Malware Analysis Report

2025-01-22 20:13

Sample ID 241016-x5mkes1gnq
Target 42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb
SHA256 42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb
Tags
aspackv2 discovery persistence ransomware
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb

Threat Level: Known bad

The file 42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb was found to be: Known bad.

Malicious Activity Summary

aspackv2 discovery persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Executes dropped EXE

ASPack v2.12-2.42

Drops startup file

Loads dropped DLL

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 19:26

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 19:26

Reported

2024-10-16 19:27

Platform

win7-20241010-en

Max time kernel

56s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe

"C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

memory/2304-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

MD5 3ff674dcf5aaa44b343cfafb5721aaa4
SHA1 562b2c9310e9d0233c84e1bffe314b40650c2b19
SHA256 10e22ebba35a0e4ac92b10b38bf57866e642fbfee80d7cdeca5ebddf37a6a281
SHA512 abe2fb088b8fc699ffc1228d4a5422bae785ad1ea0bf489e192108cd1a7ae8cd8608d50da192ddb606c33c32a9ae51a99bc315c91a918ad0b8065f0987d168dc

memory/2236-9-0x0000000000220000-0x0000000000221000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.exe

MD5 ed76a2b81f45b9b7d1b4756a2c68541c
SHA1 44eac53ffc8ceed045cfe78a614a823ff3a6d978
SHA256 25b57bae6d4af3e40cf4f3067a8a140c96905336d509065df6e398fbee103d49
SHA512 ede3d0b7752f39eaf4987963e41bb75b618afbd271ab767264f4ebeb72503b1fe9d01a06357fa5dc9a095c265779d237b70340128a18c37ce9bc396372a20f33

F:\AutoRun.exe

MD5 a61c7d08b137853b943ebe798858b8aa
SHA1 f5fd59dda3131259c3708ef42253681fb9108e9a
SHA256 42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb
SHA512 5de58f9301046f9f77d460eeba3b76032ac5855e95697e882a20e12d96166149e69c6c6318bbc7115f355aa18a043e3d14ead9ae17e85a1230345f8f39ab8ed5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2304-68-0x00000000003A0000-0x00000000003A1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 cbbebdc0022f472ac62ff2a8bce19203
SHA1 52b5c10fa700d92c338befc0dd8f61e6b34b09d7
SHA256 0b4ea43798edf3e09df49dfc380790f29462a07473a0684f8c429fa06715e153
SHA512 e7137685b01eb3cc7f6995ade6a54340d42697b9e5d1d40a4269b3b0f5f0da8ee2c9b4ea6a11d8e8b375fbe2f74d14c8916e5d418fff5e32853bc765dcaac753

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f73cfee28cb9ecf31b1a97ca0e5e98ef
SHA1 9826373a9a1d7677b9518d49df96356faa332451
SHA256 e94e580784074ae52da3159ccde58666348169b783600f5569aa90eb66b96d2d
SHA512 988d8efdb7a7ffa287febd7a2a8d1fe20f9355fe90b3d2ea608f70f1c10ec760bc0a1a659d29a2d2c60abe5953b3aaae568f84ae4c3763f5fd6cc8c9ee041d30

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 19:26

Reported

2024-10-16 19:27

Platform

win10v2004-20241007-en

Max time kernel

55s

Max time network

58s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe

"C:\Users\Admin\AppData\Local\Temp\42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

memory/3612-0-0x0000000002320000-0x0000000002321000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 3ff674dcf5aaa44b343cfafb5721aaa4
SHA1 562b2c9310e9d0233c84e1bffe314b40650c2b19
SHA256 10e22ebba35a0e4ac92b10b38bf57866e642fbfee80d7cdeca5ebddf37a6a281
SHA512 abe2fb088b8fc699ffc1228d4a5422bae785ad1ea0bf489e192108cd1a7ae8cd8608d50da192ddb606c33c32a9ae51a99bc315c91a918ad0b8065f0987d168dc

memory/4336-5-0x00000000021E0000-0x00000000021E1000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini.exe

MD5 09a154420be9de8c3861dea4d1332532
SHA1 8247e724e274b644eb8ebb860f573b17f7e9df31
SHA256 1100f68b865c25eab6fa9f1c1b2e0c5ca586f84c35cd81dc50cd9ab268ac9e1c
SHA512 ea4311f72bb59350818af06a3efc728c5e7f8b6588a3b39096ed6755381114c668759feb63e53ce38395f08cb8e6679bec424d863bef18b774e34f946a0ce85a

