-sppmmasyfv.bin.exe; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

              Spreading

Source: Yara match; File source: 250427-sppmmasyfv.bin.exe, type: SAMPLE
Source: Yara match; File source: 0.0.250427-sppmmasyfv.bin.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1139948507.0000000000401000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 250427-sppmmasyfv.bin.exe PID: 7120, type: MEMORYSTR
Source: Yara match; File source: C:\AUTORUN.INF.exe, type: DROPPED
Source: Yara match; File source: C:\ProgramData\.curlrc.exe, type: DROPPED
Source: Yara match; File source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPED
Source: Yara match; File source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPED
Source: Yara match; File source: C:\AutoRun.exe, type: DROPPED
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe; File created: C:\AUTORUN.INF
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: z:
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: x:
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: v:
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: t:
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: r:
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: p:
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: n:
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: l:
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: j:
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: h:
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: f:
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: b:
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: y:
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: w:
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: u:
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: s:
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: q:
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: o:
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: m:
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: k:
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: i:
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: g:
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: e:
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: c:
Source: C:\Windows\SysWOW64\HelpMe.exe; File opened: a:
Source: 250427-sppmmasyfv.bin.exe, 00000000.00000003.1191420772.00000000028A0000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: [autorun]
Source: 250427-sppmmasyfv.bin.exe, 00000000.00000002.2397231730.0000000000480000.00000004.00000020.00040000.00000000.sdmp; Binary or memory string: AUTORUN.INFC:\W
Source: 250427-sppmmasyfv.bin.exe, 00000000.00000002.2398425183.0000000002220000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: C:\AUTORUN.INF
Source: 250427-sppmmasyfv.bin.exe, 00000000.00000002.2398425183.0000000002220000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: C:\AUTORUN.INFN
Source: 250427-sppmmasyfv.bin.exe, 00000000.00000000.1139948507.0000000000401000.00000008.00000001.01000000.00000003.sdmp; Binary or memory string: :\AUTORUN.INF
Source: 250427-sppmmasyfv.bin.exe, 00000000.00000003.1191449570.00000000028A0000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: [autorun]
Source: 250427-sppmmasyfv.bin.exe, 00000000.00000003.1191367754.00000000028A0000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: [autorun]
Source: 250427-sppmmasyfv.bin.exe, 00000000.00000003.1191393925.00000000028A0000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: [autorun]
Source: HelpMe.exe, 00000001.00000002.2398511650.00000000021B0000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: C:\AUTORUN.INF
Source: HelpMe.exe, 00000009.00000002.2398246376.00000000021E0000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: C:\AUTORUN.INF
Source: HelpMe.exe, 00000009.00000002.2397649835.00000000005FF000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: C:\AUTORUN.INFy
Source: HelpMe.exe, 00000009.00000002.2397649835.00000000005FF000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: C:\AUTORUN.INFO
Source: HelpMe.exe, 00000009.00000002.2397649835.00000000005FF000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\C:\AUTORUN.INF
Source: 250427-sppmmasyfv.bin.exe; Binary or memory string: :\AUTORUN.INF
Source: 250427-sppmmasyfv.bin.exe; Binary or memory string: [autorun]
Source: 250427-sppmmasyfv.bin.exe; Binary or memory string: AUTORUN.INF
Source: 250427-sppmmasyfv.bin.exe; Binary or memory string: AUTORUN.INF(t
Source: 250427-sppmmasyfv.bin.exe; Binary or memory string: AUTORUN.INFx
Source: 250427-sppmmasyfv.bin.exe; Binary or memory string: A@p[autorun]
Source: 250427-sppmmasyfv.bin.exe; Binary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
Source: 250427-sppmmasyfv.bin.exe; Binary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000110","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
Source: 250427-sppmmasyfv.bin.exe; Binary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000120","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
Source: 250427-sppmmasyfv.bin.exe; Binary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
Source: 250427-sppmmasyfv.bin.exe; Binary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
Source: 250427-sppmmasyfv.bin.exe; Binary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
Source: 250427-sppmmasyfv.bin.exe; Binary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
Source: 250427-sppmmasyfv.bin.exe; Binary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
Source: 250427-sppmmasyfv.bin.exe; Binary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
Source: 250427-sppmmasyfv.bin.exe; Binary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
Source: 250427-sppmmasyfv.bin.exe; Binary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
Source: 250427-sppmmasyfv.bin.exe; Binary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
Source: 250427-sppmmasyfv.bin.exe; Binary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
Source: 250427-sppmmasyfv.bin.exe; Binary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
Source: 250427-sppmmasyfv.bin.exe; Binary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
Source: desktop.ini.exe1.0.dr; Binary or memory string: :\AUTORUN.INF
Source: desktop.ini.exe1.0.dr; Binary or memory string: [autorun]
Source: desktop.ini.exe1.0.dr; Binary or memory string: AUTORUN.INF
Source: desktop.ini.exe1.0.dr; Binary or memory string: AUTORUN.INF(t
Source: desktop.ini.exe1.0.dr; Binary or memory string: AUTORUN.INFx
Source: desktop.ini.exe1.0.dr; Binary or memory string: A@p[autorun]
Source: desktop.ini.exe1.0.dr; Binary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
Source: desktop.ini.exe1.0.dr; Binary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000110","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
Source: desktop.ini.exe1.0.dr; Binary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000120","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
Source: desktop.ini.exe1.0.dr; Binary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
Source: desktop.ini.exe1.0.dr; Binary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
Source: desktop.ini.exe1.0.dr; Binary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
Source: desktop.ini.exe1.0.dr; Binary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
Source: desktop.ini.exe1.0.dr; Binary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
Source: desktop.ini.exe1.0.dr; Binary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
Source: desktop.ini.exe1.0.dr; Binary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
Source: desktop.ini.exe1.0.dr; Binary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
Source: desktop.ini.exe1.0.dr; Binary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
Source: desktop.ini.exe1.0.dr; Binary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
Source: desktop.ini.exe1.0.dr; Binary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
Source: desktop.ini.exe1.0.dr; Binary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
Source: AUTORUN.INF.exe.0.dr; Binary or memory string: :\AUTORUN.INF
Source: AUTORUN.INF.exe.0.dr; Binary or memory string: [autorun]
Source: AUTORUN.INF.exe.0.dr; Binary or memory string: AUTORUN.INF
Source: AUTORUN.INF.exe.0.dr; Binary or memory string: AUTORUN.INF(t
Source: AUTORUN.INF.exe.0.dr; Binary or memory string: AUTORUN.INFx
Source: AUTORUN.INF.exe.0.dr; Binary or memory string: A@p[autorun]
Source: AUTORUN.INF.exe.0.dr; Binary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
Source: AUTORUN.INF.exe.0.dr; Binary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000110","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
Source: AUTORUN.INF.exe.0.dr; Binary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000120","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
Source: AUTORUN.INF.exe.0.dr; Binary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
Source: AUTORUN.INF.exe.0.dr; Binary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
Source: AUTORUN.INF.exe.0.dr; Binary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
Source: AUTORUN.INF.exe.0.dr; Binary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
Source: AUTORUN.INF.exe.0.dr; Binary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
Source: AUTORUN.INF.exe.0.dr; Binary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
Source: AUTORUN.INF.exe.0.dr; Binary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
Source: AUTORUN.INF.exe.0.dr; Binary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
Source: AUTORUN.INF.exe.0.dr; Binary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
Source: AUTORUN.INF.exe.0.dr; Binary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
Source: AUTORUN.INF.exe.0.dr; Binary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
Source: AUTORUN.INF.exe.0.dr; Binary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
Source: AUTORUN.INF.exe.0.dr; Binary or memory string: 4'AUTORUN.INFD
Source: .curlrc.exe.0.dr; Binary or memory string: :\AUTORUN.INF
Source: .curlrc.exe.0.dr; Binary or memory string: [autorun]
Source: .curlrc.exe.0.dr; Binary or memory string: AUTORUN.INF
Source: .curlrc.exe.0.dr; Binary or memory string: AUTORUN.INF(t
Source: .curlrc.exe.0.dr; Binary or memory string: AUTORUN.INFx
Source: .curlrc.exe.0.dr; Binary or memory string: A@p[autorun]
              Source: .curlrc.exe.0.drBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: .curlrc.exe.0.drBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000110","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: .curlrc.exe.0.drBinary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000120","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: .curlrc.exe.0.dr | Binary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: .curlrc.exe.0.dr | Binary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: .curlrc.exe.0.dr | Binary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: .curlrc.exe.0.dr | Binary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: .curlrc.exe.0.dr | Binary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: .curlrc.exe.0.dr | Binary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: .curlrc.exe.0.dr | Binary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: .curlrc.exe.0.dr | Binary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: .curlrc.exe.0.dr | Binary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: .curlrc.exe.0.dr | Binary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: .curlrc.exe.0.dr | Binary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: .curlrc.exe.0.dr | Binary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: AUTORUN.INF.0.dr | Binary or memory string: [autorun]
              Source: desktop.ini.exe0.0.dr | Binary or memory string: :\AUTORUN.INF
              Source: desktop.ini.exe0.0.dr | Binary or memory string: [autorun]
              Source: desktop.ini.exe0.0.dr | Binary or memory string: AUTORUN.INF
              Source: desktop.ini.exe0.0.dr | Binary or memory string: AUTORUN.INF(t
              Source: desktop.ini.exe0.0.dr | Binary or memory string: AUTORUN.INFx
              Source: desktop.ini.exe0.0.dr | Binary or memory string: A@p[autorun]
              Source: desktop.ini.exe0.0.dr | Binary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe0.0.dr | Binary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000110","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe0.0.dr | Binary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000120","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: desktop.ini.exe0.0.dr | Binary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe0.0.dr | Binary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe0.0.dr | Binary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe0.0.dr | Binary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe0.0.dr | Binary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: desktop.ini.exe0.0.dr | Binary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe0.0.dr | Binary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe0.0.dr | Binary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe0.0.dr | Binary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe0.0.dr | Binary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: desktop.ini.exe0.0.dr | Binary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe0.0.dr | Binary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe.0.dr | Binary or memory string: :\AUTORUN.INF
              Source: desktop.ini.exe.0.dr | Binary or memory string: [autorun]
              Source: desktop.ini.exe.0.dr | Binary or memory string: AUTORUN.INF
              Source: desktop.ini.exe.0.dr | Binary or memory string: AUTORUN.INF(t
              Source: desktop.ini.exe.0.dr | Binary or memory string: AUTORUN.INFx
              Source: desktop.ini.exe.0.dr | Binary or memory string: A@p[autorun]
              Source: desktop.ini.exe.0.dr | Binary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe.0.dr | Binary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000110","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe.0.dr | Binary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000120","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: desktop.ini.exe.0.dr | Binary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe.0.dr | Binary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe.0.dr | Binary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe.0.dr | Binary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe.0.dr | Binary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: desktop.ini.exe.0.dr | Binary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe.0.dr | Binary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe.0.dr | Binary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe.0.dr | Binary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: desktop.ini.exe.0.dr | Binary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: desktop.ini.exe.0.dr | Binary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: desktop.ini.exe.0.dr | Binary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: AutoRun.exe.0.dr | Binary or memory string: :\AUTORUN.INF
              Source: AutoRun.exe.0.dr | Binary or memory string: [autorun]
              Source: AutoRun.exe.0.dr | Binary or memory string: AUTORUN.INF
              Source: AutoRun.exe.0.dr | Binary or memory string: AUTORUN.INF(t
              Source: AutoRun.exe.0.dr | Binary or memory string: AUTORUN.INFx
              Source: AutoRun.exe.0.dr | Binary or memory string: A@p[autorun]
              Source: AutoRun.exe.0.dr | Binary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: AutoRun.exe.0.dr | Binary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000110","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: AutoRun.exe.0.dr | Binary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000120","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: AutoRun.exe.0.dr | Binary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: AutoRun.exe.0.dr | Binary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: AutoRun.exe.0.dr | Binary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: AutoRun.exe.0.dr | Binary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: AutoRun.exe.0.dr | Binary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: AutoRun.exe.0.dr | Binary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: AutoRun.exe.0.dr | Binary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: AutoRun.exe.0.dr | Binary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: AutoRun.exe.0.dr | Binary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: AutoRun.exe.0.dr | Binary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: AutoRun.exe.0.dr | Binary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: AutoRun.exe.0.dr | Binary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: HelpMe.exe.0.dr | Binary or memory string: :\AUTORUN.INF
              Source: HelpMe.exe.0.dr | Binary or memory string: [autorun]
              Source: HelpMe.exe.0.dr | Binary or memory string: AUTORUN.INF
              Source: HelpMe.exe.0.dr | Binary or memory string: AUTORUN.INF(t
              Source: HelpMe.exe.0.dr | Binary or memory string: AUTORUN.INFx
              Source: HelpMe.exe.0.dr | Binary or memory string: A@p[autorun]
              Source: HelpMe.exe.0.dr | Binary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: HelpMe.exe.0.dr | Binary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000110","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: HelpMe.exe.0.dr | Binary or memory string: "20200219080202.861","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","CreateFileW","SUCCESS","0x00000120","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: HelpMe.exe.0.dr | Binary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: HelpMe.exe.0.dr | Binary or memory string: "20200219080202.871","1748","63ca6d5db8cb42a97e67e81c98b7ffe4b342425f6a9baec9b252f8ef9b853d45","1772","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: HelpMe.exe.0.dr | Binary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: HelpMe.exe.0.dr | Binary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: HelpMe.exe.0.dr | Binary or memory string: "20201024130647.999","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: HelpMe.exe.0.dr | Binary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: HelpMe.exe.0.dr | Binary or memory string: "20201024130648.010","1792","5f6f34cc1391e70f22092181b498750859fb29f2803fc280f49fa6917921a9cb","1748","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: HelpMe.exe.0.dr | Binary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x00000118","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: HelpMe.exe.0.dr | Binary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x000000b8","lpFileName->C:\AUTORUN.INF","dwDesiredAccess->GENERIC_READ"
              Source: HelpMe.exe.0.dr | Binary or memory string: "20201103202142.928","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","CreateFileW","SUCCESS","0x0000011c","lpFileName->C:\AUTORUN.INF.exe","dwDesiredAccess->GENERIC_READ | GENERIC_WRITE"
              Source: HelpMe.exe.0.dr | Binary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","DeleteFileW","FAILURE","","lpFileName->C:\AUTORUN.INF"
              Source: HelpMe.exe.0.dr | Binary or memory string: "20201103202142.938","1024","0fdbe35b386621441a0a7465d5d08fcec1d73acf54ab4ba5eb88d77f380a824e","1016","filesystem","MoveFileWithProgressW","FAILURE","","lpExistingFileName->C:\AUTORUN.INF.exe","lpNewFileName->C:\AUTORUN.INF"
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File opened: C:\Users\user\AppData\Roaming
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File opened: C:\Users\user
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File opened: C:\Users\user\AppData
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
              Source: 250427-sppmmasyfv.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
              Source: 250427-sppmmasyfv.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.dr | String found in binary or memory: http://evcs-aia.ws.symantec.com/evcs.cer0
              Source: 250427-sppmmasyfv.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.dr | String found in binary or memory: http://evcs-crl.ws.symantec.com/evcs.crl0
              Source: 250427-sppmmasyfv.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.dr | String found in binary or memory: http://evcs-ocsp.ws.symantec.com04
              Source: 250427-sppmmasyfv.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.dr | String found in binary or memory: http://ocsp.thawte.com0
              Source: 250427-sppmmasyfv.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
              Source: 250427-sppmmasyfv.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
              Source: 250427-sppmmasyfv.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
              Source: 250427-sppmmasyfv.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.dr | String found in binary or memory: http://www.symauth.com/cps0(
              Source: 250427-sppmmasyfv.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.dr | String found in binary or memory: http://www.symauth.com/cps09
              Source: 250427-sppmmasyfv.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.dr | String found in binary or memory: http://www.symauth.com/rpa04
              Source: 250427-sppmmasyfv.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.dr | String found in binary or memory: http://www.xcat-industries.com/forumNWebsite:
              Source: 250427-sppmmasyfv.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.dr | String found in binary or memory: http://www.xcat-industries.comD(C)opyright

              System Summary

              Source: 250427-sppmmasyfv.bin.exe, type: SAMPLE | Matched rule: Identifies RYUK ransomware, Author: unknown
              Source: 250427-sppmmasyfv.bin.exe, type: SAMPLE | Matched rule: Identifies RYUK ransomware, Author: unknown
              Source: 250427-sppmmasyfv.bin.exe, type: SAMPLE | Matched rule: Identifies RYUK ransomware, Author: unknown
              Source: 250427-sppmmasyfv.bin.exe, type: SAMPLE | Matched rule: Win32_Ransomware_Ryuk, Author: ReversingLabs
              Source: C:\AUTORUN.INF.exe, type: DROPPED | Matched rule: Identifies RYUK ransomware, Author: unknown
              Source: C:\AUTORUN.INF.exe, type: DROPPED | Matched rule: Identifies RYUK ransomware, Author: unknown
              Source: C:\AUTORUN.INF.exe, type: DROPPED | Matched rule: Identifies RYUK ransomware, Author: unknown
              Source: C:\AUTORUN.INF.exe, type: DROPPED | Matched rule: Win32_Ransomware_Ryuk, Author: ReversingLabs
              Source: C:\ProgramData\.curlrc.exe, type: DROPPED | Matched rule: Identifies RYUK ransomware, Author: unknown
              Source: C:\ProgramData\.curlrc.exe, type: DROPPED | Matched rule: Identifies RYUK ransomware, Author: unknown
              Source: C:\ProgramData\.curlrc.exe, type: DROPPED | Matched rule: Identifies RYUK ransomware, Author: unknown
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPED | Matched rule: Identifies RYUK ransomware, Author: unknown
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPED | Matched rule: Identifies RYUK ransomware, Author: unknown
              Source: C:\ProgramData\.curlrc.exe, type: DROPPED | Matched rule: Win32_Ransomware_Ryuk, Author: ReversingLabs
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPED | Matched rule: Identifies RYUK ransomware, Author: unknown
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPED | Matched rule: Win32_Ransomware_Ryuk, Author: ReversingLabs
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPED | Matched rule: Win32_Ransomware_Ryuk, Author: ReversingLabs
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPED | Matched rule: Win32_Ransomware_Ryuk, Author: ReversingLabs
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPED | Matched rule: Win32_Ransomware_Ryuk, Author: ReversingLabs
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPED | Matched rule: Win32_Ransomware_Ryuk, Author: ReversingLabs
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPED | Matched rule: Win32_Ransomware_Ryuk, Author: ReversingLabs
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPED | Matched rule: Win32_Ransomware_Ryuk, Author: ReversingLabs
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPED | Matched rule: Win32_Ransomware_Ryuk, Author: ReversingLabs
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPED | Matched rule: Win32_Ransomware_Ryuk, Author: ReversingLabs
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPED | Matched rule: Win32_Ransomware_Ryuk, Author: ReversingLabs
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPED | Matched rule: Identifies RYUK ransomware, Author: unknown
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPED | Matched rule: Identifies RYUK ransomware, Author: unknown
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPED | Matched rule: Identifies RYUK ransomware, Author: unknown
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPED | Matched rule: Win32_Ransomware_Ryuk, Author: ReversingLabs
              Source: C:\AutoRun.exe, type: DROPPED | Matched rule: Identifies RYUK ransomware, Author: unknown
              Source: C:\AutoRun.exe, type: DROPPED | Matched rule: Identifies RYUK ransomware, Author: unknown
              Source: C:\AutoRun.exe, type: DROPPED | Matched rule: Identifies RYUK ransomware, Author: unknown
              Source: C:\AutoRun.exe, type: DROPPED | Matched rule: Win32_Ransomware_Ryuk, Author: ReversingLabs
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File created: C:\Windows\SysWOW64\HelpMe.exe
              Source: desktop.ini.exe1.0.dr | Static PE information: Number of sections : 11 > 10
              Source: HelpMe.exe.0.dr | Static PE information: Number of sections : 11 > 10
              Source: desktop.ini.exe0.0.dr | Static PE information: Number of sections : 11 > 10
              Source: desktop.ini.exe.0.dr | Static PE information: Number of sections : 11 > 10
              Source: AUTORUN.INF.exe.0.dr | Static PE information: Number of sections : 11 > 10
              Source: .curlrc.exe.0.dr | Static PE information: Number of sections : 11 > 10
              Source: AutoRun.exe.0.dr | Static PE information: Number of sections : 11 > 10
              Source: 250427-sppmmasyfv.bin.exe | Static PE information: Number of sections : 11 > 10
              Source: 250427-sppmmasyfv.bin.exe | Binary or memory string: OriginalFilename antishutdown.exe vs 250427-sppmmasyfv.bin.exe
              Source: 250427-sppmmasyfv.bin.exe | Binary or memory string: OriginalFilename ArmInst.dllf# vs 250427-sppmmasyfv.bin.exe
              Source: 250427-sppmmasyfv.bin.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
              Source: 250427-sppmmasyfv.bin.exe, type: SAMPLE | Matched rule: Windows_Ransomware_Ryuk_878bae7e os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = 93a501463bb2320a9ab824d70333da2b6f635eb5958d6f8de43fde3a21de2298, id = 878bae7e-1e53-4648-93aa-b4075eef256d, last_modified = 2021-08-23
              Source: 250427-sppmmasyfv.bin.exe, type: SAMPLE | Matched rule: Windows_Ransomware_Ryuk_6c726744 os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = d0a4608907e48d02d78ff40a59d47cad1b9258df31b7312dd1a85f8fee2a28d5, id = 6c726744-acdb-443a-b683-b11f8b657f7a, last_modified = 2021-08-23
              Source: 250427-sppmmasyfv.bin.exe, type: SAMPLE | Matched rule: Windows_Ransomware_Ryuk_8ba51798 os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = 8e284bc6015502577a6ddd140b9cd110fd44d4d2cb55d0fdec5bebf3356fd7b3, id = 8ba51798-15d7-4f02-97fa-1844465ae9d8, last_modified = 2021-08-23
              Source: 250427-sppmmasyfv.bin.exe, type: SAMPLE | Matched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\AUTORUN.INF.exe, type: DROPPED | Matched rule: Windows_Ransomware_Ryuk_878bae7e os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = 93a501463bb2320a9ab824d70333da2b6f635eb5958d6f8de43fde3a21de2298, id = 878bae7e-1e53-4648-93aa-b4075eef256d, last_modified = 2021-08-23
              Source: C:\AUTORUN.INF.exe, type: DROPPED | Matched rule: Windows_Ransomware_Ryuk_6c726744 os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = d0a4608907e48d02d78ff40a59d47cad1b9258df31b7312dd1a85f8fee2a28d5, id = 6c726744-acdb-443a-b683-b11f8b657f7a, last_modified = 2021-08-23
              Source: C:\AUTORUN.INF.exe, type: DROPPED | Matched rule: Windows_Ransomware_Ryuk_8ba51798 os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = 8e284bc6015502577a6ddd140b9cd110fd44d4d2cb55d0fdec5bebf3356fd7b3, id = 8ba51798-15d7-4f02-97fa-1844465ae9d8, last_modified = 2021-08-23
              Source: C:\AUTORUN.INF.exe, type: DROPPED | Matched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\ProgramData\.curlrc.exe, type: DROPPED | Matched rule: Windows_Ransomware_Ryuk_878bae7e os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = 93a501463bb2320a9ab824d70333da2b6f635eb5958d6f8de43fde3a21de2298, id = 878bae7e-1e53-4648-93aa-b4075eef256d, last_modified = 2021-08-23
              Source: C:\ProgramData\.curlrc.exe, type: DROPPED | Matched rule: Windows_Ransomware_Ryuk_6c726744 os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = d0a4608907e48d02d78ff40a59d47cad1b9258df31b7312dd1a85f8fee2a28d5, id = 6c726744-acdb-443a-b683-b11f8b657f7a, last_modified = 2021-08-23
              Source: C:\ProgramData\.curlrc.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_8ba51798 os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = 8e284bc6015502577a6ddd140b9cd110fd44d4d2cb55d0fdec5bebf3356fd7b3, id = 8ba51798-15d7-4f02-97fa-1844465ae9d8, last_modified = 2021-08-23
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_878bae7e os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = 93a501463bb2320a9ab824d70333da2b6f635eb5958d6f8de43fde3a21de2298, id = 878bae7e-1e53-4648-93aa-b4075eef256d, last_modified = 2021-08-23
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_6c726744 os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = d0a4608907e48d02d78ff40a59d47cad1b9258df31b7312dd1a85f8fee2a28d5, id = 6c726744-acdb-443a-b683-b11f8b657f7a, last_modified = 2021-08-23
              Source: C:\ProgramData\.curlrc.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_8ba51798 os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = 8e284bc6015502577a6ddd140b9cd110fd44d4d2cb55d0fdec5bebf3356fd7b3, id = 8ba51798-15d7-4f02-97fa-1844465ae9d8, last_modified = 2021-08-23
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_878bae7e os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = 93a501463bb2320a9ab824d70333da2b6f635eb5958d6f8de43fde3a21de2298, id = 878bae7e-1e53-4648-93aa-b4075eef256d, last_modified = 2021-08-23
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_6c726744 os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = d0a4608907e48d02d78ff40a59d47cad1b9258df31b7312dd1a85f8fee2a28d5, id = 6c726744-acdb-443a-b683-b11f8b657f7a, last_modified = 2021-08-23
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_8ba51798 os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = 8e284bc6015502577a6ddd140b9cd110fd44d4d2cb55d0fdec5bebf3356fd7b3, id = 8ba51798-15d7-4f02-97fa-1844465ae9d8, last_modified = 2021-08-23
              Source: C:\Windows\SysWOW64\HelpMe.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: C:\AutoRun.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_878bae7e os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = 93a501463bb2320a9ab824d70333da2b6f635eb5958d6f8de43fde3a21de2298, id = 878bae7e-1e53-4648-93aa-b4075eef256d, last_modified = 2021-08-23
              Source: C:\AutoRun.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_6c726744 os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = d0a4608907e48d02d78ff40a59d47cad1b9258df31b7312dd1a85f8fee2a28d5, id = 6c726744-acdb-443a-b683-b11f8b657f7a, last_modified = 2021-08-23
              Source: C:\AutoRun.exe, type: DROPPEDMatched rule: Windows_Ransomware_Ryuk_8ba51798 os = windows, severity = x86, description = Identifies RYUK ransomware, creation_date = 2020-04-30, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk, license = Elastic License v2, threat_name = Windows.Ransomware.Ryuk, fingerprint = 8e284bc6015502577a6ddd140b9cd110fd44d4d2cb55d0fdec5bebf3356fd7b3, id = 8ba51798-15d7-4f02-97fa-1844465ae9d8, last_modified = 2021-08-23
              Source: C:\AutoRun.exe, type: DROPPEDMatched rule: Win32_Ransomware_Ryuk tc_detection_name = Ryuk, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
              Source: 250427-sppmmasyfv.bin.exeStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: HelpMe.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: AutoRun.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: desktop.ini.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: desktop.ini.exe0.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: desktop.ini.exe1.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: AUTORUN.INF.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: .curlrc.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: 250427-sppmmasyfv.bin.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
              Source: HelpMe.exe.0.drStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
              Source: AutoRun.exe.0.drStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
              Source: desktop.ini.exe.0.drStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
              Source: desktop.ini.exe0.0.drStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
              Source: desktop.ini.exe1.0.drStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
              Source: AUTORUN.INF.exe.0.drStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
              Source: .curlrc.exe.0.drStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
              Source: HelpMe.exe.0.drBinary string: \Device\PhysicalMemorySV
              Source: 250427-sppmmasyfv.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.drBinary or memory string: @P@*\AE:\vbprojects\shutdownstop\Project1.vbp
              Source: classification engineClassification label: mal100.spre.evad.winEXE@5/14@0/0
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnkJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeFile read: C:\Users\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
              Source: 250427-sppmmasyfv.bin.exeVirustotal: Detection: 87%
              Source: 250427-sppmmasyfv.bin.exeReversingLabs: Detection: 91%
              Source: 250427-sppmmasyfv.bin.exeString found in binary or memory: <InstallPath>C:\Program Files (x86)\Adobe\Reader 8.0\Reader</InstallPath>
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeFile read: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe "C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe"
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeProcess created: C:\Windows\SysWOW64\HelpMe.exe C:\Windows\system32\HelpMe.exe
              Source: unknownProcess created: C:\Windows\SysWOW64\HelpMe.exe "C:\Windows\SysWOW64\HelpMe.exe"
              Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeProcess created: C:\Windows\SysWOW64\HelpMe.exe C:\Windows\system32\HelpMe.exeJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeSection loaded: textinputframework.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeSection loaded: coreuicomponents.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeSection loaded: linkinfo.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeSection loaded: ntshrui.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeSection loaded: cscapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: textinputframework.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: coreuicomponents.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: linkinfo.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: ntshrui.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: cscapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: textinputframework.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: coreuicomponents.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
              Source: Soft.lnk.0.drLNK file: ..\..\..\..\..\..\..\..\..\Windows\SysWOW64\HelpMe.exe
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeAutomated click: OK
              Source: C:\Windows\SysWOW64\HelpMe.exeAutomated click: OK
              Source: C:\Windows\SysWOW64\HelpMe.exeAutomated click: OK
              Source: 250427-sppmmasyfv.bin.exeStatic file information: File size 2569400 > 1048576
              Source: 250427-sppmmasyfv.bin.exeStatic PE information: section name: .aspack
              Source: 250427-sppmmasyfv.bin.exeStatic PE information: section name: .adata
              Source: 250427-sppmmasyfv.bin.exeStatic PE information: section name: .SCY
              Source: HelpMe.exe.0.drStatic PE information: section name: .aspack
              Source: HelpMe.exe.0.drStatic PE information: section name: .adata
              Source: HelpMe.exe.0.drStatic PE information: section name: .SCY
              Source: AutoRun.exe.0.drStatic PE information: section name: .aspack
              Source: AutoRun.exe.0.drStatic PE information: section name: .adata
              Source: AutoRun.exe.0.drStatic PE information: section name: .SCY
              Source: desktop.ini.exe.0.drStatic PE information: section name: .aspack
              Source: desktop.ini.exe.0.drStatic PE information: section name: .adata
              Source: desktop.ini.exe.0.drStatic PE information: section name: .SCY
              Source: desktop.ini.exe0.0.drStatic PE information: section name: .aspack
              Source: desktop.ini.exe0.0.drStatic PE information: section name: .adata
              Source: desktop.ini.exe0.0.drStatic PE information: section name: .SCY
              Source: desktop.ini.exe1.0.drStatic PE information: section name: .aspack
              Source: desktop.ini.exe1.0.drStatic PE information: section name: .adata
              Source: desktop.ini.exe1.0.drStatic PE information: section name: .SCY
              Source: AUTORUN.INF.exe.0.drStatic PE information: section name: .aspack
              Source: AUTORUN.INF.exe.0.drStatic PE information: section name: .adata
              Source: AUTORUN.INF.exe.0.drStatic PE information: section name: .SCY
              Source: .curlrc.exe.0.drStatic PE information: section name: .aspack
              Source: .curlrc.exe.0.drStatic PE information: section name: .adata
              Source: .curlrc.exe.0.drStatic PE information: section name: .SCY

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Executable created and started: C:\Windows\SysWOW64\HelpMe.exe
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini (copy)
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini.exe
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File created: C:\ProgramData\.curlrc.exe
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File created: C:\AUTORUN.INF.exe
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File created: C:\Documents and Settings\All Users\.curlrc (copy)
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini.exe
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File created: C:\Windows\SysWOW64\HelpMe.exe
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini (copy)
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini (copy)
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File created: C:\AutoRun.exe
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File created: C:\ProgramData\.curlrc.exe
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File created: C:\Windows\SysWOW64\HelpMe.exe

Boot Survival

Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL CheckedValue
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File created: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Dropped PE file which has not been started: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini (copy)
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Dropped PE file which has not been started: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Dropped PE file which has not been started: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini.exe
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Dropped PE file which has not been started: C:\ProgramData\.curlrc.exe
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Dropped PE file which has not been started: C:\AUTORUN.INF.exe
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Dropped PE file which has not been started: C:\Documents and Settings\All Users\.curlrc (copy)
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Dropped PE file which has not been started: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini.exe
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Dropped PE file which has not been started: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1001\desktop.ini (copy)
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Dropped PE file which has not been started: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini (copy)
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: 250427-sppmmasyfv.bin.exe, 00000000.00000002.2397337611.000000000060C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\5
Source: 250427-sppmmasyfv.bin.exe, 00000000.00000002.2397337611.000000000060C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\250427-sppmmasyfv.bin.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\HelpMe.exeQueries volume information: C:\ VolumeInformationJump to behavior
MITRE ATT&CK matrix, one line per tactic column. A number in parentheses is the count badge the report shows next to that technique; techniques without a count are the matrix's default placeholder entries.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Replication Through Removable Media (12); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd
Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (12); Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Registry Run Keys / Startup Folder (12); Login Hook; Network Logon Script
Defense Evasion: Masquerading (121); Rundll32 (1); Process Injection (1); Hidden Files and Directories (2); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (11); Peripheral Device Discovery (11); File and Directory Discovery (2); System Information Discovery (11); Internet Connection Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 1675509 | Sample: 250427-sppmmasyfv.bin.exe | Startdate: 27/04/2025 | Architecture: WINDOWS | Score: 100

The graph, written out as an outline (numbers in parentheses are the count badges drawn next to a process node):

• Start node signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 3 other signatures
• Started from the start node: 250427-sppmmasyfv.bin.exe (13); HelpMe.exe (2); rundll32.exe
• 250427-sppmmasyfv.bin.exe
  • dropped: C:\Windows\SysWOW64\HelpMe.exe, PE32; C:\ProgramData\.curlrc.exe, PE32; C:\Documents and Settings\...\.curlrc (copy), PE32; 10 other malicious files
  • signatures: Creates files in the recycle bin to hide itself; Creates an undocumented autostart registry key; Creates autorun.inf (USB autostart); 2 other signatures
  • started: HelpMe.exe (3)
• HelpMe.exe (started by 250427-sppmmasyfv.bin.exe)
  • signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file

Source | Detection | Scanner | Label
250427-sppmmasyfv.bin.exe | 87% | Virustotal |
250427-sppmmasyfv.bin.exe | 92% | ReversingLabs | Win32.Worm.Stihat
250427-sppmmasyfv.bin.exe | 100% | Avira | TR/Crypt.ASPM.Gen
Source | Detection | Scanner | Label
C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe | 100% | Avira | TR/Crypt.ASPM.Gen
C:\AUTORUN.INF.exe | 100% | Avira | TR/Crypt.ASPM.Gen
C:\ProgramData\.curlrc.exe | 100% | Avira | TR/Crypt.ASPM.Gen
C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe | 100% | Avira | TR/Crypt.ASPM.Gen
C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe | 100% | Avira | TR/Crypt.ASPM.Gen
C:\AutoRun.exe | 100% | Avira | TR/Crypt.ASPM.Gen
C:\Windows\SysWOW64\HelpMe.exe | 100% | Avira | TR/Crypt.ASPM.Gen
C:\AutoRun.exe | 92% | ReversingLabs | Win32.Worm.Stihat
C:\Windows\SysWOW64\HelpMe.exe | 92% | ReversingLabs | Win32.Worm.Stihat
(The recycle-bin desktop.ini.exe path appears three times because the file was written three times with different content; the three versions are listed separately under dropped files below.)
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label
http://www.xcat-industries.comD(C)opyright | 0% | Avira URL Cloud | safe
http://www.xcat-industries.com/forumNWebsite: | 0% | Avira URL Cloud | safe
              No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://www.xcat-industries.com/forumNWebsite: | false | Avira URL Cloud: safe | unknown
http://www.symauth.com/rpa04 | false | | high
http://www.xcat-industries.comD(C)opyright | false | Avira URL Cloud: safe | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | false | | high
http://www.symauth.com/cps09 | false | | high
http://www.symauth.com/cps0( | false | | high
http://ocsp.thawte.com0 | false | | high

Source for every URL above: 250427-sppmmasyfv.bin.exe, desktop.ini.exe1.0.dr, AUTORUN.INF.exe.0.dr, .curlrc.exe.0.dr, desktop.ini.exe0.0.dr, desktop.ini.exe.0.dr, AutoRun.exe.0.dr, HelpMe.exe.0.dr. The trailing characters after several URLs (e.g. "rpa04", "crl0", "cps0(") are bytes adjacent to the string in the binary that the string extractor carried along; the symauth/thawte URLs are the policy, CRL and OCSP references of an Authenticode signature chain, not contacted hosts.
                        No contacted IP infos
                        Joe Sandbox version:42.0.0 Malachite
                        Analysis ID:1675509
                        Start date and time:2025-04-27 17:24:23 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 4m 25s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:250427-sppmmasyfv.bin.exe
                        Detection:MAL
                        Classification:mal100.spre.evad.winEXE@5/14@0/0
                        EGA Information:Failed
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 184.29.183.29, 4.245.163.56, 4.175.87.197
                        • Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
16:25:25 | AutostartRun | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
16:25:42 | AutostartRun | WinLogon Shell
16:25:50 | AutostartRun | WinLogon Shell HelpMe.exe
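The two "WinLogon Shell" entries in the timeline refer to the Winlogon `Shell` value, which Windows reads as a comma-separated program list; appending a name to `explorer.exe` starts it at every interactive logon. The report does not print the key path; the standard location is `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` (a per-user copy under HKCU is honoured as well and is normally absent). The following check is an added example written for this page, not code from the report or the sandbox vendor; the sample `Shell` strings are constructed, and treating any HKCU `Shell` value as a finding is this example's own policy.

```python
import sys
from typing import Dict, List

# Standard Winlogon key; the report does not state the path, so this is the
# documented default location rather than a value taken from the sandbox run.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_SHELL = "explorer.exe"


def parse_shell_value(value: str) -> List[str]:
    """Split a Winlogon Shell value into its program entries.
    Winlogon launches every comma-separated entry at logon."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def unexpected_shell_entries(value: str, expected: str = DEFAULT_SHELL) -> List[str]:
    """Everything in the Shell list that is not the expected desktop shell."""
    return [e for e in parse_shell_value(value) if e.lower() != expected.lower()]


def evaluate(values: Dict[str, str]) -> Dict[str, List[str]]:
    """values maps a hive label ('HKLM'/'HKCU') to its Shell string.
    Returns the hives worth a closer look: any hive whose Shell carries an
    extra program, plus HKCU whenever it has a Shell value at all (assumption
    of this example: a per-user Shell value is not set by default)."""
    findings: Dict[str, List[str]] = {}
    for hive, value in values.items():
        extra = unexpected_shell_entries(value)
        if extra or hive.upper() == "HKCU":
            findings[hive] = extra
    return findings


def read_live_shell_values() -> Dict[str, str]:
    """Read Shell from HKLM and HKCU on a Windows host; {} on other platforms."""
    out: Dict[str, str] = {}
    if sys.platform != "win32":
        return out
    import winreg
    for label, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                        ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, WINLOGON_KEY) as key:
                out[label] = winreg.QueryValueEx(key, "Shell")[0]
        except OSError:
            pass  # key or value absent, which is the normal state for HKCU
    return out


if __name__ == "__main__":
    # Constructed sample mirroring the report's "WinLogon Shell HelpMe.exe"
    # entry, used when not running on Windows.
    live = read_live_shell_values() or {"HKLM": "explorer.exe,HelpMe.exe"}
    print(evaluate(live))
```

On a live host `read_live_shell_values()` needs no elevation to read either hive; pair it with a look at the Startup folder named in the first timeline row, since the sample used both locations.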
                        No context
                        Process:C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2570065
                        Entropy (8bit):6.006834779827687
                        Encrypted:false
                        SSDEEP:12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCq:eEtl9mRda12sX7hKB8NIyXbacAfu4
                        MD5:40FDB7EB566633B29C19F4CF040028A5
                        SHA1:3D424814F4112F120BD5E5442B07132F92EA764E
                        SHA-256:6A68159FC62BC657D3FE50DFDECC0AA2280E286A49196FA0C04C2D49A24619B0
                        SHA-512:B45E70534786D55FD0793C97B15A89D159F009864E845FD38B7F25A8B746692A036864515DAEF2E65EA4E250A0ECE2C03F7982D2E9B9699C2F7E8AB494B9611E
                        Malicious:true
                        Reputation:low
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................h........r..................TO..............................<O......................................................CODE................................@...DATA..... ..........................@...BSS.................................@....idata...0.......&..................@....tls.........0......................@....rdata.......@......................@....reloc...p...P......................@....rsrc............r..................@....aspack..0...@...0...r..............@....adata.......p......................@....SCY.....0.......&..................`...........................................................
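The Preview above is enough to read the section table by eye: `MZP` and "This program must be run under Win32" are the DOS stub the Borland/Delphi linker writes, `CODE`/`DATA`/`BSS` are its section names, and `.aspack`/`.adata` are the sections the ASPack packer adds (the meaning of `.SCY` is not established by this report). Eleven sections with those names is what the "more sections than normal" and "non-standard names" signatures react to. The scanner below is an added example written for this page, not the sandbox's signature logic; it parses the section table with `struct` alone and exercises itself on a header-only PE image constructed to carry exactly the eleven names seen above. The packer-name list and the "more than 8 sections" threshold are this example's own assumptions. Note also that the Yara rules listed further down for the same file name a ransomware family; that does not fit the AV labels (Win32.Worm.Stihat) or the behaviour recorded here, so those hits deserve independent verification rather than being taken at face value.

```python
import struct
from typing import Dict, List

# Section names read off the Preview of the dropped file above.
OBSERVED_SECTIONS = ["CODE", "DATA", "BSS", ".idata", ".tls", ".rdata", ".reloc",
                     ".rsrc", ".aspack", ".adata", ".SCY"]

# Compiler/linker section names that need no explanation (MSVC plus Borland's CODE/DATA/BSS).
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".pdata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".crt", ".debug", "code", "data", "bss"}
# Packer section names this example recognises (its own list, not the sandbox's).
PACKER_SECTIONS = {".aspack": "ASPack", ".adata": "ASPack", "upx0": "UPX", "upx1": "UPX",
                   "upx2": "UPX", ".petite": "Petite", ".vmp0": "VMProtect", ".vmp1": "VMProtect",
                   ".themida": "Themida", ".mpress1": "MPRESS", ".mpress2": "MPRESS",
                   ".nsp0": "NsPack", ".nsp1": "NsPack", ".nsp2": "NsPack"}
# The report does not state its threshold for "more sections than normal"; assumption.
MAX_NORMAL_SECTIONS = 8


def build_pe_header(names: List[str], borland_stub: bool = True) -> bytes:
    """Construct a header-only PE32 image with the given section table.
    Test input for the parser only; it is not a loadable executable."""
    e_lfanew = 0x80
    dos = bytearray(b"MZP" if borland_stub else b"MZ\x00")
    dos += b"\x00" * (e_lfanew - len(dos))
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)          # e_lfanew -> PE signature
    opt_size = 0xE0                                        # PE32 optional header size
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)   # PE32 magic, rest zeroed
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode("ascii"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(names))
    return bytes(dos) + b"PE\x00\x00" + coff + opt + table


def section_names(data: bytes) -> List[str]:
    """DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    table_off = coff_off + 20 + opt_size               # section table follows the optional header
    names = []
    for i in range(nsections):                          # 40-byte IMAGE_SECTION_HEADER entries
        raw = struct.unpack_from("<8s", data, table_off + 40 * i)[0]
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def classify(data: bytes) -> Dict[str, object]:
    """Summarise what the section table says about packing and toolchain."""
    names = section_names(data)
    lowered = [n.lower() for n in names]
    packers = sorted({PACKER_SECTIONS[n] for n in lowered if n in PACKER_SECTIONS})
    non_standard = [n for n, low in zip(names, lowered) if low not in STANDARD_SECTIONS]
    return {
        "section_count": len(names),
        "too_many_sections": len(names) > MAX_NORMAL_SECTIONS,
        "non_standard": non_standard,
        "packers": packers,
        "borland_stub": data[:3] == b"MZP",            # Delphi/Borland DOS stub signature
    }


if __name__ == "__main__":
    print(classify(build_pe_header(OBSERVED_SECTIONS)))
```

Run `classify(open(path, "rb").read())` against a real dropped file to reproduce the same verdict; a packer hit means the strings and imports visible on disk belong to the ASPack stub, so static string extraction (as in the URL table above) only sees what the packer left unencrypted.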
                        Process:C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2570065
                        Entropy (8bit):6.006834779827687
                        Encrypted:false
                        SSDEEP:12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCq:eEtl9mRda12sX7hKB8NIyXbacAfu4
                        MD5:40FDB7EB566633B29C19F4CF040028A5
                        SHA1:3D424814F4112F120BD5E5442B07132F92EA764E
                        SHA-256:6A68159FC62BC657D3FE50DFDECC0AA2280E286A49196FA0C04C2D49A24619B0
                        SHA-512:B45E70534786D55FD0793C97B15A89D159F009864E845FD38B7F25A8B746692A036864515DAEF2E65EA4E250A0ECE2C03F7982D2E9B9699C2F7E8AB494B9611E
                        Malicious:true
                        Yara Hits:
                        • Rule: JoeSecurity_Autorun, Description: Yara detected Autorun, Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, Author: Joe Security
                        • Rule: Windows_Ransomware_Ryuk_878bae7e, Description: Identifies RYUK ransomware, Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, Author: unknown
                        • Rule: Windows_Ransomware_Ryuk_6c726744, Description: Identifies RYUK ransomware, Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, Author: unknown
                        • Rule: Windows_Ransomware_Ryuk_8ba51798, Description: Identifies RYUK ransomware, Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, Author: unknown
• Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini.exe, Author: ReversingLabs (this hit is listed 10 times in the report)
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Avira, Detection: 100%
                        Reputation:low
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................h........r..................TO..............................<O......................................................CODE................................@...DATA..... ..........................@...BSS.................................@....idata...0.......&..................@....tls.........0......................@....rdata.......@......................@....reloc...p...P......................@....rsrc............r..................@....aspack..0...@...0...r..............@....adata.......p......................@....SCY.....0.......&..................`...........................................................
                        Process:C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2570065
                        Entropy (8bit):6.006836553816437
                        Encrypted:false
                        SSDEEP:12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MC6:eEtl9mRda12sX7hKB8NIyXbacAfuA
                        MD5:560C2791039D9E09BBBE26C7DC02638B
                        SHA1:7228B390DDF3DCC3609E249DBAB9E3D47C7945B3
                        SHA-256:F406AA042326E0802157B07BB6D7038215ED0973E49F0AE44E78A481A6B90440
                        SHA-512:B361C6AE768EC02B262E48993CDFF398EF6C274605FD551A53802918E7495B60259EEFC47294341798701673B0A5599907CC786E6D8D8FEB6E6D25F3F18834B3
                        Malicious:true
                        Reputation:low
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................h........r..................TO..............................<O......................................................CODE................................@...DATA..... ..........................@...BSS.................................@....idata...0.......&..................@....tls.........0......................@....rdata.......@......................@....reloc...p...P......................@....rsrc............r..................@....aspack..0...@...0...r..............@....adata.......p......................@....SCY.....0.......&..................`...........................................................
                        Process:C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2570065
                        Entropy (8bit):6.006836553816437
                        Encrypted:false
                        SSDEEP:12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MC6:eEtl9mRda12sX7hKB8NIyXbacAfuA
                        MD5:560C2791039D9E09BBBE26C7DC02638B
                        SHA1:7228B390DDF3DCC3609E249DBAB9E3D47C7945B3
                        SHA-256:F406AA042326E0802157B07BB6D7038215ED0973E49F0AE44E78A481A6B90440
                        SHA-512:B361C6AE768EC02B262E48993CDFF398EF6C274605FD551A53802918E7495B60259EEFC47294341798701673B0A5599907CC786E6D8D8FEB6E6D25F3F18834B3
                        Malicious:true
                        Reputation:low
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................h........r..................TO..............................<O......................................................CODE................................@...DATA..... ..........................@...BSS.................................@....idata...0.......&..................@....tls.........0......................@....rdata.......@......................@....reloc...p...P......................@....rsrc............r..................@....aspack..0...@...0...r..............@....adata.......p......................@....SCY.....0.......&..................`...........................................................
                        Process:C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2570065
                        Entropy (8bit):6.006835131654458
                        Encrypted:false
                        SSDEEP:12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCK:eEtl9mRda12sX7hKB8NIyXbacAfug
                        MD5:CAA9284279F62C61665E2D51AB83AEE1
                        SHA1:2B7F4697E15E9C55EC65E0114BF47C0DEACB55F7
                        SHA-256:065DF1D527655F2DA57BFED9E51A6EE156527F71F8275A2E47F76C0311903336
                        SHA-512:48D93E3EB698A20C9BA2E12E29163C592F607BEDDF818F5C2893D877821785FC4259D23F6CC6E7E4D6E16AC92E3BB0CA92B2EE95482D046BE8DCCF9FA1730DAE
                        Malicious:true
                        Reputation:low
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................h........r..................TO..............................<O......................................................CODE................................@...DATA..... ..........................@...BSS.................................@....idata...0.......&..................@....tls.........0......................@....rdata.......@......................@....reloc...p...P......................@....rsrc............r..................@....aspack..0...@...0...r..............@....adata.......p......................@....SCY.....0.......&..................`...........................................................
                        Process:C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2570065
                        Entropy (8bit):6.006835131654458
                        Encrypted:false
                        SSDEEP:12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCK:eEtl9mRda12sX7hKB8NIyXbacAfug
                        MD5:CAA9284279F62C61665E2D51AB83AEE1
                        SHA1:2B7F4697E15E9C55EC65E0114BF47C0DEACB55F7
                        SHA-256:065DF1D527655F2DA57BFED9E51A6EE156527F71F8275A2E47F76C0311903336
                        SHA-512:48D93E3EB698A20C9BA2E12E29163C592F607BEDDF818F5C2893D877821785FC4259D23F6CC6E7E4D6E16AC92E3BB0CA92B2EE95482D046BE8DCCF9FA1730DAE
                        Malicious:true
                        Reputation:low
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................h........r..................TO..............................<O......................................................CODE................................@...DATA..... ..........................@...BSS.................................@....idata...0.......&..................@....tls.........0......................@....rdata.......@......................@....reloc...p...P......................@....rsrc............r..................@....aspack..0...@...0...r..............@....adata.......p......................@....SCY.....0.......&..................`...........................................................
                        Process:C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe
                        File Type:Microsoft Windows Autorun file
                        Category:dropped
                        Size (bytes):145
                        Entropy (8bit):4.495390911637936
                        Encrypted:false
                        SSDEEP:3:It1KV0jkACoidYuu8koYvK3UACoieiKSHgpoYvK3UACoi0nKkACov:e1KIrOYz8kFEZrygfEZr4Jrv
                        MD5:CA13857B2FD3895A39F09D9DDE3CCA97
                        SHA1:8B78C5B2EC97C372EBDCEF92D14B0998F8DD6DD0
                        SHA-256:CFE448B4506A95B33B529EFA88F1AC704D8BDF98A941C065650EAD27609318AE
                        SHA-512:55E5B5325968D1E5314527FB2D26012F5AAE4A1C38E305417BE273400CB1C6D0C22B85BDDB501D7A5720A3F53BB5CAF6ADA8A7894232344C4F6C6EF85D226B47
                        Malicious:true
                        Reputation:moderate, very likely benign file
                        Preview:[autorun]..open=AutoRun.exe..shell\1=Open..shell\1\Command=AutoRun.exe..shell\2\=Browser..shell\2\Command=AutoRun.exe..shellexecute=AutoRun.exe..
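This 145-byte file is what the "Creates autorun.inf (USB autostart)" signature refers to (the ".." in the Preview are CR LF line endings). Every directive that can launch a program (`open=`, `shellexecute=` and both `shell\<verb>\Command=`) points at `AutoRun.exe` in the drive root, and the verb labels `Open` and `Browser` are chosen so the malicious entries look like Explorer's own actions in the drive's context menu. Windows 7 and later (and XP/Vista with KB971029) no longer execute autorun.inf from non-optical removable media, so this is a legacy spreading vector, but an autorun.inf that points at an executable in the drive root is still a reliable triage indicator. The parser below is an added example written for this page, not code from the report; it is fed the file content exactly as shown above, and the list of verb labels it treats as mimicry is its own heuristic.

```python
from typing import Dict, List

# The dropped autorun.inf, reconstructed verbatim from the Preview above.
AUTORUN_INF = (
    "[autorun]\r\n"
    "open=AutoRun.exe\r\n"
    "shell\\1=Open\r\n"
    "shell\\1\\Command=AutoRun.exe\r\n"
    "shell\\2\\=Browser\r\n"
    "shell\\2\\Command=AutoRun.exe\r\n"
    "shellexecute=AutoRun.exe\r\n"
)

# Labels that imitate Explorer's built-in drive actions (this example's own list).
MIMIC_LABELS = {"open", "explore", "browse", "browser", "autoplay"}


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [autorun] section with lower-cased keys.
    Hand-rolled because keys contain backslashes and may end in a stray
    backslash (shell\\2\\=Browser), which generic INI parsers mangle."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def _parts(key: str) -> List[str]:
    return [p for p in key.split("\\") if p]


def launch_targets(entries: Dict[str, str]) -> Dict[str, str]:
    """Every directive that can start a program, mapped to what it starts."""
    targets: Dict[str, str] = {}
    for key, value in entries.items():
        parts = _parts(key)
        if key in ("open", "shellexecute"):
            targets[key] = value
        elif len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            targets[key] = value
    return targets


def verb_labels(entries: Dict[str, str]) -> Dict[str, str]:
    """shell\\<verb>=<label>: the text Explorer shows for that verb in the context menu."""
    return {p[1]: v for k, v in entries.items()
            for p in [_parts(k)] if len(p) == 2 and p[0] == "shell"}


def assess(text: str) -> Dict[str, object]:
    """Triage verdict for one autorun.inf: what it launches and how it disguises it."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    labels = verb_labels(entries)
    executables = sorted({v for v in targets.values() if v.lower().endswith(".exe")})
    # A bare file name resolves relative to the drive root, the worm's usual drop location.
    root_relative = [e for e in executables if "\\" not in e and "/" not in e]
    return {
        "targets": targets,
        "executables": executables,
        "root_relative": root_relative,
        "labels": labels,
        "mimicking_labels": [v for v in labels.values() if v.lower() in MIMIC_LABELS],
        "suspicious": bool(executables),
    }


if __name__ == "__main__":
    print(assess(AUTORUN_INF))
```

For sweeping mounted media, call `assess()` on each `<drive>:\autorun.inf` and pair a `suspicious` verdict with a hash of the referenced executable; on this sample the hash will match one of the dropped PE32 files listed in this report.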
                        Process:C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2570081
                        Entropy (8bit):6.00686501170452
                        Encrypted:false
                        SSDEEP:12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MC5:eEtl9mRda12sX7hKB8NIyXbacAfuP
                        MD5:419C75DF9E8BF22A215C4D98613546EE
                        SHA1:DE0606965362900B997C12F25EFEFED4ADAE0797
                        SHA-256:6BFA84B22119DE3FDBCCF67A17D8F3B1B7B2FD23479A03678636D9E4FD213357
                        SHA-512:0A14310BED0332AA98860EC17531FC68FF935AE624676B129D7EEB285EEC47FAD8CA0CA436127055BBADDF7375D96485EC4991B19DE82D7F75F3014A56552E8D
                        Malicious:true
                        Yara Hits:
                        • Rule: JoeSecurity_Autorun, Description: Yara detected Autorun, Source: C:\AUTORUN.INF.exe, Author: Joe Security
                        • Rule: Windows_Ransomware_Ryuk_878bae7e, Description: Identifies RYUK ransomware, Source: C:\AUTORUN.INF.exe, Author: unknown
                        • Rule: Windows_Ransomware_Ryuk_6c726744, Description: Identifies RYUK ransomware, Source: C:\AUTORUN.INF.exe, Author: unknown
                        • Rule: Windows_Ransomware_Ryuk_8ba51798, Description: Identifies RYUK ransomware, Source: C:\AUTORUN.INF.exe, Author: unknown
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\AUTORUN.INF.exe, Author: ReversingLabs
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................h........r..................TO..............................<O......................................................CODE................................@...DATA..... ..........................@...BSS.................................@....idata...0.......&..................@....tls.........0......................@....rdata.......@......................@....reloc...p...P......................@....rsrc............r..................@....aspack..0...@...0...r..............@....adata.......p......................@....SCY.....0.......&..................`...........................................................
                        Process:C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2569400
                        Entropy (8bit):6.0070224944586865
                        Encrypted:false
                        SSDEEP:12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCo:eEtl9mRda12sX7hKB8NIyXbacAfue
                        MD5:1E8ACCE9B5A48687C4F4A087D651EA29
                        SHA1:1187738D7B4618376640FD0F7784FE41C0D83084
                        SHA-256:639A920F5FCF111AF3A94D8C59A272D70AC274628975D541C4FD36B834A8178A
                        SHA-512:CDDBE4E814F34FAC9F3AD7A5244FB1895929762288EEAE5E4185ECC65094E1F73DD4B4BE0B084126BBE0111E85D31FB4AB64CA885177C74735976A1B77AA732F
                        Malicious:true
                        Yara Hits:
                        • Rule: JoeSecurity_Autorun, Description: Yara detected Autorun, Source: C:\AutoRun.exe, Author: Joe Security
                        • Rule: Windows_Ransomware_Ryuk_878bae7e, Description: Identifies RYUK ransomware, Source: C:\AutoRun.exe, Author: unknown
                        • Rule: Windows_Ransomware_Ryuk_6c726744, Description: Identifies RYUK ransomware, Source: C:\AutoRun.exe, Author: unknown
                        • Rule: Windows_Ransomware_Ryuk_8ba51798, Description: Identifies RYUK ransomware, Source: C:\AutoRun.exe, Author: unknown
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\AutoRun.exe, Author: ReversingLabs
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 92%
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................h........r..................TO..............................<O......................................................CODE................................@...DATA..... ..........................@...BSS.................................@....idata...0.......&..................@....tls.........0......................@....rdata.......@......................@....reloc...p...P......................@....rsrc............r..................@....aspack..0...@...0...r..............@....adata.......p......................@....SCY.....0.......&..................`...........................................................
                        Process:C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0
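Added example, not code from the report or from the sample: a small INI reader that handles both dropped text files above (the autorun.inf record ending with the `[autorun]` preview, and the Zone.Identifier stream previewed on the line before this), enumerates every action the autorun.inf can trigger, and applies a heuristic verdict. Both inputs are reconstructed from the previews and match the reported sizes (145 and 26 bytes). The executable-extension list and the "all verbs converge on one payload" heuristic are assumptions of this example, not the sandbox's own rule.

```python
import hashlib

# Constructed input: the 145-byte autorun.inf the sample drops, CRLF line ends as in the preview.
AUTORUN_INF = (
    "[autorun]\r\n"
    "open=AutoRun.exe\r\n"
    "shell\\1=Open\r\n"
    "shell\\1\\Command=AutoRun.exe\r\n"
    "shell\\2\\=Browser\r\n"
    "shell\\2\\Command=AutoRun.exe\r\n"
    "shellexecute=AutoRun.exe\r\n"
)
# Constructed input: the 26-byte Zone.Identifier stream written next to a dropped copy.
ZONE_IDENTIFIER = "[ZoneTransfer]\r\n\r\nZoneId=0"

# Assumed list of extensions treated as directly executable by Explorer/ShellExecute.
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")


def parse_ini(text):
    """Minimal INI reader -> {section: {key: value}}; keys are lower-cased because
    the Windows profile API that reads these files is case-insensitive."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(autorun_text):
    """Every action the [autorun] section can trigger, mapped to the file it launches,
    plus the caption each custom shell verb shows in Explorer's context menu."""
    auto = parse_ini(autorun_text).get("autorun", {})
    targets, labels = {}, {}
    for key, value in auto.items():
        parts = [p for p in key.split("\\") if p]      # tolerates the odd 'shell\2\=' key
        if key in ("open", "shellexecute"):
            targets[key] = value
        elif len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            targets["shell\\" + parts[1]] = value
        elif len(parts) == 2 and parts[0] == "shell":
            labels["shell\\" + parts[1]] = value
    return targets, labels


def assess_autorun(autorun_text):
    """Heuristic (an assumption, not the sandbox's rule): flag when every launch path
    converges on a single executable and the custom verbs mimic Explorer's own entries."""
    targets, labels = launch_targets(autorun_text)
    executables = {v.lower() for v in targets.values() if v.lower().endswith(EXECUTABLE_EXTENSIONS)}
    mimics = [verb for verb, cap in labels.items() if cap.lower() in ("open", "explore", "browse", "browser")]
    return {
        "targets": targets,
        "single_payload": executables.pop() if len(executables) == 1 and len(targets) >= 3 else None,
        "explorer_verb_mimicry": mimics,
    }


def zone_id(zone_text):
    """ZoneId from a Zone.Identifier stream: 0 is URLZONE_LOCAL_MACHINE (no download prompt),
    3 is URLZONE_INTERNET, the value that carries the mark-of-the-web."""
    value = parse_ini(zone_text).get("zonetransfer", {}).get("zoneid")
    return int(value) if value is not None else None


if __name__ == "__main__":
    print("autorun.inf md5:", hashlib.md5(AUTORUN_INF.encode("ascii")).hexdigest())
    print(assess_autorun(AUTORUN_INF))
    print("ZoneId:", zone_id(ZONE_IDENTIFIER))
```

The md5 printed by the usage block can be compared against the MD5 the report lists for the dropped autorun.inf to confirm the reconstruction is byte-exact; a ZoneId of 0 on a freshly written file means SmartScreen and the "file came from another computer" prompt never enter the picture when that copy is later executed.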
                        Process:C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2569944
                        Entropy (8bit):6.006771818484295
                        Encrypted:false
                        SSDEEP:12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCJ:eEtl9mRda12sX7hKB8NIyXbacAfuX
                        MD5:1A3A55EEA8C081AFAC024DE9866BBCD2
                        SHA1:672E3EA2621EC678BCEE13EE6AAA9E202F3192D6
                        SHA-256:5BD563097ECE80AB2A5C86D8A48E7F2997CA84B426AF7492DC97C09E008AB9A8
                        SHA-512:10C0D7816B63CCE3485231BF38D863847B3FFCBEF4513B57038FD9586DE1527D496BFCE4341AF155393A0732BC31C2AFC5E8868F8EA7BCCEAD37640E5EF93C99
                        Malicious:true
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................h........r..................TO..............................<O......................................................CODE................................@...DATA..... ..........................@...BSS.................................@....idata...0.......&..................@....tls.........0......................@....rdata.......@......................@....reloc...p...P......................@....rsrc............r..................@....aspack..0...@...0...r..............@....adata.......p......................@....SCY.....0.......&..................`...........................................................
                        Process:C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2569944
                        Entropy (8bit):6.006771818484295
                        Encrypted:false
                        SSDEEP:12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCJ:eEtl9mRda12sX7hKB8NIyXbacAfuX
                        MD5:1A3A55EEA8C081AFAC024DE9866BBCD2
                        SHA1:672E3EA2621EC678BCEE13EE6AAA9E202F3192D6
                        SHA-256:5BD563097ECE80AB2A5C86D8A48E7F2997CA84B426AF7492DC97C09E008AB9A8
                        SHA-512:10C0D7816B63CCE3485231BF38D863847B3FFCBEF4513B57038FD9586DE1527D496BFCE4341AF155393A0732BC31C2AFC5E8868F8EA7BCCEAD37640E5EF93C99
                        Malicious:true
                        Yara Hits:
                        • Rule: JoeSecurity_Autorun, Description: Yara detected Autorun, Source: C:\ProgramData\.curlrc.exe, Author: Joe Security
                        • Rule: Windows_Ransomware_Ryuk_878bae7e, Description: Identifies RYUK ransomware, Source: C:\ProgramData\.curlrc.exe, Author: unknown
                        • Rule: Windows_Ransomware_Ryuk_6c726744, Description: Identifies RYUK ransomware, Source: C:\ProgramData\.curlrc.exe, Author: unknown
                        • Rule: Windows_Ransomware_Ryuk_8ba51798, Description: Identifies RYUK ransomware, Source: C:\ProgramData\.curlrc.exe, Author: unknown
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\ProgramData\.curlrc.exe, Author: ReversingLabs
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................h........r..................TO..............................<O......................................................CODE................................@...DATA..... ..........................@...BSS.................................@....idata...0.......&..................@....tls.........0......................@....rdata.......@......................@....reloc...p...P......................@....rsrc............r..................@....aspack..0...@...0...r..............@....adata.......p......................@....SCY.....0.......&..................`...........................................................
                        Process:C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe
                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Sun Apr 27 14:25:16 2025, mtime=Sun Apr 27 14:27:16 2025, atime=Sun Apr 27 14:25:16 2025, length=2568613, window=hide
                        Category:modified
                        Size (bytes):1016
                        Entropy (8bit):4.62738859844296
                        Encrypted:false
                        SSDEEP:12:8umc1m/mkMpX5VSX66L6Z9QtKzRD/bjAw7mVW+UNW+UNJuNjYT8trEPn44t2YZ/P:8dz4/Q4tvAcm0+sW+sgcyEPwqyFm
                        MD5:E5A36726FD51605ECC243B3F4B295131
                        SHA1:DF540B435F22258B2D258240C014994416D95D52
                        SHA-256:B98B9395DA9597F44335B46645ECA2AE44C11E01A19A3D4633305969D3702406
                        SHA-512:84893954B9F5BB97854E2D6DBAA3A7BE2378B040BC5A963BA1EBADC72EDC0144AB89C330CBE5ED54962EEEE7BA5D932A18F51232D311C0FE61BE39DA7C2C9DBF
                        Malicious:false
                        Preview:L..................F.... .......................1'.....................?....P.O. .:i.....+00.../C:\...................V.1.....gZ9T..Windows.@......OwH.Z'{....3.......................u.W.i.n.d.o.w.s.....Z.1......Z){..SysWOW64..B......O.I.Z){....Y.....................q@..S.y.s.W.O.W.6.4.....`.2..1'..Z){ .HelpMe.exe..F......Z){.Z){..........................q@..H.e.l.p.M.e...e.x.e.......M...............-.......L....................C:\Windows\SysWOW64\HelpMe.exe....S.t.o.n.e.,.I. .h.a.t.e. .y.o.u.!.6.....\.....\.....\.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.H.e.l.p.M.e...e.x.e...C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.........)................1R..WH.....}'....`.......X.......win-my9349.......hT..CrF.f4... .8_)p?....0.......hT..CrF.f4... .8_)p?....0..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?
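Added example, not code from the report or from the sample: a minimal MS-SHLLINK parser for the Startup-folder shortcut above, which reads the header and StringData, skips the IDList and LinkInfo blocks, and resolves the relative path against the folder the shortcut lives in. The sample .lnk is constructed from the strings visible in the preview (description "Stone,I hate you!", the nine-level relative path to Windows\SysWOW64\HelpMe.exe, the working directory, and the FileSize the `file` output reports as length=2568613); timestamps, IDList contents and ShowCommand are placeholders, and the per-user Startup path used for resolution is an assumption, since the report only names the folder's role.

```python
import ntpath
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData structures follow LinkInfo in exactly this order when their flag is set.
STRING_DATA = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location")]

# Assumed location of the dropped shortcut (a per-user Startup folder, nine levels below C:\).
STARTUP_DIR = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"


def build_sample_lnk():
    """Constructed .lnk carrying the strings seen in the report's preview; IDList is a bare
    TerminalID, timestamps are zero and ShowCommand is SW_SHOWNORMAL (placeholders)."""
    flags = HAS_ID_LIST | HAS_NAME | HAS_RELATIVE_PATH | HAS_WORKING_DIR | IS_UNICODE
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0x20)        # FILE_ATTRIBUTE_ARCHIVE
    header += struct.pack("<QQQ", 0, 0, 0)                              # creation/access/write time
    header += struct.pack("<IIIHHII", 2568613, 0, 1, 0, 0, 0, 0)        # FileSize, IconIndex, ShowCommand, HotKey, reserved
    body = struct.pack("<H", 2) + b"\0\0"                               # IDListSize=2: TerminalID only
    for text in ("Stone,I hate you!",
                 "..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\SysWOW64\\HelpMe.exe",
                 "C:\\Windows\\SysWOW64\\"):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")  # CountCharacters + UTF-16 chars
    return header + body


def parse_lnk(data):
    """Parse the ShellLinkHeader and StringData; IDList and LinkInfo are skipped by size."""
    size, clsid, flags, attrs = struct.unpack_from("<I16sII", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    file_size, = struct.unpack_from("<I", data, 0x34)
    pos = 0x4C
    if flags & HAS_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for bit, key in STRING_DATA:
        if flags & bit:
            count, = struct.unpack_from("<H", data, pos)
            pos += 2
            if flags & IS_UNICODE:
                strings[key] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                strings[key] = data[pos:pos + count].decode("cp1252")
                pos += count
    return {"flags": flags, "attributes": attrs, "file_size": file_size, **strings}


def resolve_target(lnk_info, lnk_dir):
    """Apply the shortcut's relative path to the directory it was found in."""
    rel = lnk_info.get("relative_path")
    return None if rel is None else ntpath.normpath(ntpath.join(lnk_dir, rel))


def startup_lnk_findings(data, lnk_dir=STARTUP_DIR):
    """What an IR triage of a Startup-folder .lnk wants: the real target, whether it sits
    in a system directory, and how far the relative path climbs."""
    info = parse_lnk(data)
    target = resolve_target(info, lnk_dir)
    system_dirs = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
    return {
        "target": target,
        "target_in_system_dir": target is not None and target.lower().startswith(system_dirs),
        "description": info.get("name"),
        "relative_depth": info.get("relative_path", "").count("..\\"),
        "file_size": info["file_size"],
    }


if __name__ == "__main__":
    print(startup_lnk_findings(build_sample_lnk()))
```

Nine `..\` segments are exactly the depth of a per-user Startup folder below the drive root, so the relative path lands on C:\Windows\SysWOW64\HelpMe.exe, the same path the dropped-file record for HelpMe.exe further down gives; reading the target this way avoids trusting the IDList, which a hand-crafted shortcut can leave stale or empty.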
                        Process:C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2568613
                        Entropy (8bit):6.007138828163044
                        Encrypted:false
                        SSDEEP:12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCT:eEtl9mRda12sX7hKB8NIyXbacAfud
                        MD5:6B45FD669E9F67D0C0E69BAC98268E36
                        SHA1:6B82FC7BCCE6F0ABCE82FC64587E83869562F178
                        SHA-256:2A580788EB0FFB8CDC968A13E096EB4DD92F15BEE2F7CFBA7758BEEB8DF16EBD
                        SHA-512:B48637389865B62D72DEA4AE9B48EBD727CA7A89A65B4ECDCFCEF66AEC338D19EFBBCD41A5308A707A1FCA409961E8BF3708F4ADB150764AD6C3E8D507A7CBB7
                        Malicious:true
                        Yara Hits:
                        • Rule: JoeSecurity_Autorun, Description: Yara detected Autorun, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: Joe Security
                        • Rule: Windows_Ransomware_Ryuk_878bae7e, Description: Identifies RYUK ransomware, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: unknown
                        • Rule: Windows_Ransomware_Ryuk_6c726744, Description: Identifies RYUK ransomware, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: unknown
                        • Rule: Windows_Ransomware_Ryuk_8ba51798, Description: Identifies RYUK ransomware, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: unknown
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: ReversingLabs
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 92%
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................h........r..................TO..............................<O......................................................CODE................................@...DATA..... ..........................@...BSS.................................@....idata...0.......&..................@....tls.........0......................@....rdata.......@......................@....reloc...p...P......................@....rsrc............r..................@....aspack..0...@...0...r..............@....adata.......p......................@....SCY.....0.......&..................`...........................................................
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):6.0070224944586865
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 98.22%
                        • ASPack compressed Win32 Executable (generic) (133821/79) 1.31%
                        • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                        • Win16/32 Executable Delphi generic (2074/23) 0.02%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        File name:250427-sppmmasyfv.bin.exe
                        File size:2'569'400 bytes
                        MD5:1e8acce9b5a48687c4f4a087d651ea29
                        SHA1:1187738d7b4618376640fd0f7784fe41c0d83084
                        SHA256:639a920f5fcf111af3a94d8c59a272d70ac274628975d541c4fd36b834a8178a
                        SHA512:cddbe4e814f34fac9f3ad7a5244fb1895929762288eeae5e4185ecc65094e1f73dd4b4be0b084126bbe0111e85d31fb4ab64ca885177c74735976a1b77aa732f
                        SSDEEP:12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCo:eEtl9mRda12sX7hKB8NIyXbacAfue
                        TLSH:A8C55C64E610D8BAF3D6E978640E7F290CE57D110BC22D4DA49DAB241FF0EF4E5B2294
                        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                        Icon Hash:961e1672700f1e16
                        Entrypoint:0x45cf80
                        Entrypoint Section:CODE
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                        DLL Characteristics:
                        Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:12fcd3183e0fb67f1e38925ed5c0c47c
                        Instruction
                        push ebp
                        mov ebp, esp
                        add esp, FFFFFFF0h
                        mov eax, 0045CD70h
                        call 00007F7694B00039h
                        mov eax, dword ptr [0045E1B4h]
                        mov eax, dword ptr [eax]
                        call 00007F7694B52001h
                        mov eax, dword ptr [0045E1B4h]
                        mov eax, dword ptr [eax]
                        xor edx, edx
                        call 00007F7694B51C03h
                        mov ecx, dword ptr [0045E078h]
                        mov eax, dword ptr [0045E1B4h]
                        mov eax, dword ptr [eax]
                        mov edx, dword ptr [0045B16Ch]
                        call 00007F7694B51FF3h
                        mov eax, dword ptr [0045E1B4h]
                        mov eax, dword ptr [eax]
                        call 00007F7694B52067h
                        call 00007F7694AFDDEAh
                        nop
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add cl, byte ptr [ebp+00000040h]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        xor dl, byte ptr [ebx]
                        mov eax, eax
                        add al, byte ptr [eax]
                        mov eax, eax
                        add byte ptr [ebp-72FFFFC0h], cl
                        inc eax
                        add byte ptr [eax], al
                        lea eax, dword ptr [eax+00h]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        or byte ptr [ecx], ah
                        inc eax
                        add byte ptr [eax+18004022h], bl
                        inc eax
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x786d4 | 0x168 | .SCY
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6c000 | 0x7200 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x74f54 | 0x8 | .aspack
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x74f3c | 0x18 | .aspack
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x100000 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x5c000 | 0x5c000 | 60229906ef2855e9fa1c2f16ed3a92ee | False | 0.5274923573369565 | data | 6.519414048971122 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DATA | 0x5d000 | 0x2000 | 0x1400 | c5e6c434e0a9a3710acbd682aa4fbbf2 | False | 0.4341796875 | data | 4.056765956007262 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0x5f000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x60000 | 0x3000 | 0x2600 | cd509514e3ce7c1327efbc93a9a4065e | False | 0.4278371710526316 | data | 5.399540656115184 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x63000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x64000 | 0x1000 | 0x200 | 710ed322af38cc3cafbb0b107be04212 | False | 0.05078125 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "F" | 0.2069200177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x65000 | 0x7000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6c000 | 0x8000 | 0x7200 | 6106d30a01fb76e204dee96fb53d4a6c | False | 0.22937225877192982 | data | 3.3807301517457726 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.aspack | 0x74000 | 0x3000 | 0x3000 | dd153ef13ec18045ede483295a495e2b | False | 0.4054361979166667 | data | 4.952046990056101 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.adata | 0x77000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.SCY | 0x78000 | 0x3000 | 0x2600 | 55600674716e369a2c9a92535f91ca48 | False | 0.4323601973684211 | data | 5.590484563034503 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
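Added example, not code from the report or from the sample: a struct-only PE32 header parser that rebuilds this file's headers from the section table and data directories listed above (headers only, no section bodies; linker version, SizeOfCode and the other fields the report does not list are placeholders) and then runs the checks behind the report's "more sections than normal", "non-standard section names" and entrypoint-section findings. The eight-section threshold and the baseline of conventional section names are assumptions. Two things the check surfaces from the listed data: the CODE section holding the entrypoint carries no IMAGE_SCN_MEM_EXECUTE flag, and .SCY, the only section marked executable and writable, is also where the import directory lives.

```python
import struct

# IMAGE_SECTION_HEADER characteristic bits (PE/COFF specification).
SCN_CNT_CODE, SCN_CNT_INITIALIZED_DATA = 0x00000020, 0x00000040
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
RW_DATA = SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE

DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
                   "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
                   "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
# Assumed baseline of names linkers normally emit (Borland/Delphi uses CODE, DATA, BSS).
COMMON_SECTION_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc",
                        ".bss", ".tls", ".pdata", "CODE", "DATA", "BSS"}

# Constructed sample: the section table and the non-empty data directories from the report.
SAMPLE_SECTIONS = [  # (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics)
    (b"CODE",    0x01000, 0x5c000, 0x5c000, RW_DATA),
    (b"DATA",    0x5d000, 0x02000, 0x01400, RW_DATA),
    (b"BSS",     0x5f000, 0x01000, 0x00000, RW_DATA),
    (b".idata",  0x60000, 0x03000, 0x02600, RW_DATA),
    (b".tls",    0x63000, 0x01000, 0x00000, RW_DATA),
    (b".rdata",  0x64000, 0x01000, 0x00200, RW_DATA),
    (b".reloc",  0x65000, 0x07000, 0x00000, RW_DATA),
    (b".rsrc",   0x6c000, 0x08000, 0x07200, RW_DATA),
    (b".aspack", 0x74000, 0x03000, 0x03000, RW_DATA),
    (b".adata",  0x77000, 0x01000, 0x00000, RW_DATA),
    (b".SCY",    0x78000, 0x03000, 0x02600, RW_DATA | SCN_CNT_CODE | SCN_MEM_EXECUTE),
]
SAMPLE_DIRS = {1: (0x786d4, 0x168), 2: (0x6c000, 0x7200), 5: (0x74f54, 0x8),
               9: (0x74f3c, 0x18), 15: (0x0, 0x100000)}


def build_sample_headers():
    """DOS header, PE signature, COFF header, PE32 optional header and section table only."""
    dos = b"MZ" + b"\0" * 0x3a + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14c, len(SAMPLE_SECTIONS), 0x2A425E19, 0, 0, 0xE0, 0x818E)
    opt = struct.pack("<HBB9I6H4I2H6I",
                      0x10B, 2, 25,                                        # PE32 magic, linker version (placeholder)
                      0x5c000, 0x1e000, 0, 0x5cf80, 0x1000, 0x5d000,       # code/data sizes, AddressOfEntryPoint, bases
                      0x400000, 0x1000, 0x200,                             # ImageBase, SectionAlignment, FileAlignment
                      4, 0, 4, 0, 4, 0,                                    # OS, image and subsystem versions
                      0, 0x7b000, 0x400, 0,                                # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0,                                                # IMAGE_SUBSYSTEM_WINDOWS_GUI, no DllCharacteristics
                      0x100000, 0x4000, 0x100000, 0x1000, 0, 16)           # stack/heap, LoaderFlags, NumberOfRvaAndSizes
    for i in range(16):
        opt += struct.pack("<II", *SAMPLE_DIRS.get(i, (0, 0)))
    raw_ptr, table = 0x400, b""
    for name, rva, vsize, rawsize, chars in SAMPLE_SECTIONS:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, rva, rawsize, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += rawsize
    return dos + b"PE\0\0" + coff + opt + table


def parse_pe32_headers(data):
    """Return (entry_rva, {directory: (rva, size)}, [(name, rva, vsize, rawsize, chars)])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = {DIRECTORY_NAMES[i]: struct.unpack_from("<II", data, opt + 96 + 8 * i)
            for i in range(min(ndirs, 16))}
    sections = []
    for i in range(nsections):
        name, vsize, rva, rawsize, *_, chars = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), rva, vsize, rawsize, chars))
    return entry_rva, dirs, sections


def section_for_rva(sections, rva):
    """Map an RVA to its section; a zero VirtualSize falls back to SizeOfRawData as loaders do."""
    for name, start, vsize, rawsize, _ in sections:
        if start <= rva < start + (vsize or rawsize):
            return name
    return None


def triage(data, max_sections=8):
    """Header checks behind the report's PE signatures; max_sections is an assumed threshold."""
    entry_rva, dirs, sections = parse_pe32_headers(data)
    chars = {name: c for name, _, _, _, c in sections}
    entry_section = section_for_rva(sections, entry_rva)
    return {
        "section_count": len(sections),
        "too_many_sections": len(sections) > max_sections,
        "nonstandard_names": sorted(n for n in chars if n not in COMMON_SECTION_NAMES),
        "entry_section": entry_section,
        "entry_section_executable": bool(chars.get(entry_section, 0) & SCN_MEM_EXECUTE),
        "wx_sections": [n for n, c in chars.items() if c & SCN_MEM_WRITE and c & SCN_MEM_EXECUTE],
        "directories": {d: section_for_rva(sections, rva) for d, (rva, size) in dirs.items() if size},
    }


if __name__ == "__main__":
    for key, value in triage(build_sample_headers()).items():
        print(f"{key}: {value}")
```

Pointing `triage` at the bytes of a real file instead of `build_sample_headers()` gives the same dictionary for any PE32; the "Is in Section" column of the data-directory table above is exactly what the `directories` entry recomputes.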
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x6cadc | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | - | - | 0.38636363636363635
RT_CURSOR | 0x6cc10 | 0x134 | data | - | - | 0.4642857142857143
RT_CURSOR | 0x6cd44 | 0x134 | data | - | - | 0.4805194805194805
RT_CURSOR | 0x6ce78 | 0x134 | data | - | - | 0.38311688311688313
RT_CURSOR | 0x6cfac | 0x134 | data | - | - | 0.36038961038961037
RT_CURSOR | 0x6d0e0 | 0x134 | data | - | - | 0.4090909090909091
RT_CURSOR | 0x6d214 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | - | - | 0.4967532467532468
RT_BITMAP | 0x6d348 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | - | - | 0.43103448275862066
RT_BITMAP | 0x6d518 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | - | - | 0.46487603305785125
RT_BITMAP | 0x6d6fc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | - | - | 0.43103448275862066
RT_BITMAP | 0x6d8cc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | - | - | 0.39870689655172414
RT_BITMAP | 0x6da9c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | - | - | 0.4245689655172414
RT_BITMAP | 0x6dc6c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | - | - | 0.5021551724137931
RT_BITMAP | 0x6de3c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | - | - | 0.5064655172413793
RT_BITMAP | 0x6e00c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | - | - | 0.39655172413793105
RT_BITMAP | 0x6e1dc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | - | - | 0.5344827586206896
RT_BITMAP | 0x6e3ac | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | - | - | 0.39655172413793105
RT_BITMAP | 0x6e57c | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | - | - | 0.4870689655172414
RT_ICON | 0x752ec | 0x1ca8 | Device independent bitmap graphic, 48 x 96 x 24, image size 6912 | Chinese | Taiwan | 0.2595419847328244
RT_DIALOG | 0x7030c | 0x52 | data | - | - | 0.7682926829268293
RT_STRING | 0x70360 | 0x228 | data | - | - | 0.4782608695652174
RT_STRING | 0x70588 | 0x1d0 | data | - | - | 0.38146551724137934
RT_STRING | 0x70758 | 0x16c | data | - | - | 0.532967032967033
RT_STRING | 0x708c4 | 0x1fc | Targa image data - Color 99 x 107 x 32 +68 +111 "z" | - | - | 0.4744094488188976
RT_STRING | 0x70ac0 | 0x214 | data | - | - | 0.5131578947368421
RT_STRING | 0x70cd4 | 0xec | data | - | - | 0.597457627118644
RT_STRING | 0x70dc0 | 0x12c | data | - | - | 0.5633333333333334
RT_STRING | 0x70eec | 0x33c | data | - | - | 0.4311594202898551
RT_STRING | 0x71228 | 0x3d8 | data | - | - | 0.36585365853658536
RT_STRING | 0x71600 | 0x398 | data | - | - | 0.3673913043478261
RT_STRING | 0x71998 | 0x418 | data | - | - | 0.366412213740458
RT_STRING | 0x71db0 | 0x114 | data | - | - | 0.5
RT_STRING | 0x71ec4 | 0xe4 | data | - | - | 0.5482456140350878
RT_STRING | 0x71fa8 | 0x24c | data | - | - | 0.477891156462585
RT_STRING | 0x721f4 | 0x3d4 | data | - | - | 0.3142857142857143
RT_STRING | 0x725c8 | 0x388 | data | - | - | 0.3661504424778761
RT_STRING | 0x72950 | 0x2d8 | data | - | - | 0.375
RT_RCDATA | 0x72c28 | 0x10 | data | - | - | 1.5
RT_RCDATA | 0x72c38 | 0x2a4 | data | - | - | 0.7322485207100592
RT_RCDATA | 0x72edc | 0x1c0 | Delphi compiled form 'TFrm_Main' | - | - | 0.7142857142857143
RT_GROUP_CURSOR | 0x7309c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | - | - | 1.25
RT_GROUP_CURSOR | 0x730b0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | - | - | 1.25
RT_GROUP_CURSOR | 0x730c4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | - | - | 1.3
RT_GROUP_CURSOR | 0x730d8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | - | - | 1.3
RT_GROUP_CURSOR | 0x730ec | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | - | - | 1.3
RT_GROUP_CURSOR | 0x73100 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | - | - | 1.3
RT_GROUP_CURSOR | 0x73114 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | - | - | 1.3
RT_GROUP_ICON | 0x752d8 | 0x14 | data | Chinese | Taiwan | 1.15
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll | RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCreateKeyExA, RegCloseKey
kernel32.dll | lstrcpyA, WritePrivateProfileStringA, WriteFile, WinExec, WaitForSingleObject, VirtualQuery, VirtualAlloc, UnmapViewOfFile, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetFileAttributesA, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, MoveFileA, MapViewOfFile, LockResource, LocalFree, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetTempPathA, GetSystemInfo, GetSystemDirectoryA, GetStringTypeA, GetStdHandle, GetShortPathNameA, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleA, GetModuleFileNameA, GetLogicalDriveStringsA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileAttributesA, GetExitCodeThread, GetDriveTypeA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeleteFileA, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CopyFileA, CompareStringA, CloseHandle
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
                        user32.dllCreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterClipboardFormatA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, ExitWindowsEx, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, 
EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyCursor, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
                        kernel32.dllSleep
                        oleaut32.dllSafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
                        ole32.dllOleUninitialize, OleInitialize, CoCreateInstance, CoUninitialize, CoInitialize
                        oleaut32.dllGetErrorInfo, SysFreeString
                        comctl32.dllImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
                        shell32.dllSHGetSpecialFolderLocation, SHGetPathFromIDListA
                        advapi32.dllSetSecurityInfo, SetEntriesInAclA, GetSecurityInfo
                        Language of compilation system:Chinese
                        Country where language is spoken:Taiwan
                        No network behavior found


                        Target ID:0
                        Start time:11:25:16
                        Start date:27/04/2025
                        Path:C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\250427-sppmmasyfv.bin.exe"
                        Imagebase:0x400000
                        File size:2'569'400 bytes
                        MD5 hash:1E8ACCE9B5A48687C4F4A087D651EA29
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:Borland Delphi
                        Yara matches:
                        • Rule: JoeSecurity_Autorun, Description: Yara detected Autorun, Source: 00000000.00000000.1139948507.0000000000401000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:false

                        Target ID:1
                        Start time:11:25:16
                        Start date:27/04/2025
                        Path:C:\Windows\SysWOW64\HelpMe.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\system32\HelpMe.exe
                        Imagebase:0x400000
                        File size:2'568'613 bytes
                        MD5 hash:6B45FD669E9F67D0C0E69BAC98268E36
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:Borland Delphi
                        Yara matches:
                        • Rule: JoeSecurity_Autorun, Description: Yara detected Autorun, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: Joe Security
                        • Rule: JoeSecurity_Autorun, Description: Yara detected Autorun, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: Joe Security
                        • Rule: Windows_Ransomware_Ryuk_878bae7e, Description: Identifies RYUK ransomware, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: unknown
                        • Rule: Windows_Ransomware_Ryuk_6c726744, Description: Identifies RYUK ransomware, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: unknown
                        • Rule: Windows_Ransomware_Ryuk_8ba51798, Description: Identifies RYUK ransomware, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: unknown
                        • Rule: Win32_Ransomware_Ryuk, Description: unknown, Source: C:\Windows\SysWOW64\HelpMe.exe, Author: ReversingLabs
                        Antivirus matches:
                        • Detection: 100%, Avira
                        • Detection: 92%, ReversingLabs
                        Reputation:low
                        Has exited:false

                        Target ID:9
                        Start time:11:25:34
                        Start date:27/04/2025
                        Path:C:\Windows\SysWOW64\HelpMe.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\SysWOW64\HelpMe.exe"
                        Imagebase:0x400000
                        File size:2'568'613 bytes
                        MD5 hash:6B45FD669E9F67D0C0E69BAC98268E36
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:Borland Delphi
                        Reputation:low
                        Has exited:false

                        Target ID:10
                        Start time:11:25:42
                        Start date:27/04/2025
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                        Imagebase:0x7ff7b8010000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        No disassembly