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

F:\AutoRun.exe

MD5 a61c7d08b137853b943ebe798858b8aa
SHA1 f5fd59dda3131259c3708ef42253681fb9108e9a
SHA256 42362d8a90c31166731fca48845f2cb19f52fcc924ca3402d369206d0bd71feb
SHA512 5de58f9301046f9f77d460eeba3b76032ac5855e95697e882a20e12d96166149e69c6c6318bbc7115f355aa18a043e3d14ead9ae17e85a1230345f8f39ab8ed5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3612-45-0x0000000002320000-0x0000000002321000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 cbc2a61b59793287295d1650a4c70829
SHA1 8316263a6e2a4612acb8c755e7beb4d2a2c11a6f
SHA256 7a5a59c9ddb646b22e6c1586188d8a0e97cae1220a11ad417966b8b997645a8c
SHA512 e1c1d8b788f9b39799b010157c284ac07cd123375444b0aedff472fc58bfc45f2cf3d5d5c35d368698ae13e4cb2055952a982fba53e5257c2a79dfa7fbdb5937

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 107e45ddfe19dccbfc252f5244028978
SHA1 fecc2bd72b69a1c2742f772da57d3772f643972f
SHA256 2634833bcb622a4af766d3e34ef3f96e493dc0707205cce1c6f74584f191bc50
SHA512 3228e95df56ced1c251568ab3c93294354179f4753231ec12ac55004bbfe3424a52a2c36dcfcf4854a9ce058f0191682bca77bf4913e62096cede599f388de1f

memory/4336-52-0x00000000021E0000-0x00000000021E1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b54a593ae1ca705521e7141ccbe2dd16
SHA1 557391964a381f061ff04583aa5d4d23ebd48807
SHA256 d43c25db54a012e294d376119315b1d5a2eb963649011233a8c032fd83678f6f
SHA512 80965aca3dd922dd6a9ae8a06a028c5cb356de9a5244282978a6b7064a4f1ed6eb8b3918d674adb5130764d0487ffaf4525f2cbcd1ab9aa368ae09ece3f4c0d8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 31a8a9845889549dac84e3abe2d8391c
SHA1 d784802f692b1ac408d13d521546a0d91af627e4
SHA256 f98f70eee6d3d62a55937859916523d17e54439ddf830ffcd4b1453222d6348a
SHA512 06c37a1799949b6803bce11fc4ca29fd4c425bf2be50860b32237d4609e83b9b92e51a889fd1c0f45c62e567727f6fadc82609f7aa4a53b50b07a4a09be94ed4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7a63facb239a78e1276f366aaf935238
SHA1 3fb6b13906965282eb7ecda00d753811991a9d0e
SHA256 884f317ec321daef1f2a248eee895bea6b477dc52b3268bad603d3e994770968
SHA512 703c02d729cff73c5062315400166004c2fe44f97bf537a96efb5b9a4f27ed70b905d370accf207e9b7ef4a56d7303f65f0c91dde41c3081f1cd92ce244af34d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 632e47141c13e90eff293e2b8abf854d
SHA1 45d78d27d5f989e624b3d070d271e1b34bca1f72
SHA256 b370e901173d4d3f14fb2ce5d28ab8ec5a382760bc10da38cd88317afc9af327
SHA512 325cf265b2e2d1ae86581465074f4122c648d968f1e3c2684d4445eabe050380c1eda6301236dece29c4042dcf6e456c2bf1b8e02f5c3f636f5e7fd8a8683bc7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 cc642287ab544d5223b1c0d91d38f689
SHA1 4ae105f433bdacfd4e571c6fd9fa3c52aaf544cf
SHA256 4a9b67898809405369caa61fde342a0d45dc025512e06ceebd54fa0f555e9e5f
SHA512 8a6de1f84570a76911fc3e52d15e384cfd2402ba6d884aaa93eda08b368f4f1d0ade1ebd8ff50e76b89398e157955c26df1a8e85139cd943f9c8a4c97a5aa16e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1f974262fab62182fe8c929237fde27e
SHA1 0268901c1e69507c60aec9fc8f18042f9f299bbf
SHA256 45ff8a5e55bdd87dbb26dad6e1652f4e7a2680a387690d367a315ca8f14f71f5
SHA512 2f0fdbf9ab5ba12f6c45ca31c1ef73752566bd07005cb88cd84d3134912e2f65ae0e56f365e23f9afefb15c898bc57d46e5bde56dc928e45367dbdf6d6785f0a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 48e8ac7bee76fdbeae2b8b0d28deca81
SHA1 0e327bdecd6f023273a1c80e63296eaefc6cae95
SHA256 3a5eb83e76aa3a99afe2428e8413ca409eb64ed8e1571b6585e237c964574c31
SHA512 7e7ea7948def26b3e203bc2d4281801616cc759074b67588167d5d54cfbceb47e10678cee793e7ff6f67773cc40a1ac57e618dfe7041a6ac0bf689afd0002053

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 04d933fa8df943f9002462905d02ef0f
SHA1 a6151aad526a8f4ff8de0eaf4f90bad7fe695d5c
SHA256 8f83f8d06b203a1b0453dc386c3782e01b8893733a589464f31e2c0bdad298e3
SHA512 3bcf84cdd942b7e0aa2cea96990c74a620fef0900d8a80ec3dfa1618e1ab28dcf16b331ccda36cf206075787233fc206722b1562f0c8da920ce9aa10ae6958c4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b8a301d45da033d55f9c178a415707cd
SHA1 91182523b6111c081955901a3a79566c0c1c3d4f
SHA256 c23637b8669065753f1a8ed7ba14572461c3da6b510b1388c322be64a97a1e87
SHA512 85a62846360b4b5fd2959e35e47d4bc04c4d44e157f2a757fe05376b149c64aa27d2f8cec5759301c2adbb4b92960b96b2e94c6da91836e7ccbaf4fb626c67df

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1799f89a357e8d66ff1b34ebd61efa8b
SHA1 c1c1af9303e1215f97ae399642876f5880563cc9
SHA256 11ee855b327321afcb02afe71a34fddd5a9ca5c684a0d7b76626bc008971db2a
SHA512 2432e16f781a60e371bd6bef4ab397036710e351b704085bbcea34cb598b26a3f430472d9824fd38fb50279db4b505c3d5259789f54fffe0d15b171cbb7fd328

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3a53d809caf16d3e29ea13fb0e769288
SHA1 b19674f0e38cee428833ad372332c19d968fcac3
SHA256 c967a811cc08f30c0fca62f7e0ab5d5fc6105265766fd60f5d1bb5a43f399988
SHA512 37a10fb5b5f00e6890f34dbd02abf47830cde2298db322772f4f57457c06ae27a5cdfbeb376be7e5bb5cb6a8016ff887898d602cea69bceb0659c73c67f87a0a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c1bc97e15c60757010201d9683c47969
SHA1 f829c574200538de6ba3dd3c11c98efa31ce7406
SHA256 78431d20a5d0143e441e3dd5ca2e7440e872623cd587a3e69556cf7960aea9f5
SHA512 bcaa945a5b11d90e1f1c4b37b877a125adff1e3f6c75e220fddf345de11ebb4afbaa537a60c6bbae0779fbb739f6378ccae28fbc4ec1d0619960296338aa0e46

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fcfc4b9150c718d3e527adcb617a1c0c
SHA1 53b2f680d1dee2791d76d3b698d061a7eaff7d54
SHA256 9573723c958069e2840e1f7bdda2c259424e5fdc632852599233d475e7ff82f6
SHA512 8f3dfd4fe32c7cde82ec864dc908ce75ec6a4fa268dc68de73ba7c762df86ed86ab737e75dd82e6c9b120c48a37948b06a835fbc996fc20a58d087daf42c806b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d7f7b95e163763ba8d6ee2cbeb3c6880
SHA1 a7de0e568728783924752728877611d401b5b653
SHA256 d3b749479755e709bcdd20cf92ff85c4f39d9a621acea71fcebf2fa55ab8f8dc
SHA512 a8e121d6294901119a12e4bf5052b66d87b5ae1678a6e4410267675bb061bb0e9c7db2ef7b512bc258db68b23143e927bb2ed34b895e32fb4c3c738757ae1409

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3c0ba3f618f0efe72268dcc2625ca7df
SHA1 50d61db4c9fdf1fd77a93cbac53c6ec570c92fb9
SHA256 2c7d4b7085a3d512b4b24ccf5bb755daabe2b613d77358127633f338e1e4f1b3
SHA512 fd26ef2116d5aee75ea72f8177436d3badcea54d70bdd05ec50b053c49b1d959275d038e79f4184cd040af52c32fa5a59c0025bf65134b611a12d4ee024ed107

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 37db1ca398f47cf4ea42dcfa7d7a8c57
SHA1 939d40b91b3a3516a6a3fa626761c8e36fa23b07
SHA256 05646bc2cc5178c28f2ab3731cccaf7e338d7aef4968f090623f5ee15b69c7e4
SHA512 dec8621d019a4e5d3c4dd779c1820c5dd86d8265bec3f4f68270642ec31ad2c535ec45b44367df5d0d62e6b19b79999b4af3016fd52eb2ae9190f89a5a94207a