Windows Analysis Report
2005.exe

Overview

General Information

Sample name: 2005.exe
Analysis ID: 1528311
MD5: 940c75b80536e5c7d686c5847c51ad2b
SHA1: 1edd8c4294d91737f05abf1b88215b2c13ea3f0c
SHA256: a1b39e60f3d07c2ae8b375211e7dbac4efc0011444e9b09e6e37a496554fdb86

Detection

Dice
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Dice Ransomware
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Deletes shadow drive data (may be related to ransomware)
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: 2005.exe Avira: detected
Source: 2005.exe ReversingLabs: Detection: 91%
Source: 2005.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_0040586B CryptStringToBinaryA,GetProcessHeap,HeapAlloc,CryptStringToBinaryA,CryptImportKey,GetProcessHeap,HeapFree, 0_2_0040586B
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_00405B1C CryptEncrypt,CryptEncrypt,CryptEncrypt, 0_2_00405B1C
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_00404C82 CryptAcquireContextW,GetLastError,CryptAcquireContextW, 0_2_00404C82
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_00405A73 CryptGenRandom, 0_2_00405A73
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_00405AF7 CryptEncrypt, 0_2_00405AF7
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_00405C99 CryptEncrypt, 0_2_00405C99
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_00407FC1 CloseHandle,WaitForSingleObject,CloseHandle,CloseHandle,CryptDestroyKey,CryptReleaseContext, 0_2_00407FC1
Source: 2005.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\Default\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\Dylan\Desktop\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\Dylan\Favorites\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\Dylan\Links\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\Dylan\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\Dylan\Searches\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\Desktop\BPMLNOBVSB\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\Desktop\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\Desktop\NIKHQAIQAU\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\Desktop\RAYHIWGKDI\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\Documents\BPMLNOBVSB\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\Documents\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\Documents\NIKHQAIQAU\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\Documents\RAYHIWGKDI\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\Downloads\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\Favorites\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\Links\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\Searches\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\Public\Desktop\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\Public\Libraries\readme.txt
Source: unknown HTTPS traffic detected: 52.111.227.14:443 -> 192.168.11.30:49773 version: TLS 1.2
Source: C:\Users\user\Desktop\2005.exe File opened: z:
Source: C:\Users\user\Desktop\2005.exe File opened: x:
Source: C:\Users\user\Desktop\2005.exe File opened: v:
Source: C:\Users\user\Desktop\2005.exe File opened: t:
Source: C:\Users\user\Desktop\2005.exe File opened: r:
Source: C:\Users\user\Desktop\2005.exe File opened: p:
Source: C:\Users\user\Desktop\2005.exe File opened: n:
Source: C:\Users\user\Desktop\2005.exe File opened: l:
Source: C:\Users\user\Desktop\2005.exe File opened: j:
Source: C:\Users\user\Desktop\2005.exe File opened: h:
Source: C:\Users\user\Desktop\2005.exe File opened: f:
Source: C:\Users\user\Desktop\2005.exe File opened: d:
Source: C:\Users\user\Desktop\2005.exe File opened: b:
Source: C:\Users\user\Desktop\2005.exe File opened: y:
Source: C:\Users\user\Desktop\2005.exe File opened: w:
Source: C:\Users\user\Desktop\2005.exe File opened: u:
Source: C:\Users\user\Desktop\2005.exe File opened: s:
Source: C:\Users\user\Desktop\2005.exe File opened: q:
Source: C:\Users\user\Desktop\2005.exe File opened: o:
Source: C:\Users\user\Desktop\2005.exe File opened: m:
Source: C:\Users\user\Desktop\2005.exe File opened: k:
Source: C:\Users\user\Desktop\2005.exe File opened: i:
Source: C:\Users\user\Desktop\2005.exe File opened: g:
Source: C:\Users\user\Desktop\2005.exe File opened: e:
Source: C:\Users\user\Desktop\2005.exe File opened: c:
Source: C:\Users\user\Desktop\2005.exe File opened: a:
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_004061A6 FindFirstFileW,PostQueuedCompletionStatus,FindNextFileW,FindClose, 0_2_004061A6
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_0040EF8C FindFirstFileExW, 0_2_0040EF8C
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown TCP traffic detected without corresponding DNS query: 23.219.82.74
Source: unknown TCP traffic detected without corresponding DNS query: 23.44.201.15
Source: unknown TCP traffic detected without corresponding DNS query: 142.251.40.99
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.121.28
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.121.28
Source: unknown TCP traffic detected without corresponding DNS query: 142.251.40.99
Source: unknown TCP traffic detected without corresponding DNS query: 52.111.227.14
Source: unknown TCP traffic detected without corresponding DNS query: 52.111.227.14
Source: unknown TCP traffic detected without corresponding DNS query: 52.111.227.14
Source: unknown TCP traffic detected without corresponding DNS query: 52.111.227.14
Source: unknown TCP traffic detected without corresponding DNS query: 52.111.227.14
Source: unknown TCP traffic detected without corresponding DNS query: 52.111.227.14
Source: unknown TCP traffic detected without corresponding DNS query: 52.111.227.14
Source: unknown TCP traffic detected without corresponding DNS query: 52.111.227.14
Source: unknown TCP traffic detected without corresponding DNS query: 52.111.227.14
Source: global traffic HTTP traffic detected:
GET /nexus/rules?Application=officeclicktorun.exe&Version=16.0.14326.20384&ClientId=%7bB0D7ECDF-3EEF-4767-BB67-27861CCFA721%7d&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.14326.20384& HTTP/1.1
Connection: Keep-Alive
Accept: application/vnd.ms-nexus-rules-v16+xml
Accept-Encoding: gzip
If-Modified-Since: Mon, 07 Oct 2024 14:16:33 GMT
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.14326; Pro)
X-MS-Collection-Policy: ExternalRestrictive, Heartbeat
X-MS-Process-Session-Id: {7E978EA8-AD6B-4BED-887D-8CF0E69AE9DF}
Host: nexusrules.officeapps.live.com
(The source process is recorded as unknown; the Application=officeclicktorun.exe parameter, the User-Agent and the Host identify this as Office Click-to-Run telemetry from the analysis VM, not traffic attributable to 2005.exe. The same applies to the 52.111.227.14:443 TLS session and the TCP connections without DNS queries listed above, none of which the sandbox attributes to the sample.)
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown HTTPS traffic detected: 52.111.227.14:443 -> 192.168.11.30:49773 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Documents\RAYHIWGKDI\readme.txt Dropped file:
Your data are STOLEN and your servers is LOCKED.
The data will be published on TOR website if you do not contact with us.
You can contact us directly for further instructions through emails:
ccfarmy@tutanota.com
ccfarmy@protonmail.com
In subject write your personal id (below).
Recovery information:
key: eyJleHQiOiIuZGljZSIsIm5ldHdvcmsiOiJ0cnVlIiwic3ViaWQiOiIyMDA1IiwibGFuZyI6ImVuLUdCACJ9
personal id: ARQOOLG
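The "key" in the dropped readme.txt is plain base64, not key material. The following is an added triage helper (editor's example, not part of the sandbox report or of the malware) that decodes the blob exactly as it appears above. It assumes nothing beyond the Python standard library; the interpretation of the fields (ext as the appended extension, subid as a build/affiliate identifier that happens to equal the sample's filename 2005) is an inference from the decoded values, not something the report states.

```python
import base64
import json

# The "key" value copied verbatim from the dropped readme.txt recorded in this report.
RECOVERY_KEY = (
    "eyJleHQiOiIuZGljZSIsIm5ldHdvcmsiOiJ0cnVlIiwic3ViaWQiOiIyMDA1IiwibGFuZyI6ImVuLUdCACJ9"
)


def decode_recovery_key(blob: str) -> dict:
    """Base64-decode the ransom note's 'key' and parse the result as JSON.

    The decoded bytes end in  ...\"en-GB\\x00\"}  : a NUL byte sits inside the last
    JSON string (most likely a C string terminator copied along with the text;
    this is an inference, the report does not say so). Python's json module
    rejects raw control characters inside strings in strict mode, so the blob
    is parsed with strict=False and NULs are stripped from the values afterwards.
    """
    # validate=True makes b64decode raise on any character outside the base64
    # alphabet instead of silently discarding it, so a tampered blob fails loudly.
    raw = base64.b64decode(blob, validate=True)
    text = raw.decode("utf-8")
    cfg = json.loads(text, strict=False)
    return {k: (v.rstrip("\x00") if isinstance(v, str) else v) for k, v in cfg.items()}


def summarize(cfg: dict) -> str:
    """One-line summary of the decoded fields for an IOC sheet or triage note."""
    return "ext={ext} network={network} subid={subid} lang={lang}".format(**cfg)


if __name__ == "__main__":
    decoded = decode_recovery_key(RECOVERY_KEY)
    print(summarize(decoded))
```

Running it prints the four fields: the extension .dice (which is why the Yara hit is labelled Dice although the matched rule family is RanzyLocker / REntS), network=true, subid=2005 and lang=en-GB. The per-victim "personal id" (ARQOOLG) is separate from this blob and is not recoverable from it.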
Source: Yara match File source: Process Memory Space: 2005.exe PID: 8016, type: MEMORYSTR
Source: 2005.exe, 00000000.00000002.115419026016.000000000066D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: )gC:\Windows\System32\OpenSSH\vssadmin.exe Delete Shadows \All \Quiet.exe.
Source: 2005.exe, 00000000.00000003.114232661054.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\system32\vssadmin.exe Delete Shadows \All.exee:
Source: 2005.exe, 00000000.00000003.114232661054.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\system\vssadmin.exe Delete Shadowse
Source: 2005.exe, 00000000.00000003.114232661054.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\system\vssadmin.exe Delete Shadows
Source: 2005.exe, 00000000.00000003.114232661054.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\vssadmin.exe Delete Shadows \All.exe
Source: 2005.exe, 00000000.00000003.114232661054.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\System32\OpenSSH\vssadmin.exe Deleteg
Source: 2005.exe, 00000000.00000003.114232661054.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\System32\OpenSSH\vssadmin.exe DeleteI
Source: 2005.exe, 00000000.00000003.114232661054.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\SYSTEM32\vssadmin.exe Delete Shadows
Source: 2005.exe, 00000000.00000003.114232661054.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\System32\Wbem\vssadmin.exe Deletexe
Source: 2005.exe, 00000000.00000003.114232661054.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\system32\vssadmin.exe Delete Shadows
Source: 2005.exe, 00000000.00000003.114232661054.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\vssadmin.exe Delete ShadowsU
Source: 2005.exe, 00000000.00000003.114232661054.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\system32\vssadmin.exe Delete
Source: 2005.exe, 00000000.00000003.114232293852.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\system32\vssadmin.exe Delete Shadows \All.exee:
Source: 2005.exe, 00000000.00000003.114232293852.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\system\vssadmin.exe Delete Shadowse
Source: 2005.exe, 00000000.00000003.114232293852.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\system\vssadmin.exe Delete Shadows
Source: 2005.exe, 00000000.00000003.114232293852.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\vssadmin.exe Delete Shadows \All.exe
Source: 2005.exe, 00000000.00000003.114232293852.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\System32\OpenSSH\vssadmin.exe Deleteg
Source: 2005.exe, 00000000.00000003.114232293852.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\System32\OpenSSH\vssadmin.exe DeleteI
Source: 2005.exe, 00000000.00000003.114232293852.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\SYSTEM32\vssadmin.exe Delete Shadows
Source: 2005.exe, 00000000.00000003.114232293852.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\System32\Wbem\vssadmin.exe Deletexe
Source: 2005.exe, 00000000.00000003.114232293852.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\system32\vssadmin.exe Delete Shadows
Source: 2005.exe, 00000000.00000003.114232293852.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\vssadmin.exe Delete ShadowsU
Source: 2005.exe, 00000000.00000003.114232293852.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\system32\vssadmin.exe Delete
Source: 2005.exe, 00000000.00000003.114231822326.0000000000692000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\system32\vssadmin.exe Delete Shadows \All.exee:
Source: 2005.exe, 00000000.00000003.114231822326.0000000000692000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\system\vssadmin.exe Delete Shadowse
Source: 2005.exe, 00000000.00000003.114231822326.0000000000692000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\system\vssadmin.exe Delete Shadows
Source: 2005.exe, 00000000.00000003.114231822326.0000000000692000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\vssadmin.exe Delete Shadows \All.exe
Source: 2005.exe, 00000000.00000003.114231822326.0000000000692000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\System32\OpenSSH\vssadmin.exe Deleteg
Source: 2005.exe, 00000000.00000003.114231822326.0000000000692000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\System32\OpenSSH\vssadmin.exe DeleteI
Source: 2005.exe, 00000000.00000003.114231822326.0000000000692000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\SYSTEM32\vssadmin.exe Delete Shadows
Source: 2005.exe, 00000000.00000003.114231822326.0000000000692000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\System32\Wbem\vssadmin.exe Deletexe
Source: 2005.exe, 00000000.00000003.114231822326.0000000000692000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\system32\vssadmin.exe Delete Shadows
Source: 2005.exe, 00000000.00000003.114231822326.0000000000692000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\vssadmin.exe Delete ShadowsU
Source: 2005.exe, 00000000.00000003.114231822326.0000000000692000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\system32\vssadmin.exe Delete
Source: 2005.exe, 00000000.00000003.114231822326.0000000000692000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\vssadmin.exe Delete Shadows
Source: 2005.exe, 00000000.00000003.114232503357.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\system32\vssadmin.exe Delete Shadows \All.exee:
Source: 2005.exe, 00000000.00000003.114232503357.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\system\vssadmin.exe Delete Shadowse
Source: 2005.exe, 00000000.00000003.114232503357.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\system\vssadmin.exe Delete Shadows
Source: 2005.exe, 00000000.00000003.114232503357.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\vssadmin.exe Delete Shadows \All.exe
Source: 2005.exe, 00000000.00000003.114232503357.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\System32\OpenSSH\vssadmin.exe Deleteg
Source: 2005.exe, 00000000.00000003.114232503357.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\System32\OpenSSH\vssadmin.exe DeleteI
Source: 2005.exe, 00000000.00000003.114232503357.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\SYSTEM32\vssadmin.exe Delete Shadows
Source: 2005.exe, 00000000.00000003.114232503357.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\System32\Wbem\vssadmin.exe Deletexe
Source: 2005.exe, 00000000.00000003.114232503357.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\system32\vssadmin.exe Delete Shadows
Source: 2005.exe, 00000000.00000003.114232503357.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\vssadmin.exe Delete ShadowsU
Source: 2005.exe, 00000000.00000003.114232503357.0000000000693000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\system32\vssadmin.exe Delete
Source: 2005.exe, 00000000.00000002.115418247975.0000000000030000.00000004.00000020.00040000.00000000.sdmp Binary or memory string: C:\Windows\SysWOW64\Wbem\wmic.exe\??\C:\Windows\SysWOW64\Wbem\wmic.exe88382-37782,en-USenwmicC:\Windows\vssadmin.exe Delete Shadows \All \Quiet.exeooHDP
Source: C:\Users\user\Desktop\2005.exe File moved: C:\Users\user\Desktop\NIKHQAIQAU.docx
Source: C:\Users\user\Desktop\2005.exe File deleted: C:\Users\user\Desktop\NIKHQAIQAU.docx
Source: C:\Users\user\Desktop\2005.exe File moved: C:\Users\user\Desktop\QNCYCDFIJJ.mp3
Source: C:\Users\user\Desktop\2005.exe File moved: C:\Users\user\Desktop\RAYHIWGKDI\WKXEWIOTXI.xlsx
Source: C:\Users\user\Desktop\2005.exe File deleted: C:\Users\user\Desktop\RAYHIWGKDI\WKXEWIOTXI.xlsx
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_0040586B CryptStringToBinaryA,GetProcessHeap,HeapAlloc,CryptStringToBinaryA,CryptImportKey,GetProcessHeap,HeapFree, 0_2_0040586B

System Summary

Source: 2005.exe, type: SAMPLE Matched rule: Detects RanzyLocker / REntS ransomware Author: ditekSHen
Source: 0.0.2005.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RanzyLocker / REntS ransomware Author: ditekSHen
Source: 0.2.2005.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RanzyLocker / REntS ransomware Author: ditekSHen
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_00416820 0_2_00416820
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_00404687 0_2_00404687
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_0041477D 0_2_0041477D
Source: C:\Users\user\Desktop\2005.exe Code function: String function: 00414EED appears 35 times
Source: C:\Users\user\Desktop\2005.exe Code function: String function: 00401D0F appears 81 times
Source: C:\Users\user\Desktop\2005.exe Code function: String function: 00408F50 appears 34 times
Source: 2005.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2005.exe, type: SAMPLE Matched rule: MALWARE_Win_RanzyLocker author = ditekSHen, description = Detects RanzyLocker / REntS ransomware
Source: 0.0.2005.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RanzyLocker author = ditekSHen, description = Detects RanzyLocker / REntS ransomware
Source: 0.2.2005.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RanzyLocker author = ditekSHen, description = Detects RanzyLocker / REntS ransomware
Source: classification engine Classification label: mal96.rans.evad.winEXE@16/270@0/100
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_004078AF CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,Process32NextW,TerminateProcess,CloseHandle,CloseHandle, 0_2_004078AF
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\Default\readme.txt
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1784:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4932:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4932:304:WilStaging_02
Source: C:\Users\user\Desktop\2005.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\35355FA5-07E9-428B-B5A5-1C88CAB2B488
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1784:304:WilStaging_02
Source: C:\Users\user\Desktop\2005.exe Command line argument: -nolan 0_2_00406884
Source: C:\Users\user\Desktop\2005.exe Command line argument: xqh 0_2_00406884
Source: 2005.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\2005.exe File read: C:\$Recycle.Bin\S-1-5-21-3425316567-2969588382-3778222414-1003\desktop.ini
Source: C:\Users\user\Desktop\2005.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 2005.exe ReversingLabs: Detection: 91%
Source: unknown Process created: C:\Users\user\Desktop\2005.exe "C:\Users\user\Desktop\2005.exe"
Source: C:\Users\user\Desktop\2005.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2005.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2005.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2005.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2005.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2005.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: C:\Users\user\Desktop\2005.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: C:\Users\user\Desktop\2005.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: C:\Users\user\Desktop\2005.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: C:\Users\user\Desktop\2005.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
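Two things in this report are worth separating when writing detection for the shadow-copy deletion: the process tree shows only WMIC.exe children ("wmic.exe SHADOWCOPY /nointeractive", five times), while the "vssadmin.exe Delete Shadows /All /Quiet" strings exist only in memory, with copies under System32\OpenSSH, System32\Wbem, system and C:\Windows that look like CreateProcess resolving an unqualified "vssadmin.exe" through PATH (an inference; the sandbox never records vssadmin.exe being launched). The following is an added detection example (editor's code, not part of the report) that scores process-creation events for both forms. The event records and the benign look-alikes are constructed for the example; the field names (parent image, image, command line) mirror a Sysmon Event ID 1 style record but are an assumption of this example, not a given log format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Patterns derived from the command lines and memory strings in this report.
# The "/nointeractive" rule is matched literally because that is the exact WMIC child
# the sandbox observed; the vssadmin form comes from the in-memory strings.
SHADOW_DELETE_PATTERNS = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wmic_shadowcopy_nointeractive",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*/nointeractive\b", re.I)),
]


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed sample events. The first two reproduce the command lines recorded in this
# report (the vssadmin one with the usual forward-slash switches; the memory dump shows
# it with backslashes); the remaining three are benign administrative look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\2005.exe", r"C:\Windows\SysWOW64\wbem\WMIC.exe",
              "wmic.exe SHADOWCOPY /nointeractive"),
    ProcEvent(r"C:\Users\user\Desktop\2005.exe", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe list shadows"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic.exe os get caption"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic shadowcopy list brief"),
]


def match_shadow_delete(cmdline: str) -> List[str]:
    """Return the names of every pattern that matches the command line."""
    return [name for name, rx in SHADOW_DELETE_PATTERNS if rx.search(cmdline)]


def score_event(ev: ProcEvent) -> Optional[dict]:
    """Turn a process-creation event into an alert, or None if it is not shadow-copy deletion.

    Severity is raised when the parent lives under C:\\Users: backup agents and
    administrators launch these tools from system paths or an interactive shell,
    whereas here the parent is the sample sitting on the user's desktop.
    """
    hits = match_shadow_delete(ev.command_line)
    if not hits:
        return None
    parent_in_user_profile = ev.parent_image.lower().startswith("c:\\users\\")
    return {
        "rules": hits,
        "parent": ev.parent_image,
        "image": ev.image,
        "cmdline": ev.command_line,
        "severity": "high" if parent_in_user_profile else "medium",
    }


def triage(events: List[ProcEvent]) -> List[dict]:
    """Run score_event over a batch of events and keep only the alerts."""
    return [alert for alert in (score_event(e) for e in events) if alert is not None]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["severity"], alert["rules"], alert["cmdline"], "<-", alert["parent"])
```

Only the two events reproducing the report's command lines alert; "vssadmin list shadows" and "wmic shadowcopy list brief" do not, because the rules require the delete verb or the /nointeractive switch rather than any mention of shadow copies. A rule keyed on the WMIC child alone would have caught everything this sandbox run actually executed, but the vssadmin rule is still needed for hosts where the PATH lookup succeeds and that command line is really spawned.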
Source: C:\Users\user\Desktop\2005.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: dfscli.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\2005.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\2005.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4a04656d-52aa-49de-8a09-cb178760e748}\InProcServer32
Source: 2005.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_00414E93 push ecx; ret 0_2_00414EA6
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_00408F96 push ecx; ret 0_2_00408FA9
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\Default\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\Dylan\Desktop\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\Dylan\Favorites\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\Dylan\Links\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\Dylan\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\Dylan\Searches\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\Desktop\BPMLNOBVSB\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\Desktop\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\Desktop\NIKHQAIQAU\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\Desktop\RAYHIWGKDI\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\Documents\BPMLNOBVSB\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\Documents\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\Documents\NIKHQAIQAU\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\Documents\RAYHIWGKDI\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\Downloads\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\Favorites\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\Links\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\user\Searches\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\Public\Desktop\readme.txt
Source: C:\Users\user\Desktop\2005.exe File created: C:\Users\Public\Libraries\readme.txt
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\2005.exe Code function: GetAdaptersInfo,GetAdaptersInfo,GetAdaptersInfo, 0_2_00406E73
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_004061A6 FindFirstFileW,PostQueuedCompletionStatus,FindNextFileW,FindClose, 0_2_004061A6
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_0040EF8C FindFirstFileExW, 0_2_0040EF8C
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_00407E01 GetSystemInfo,CreateIoCompletionPort, 0_2_00407E01
Source: 2005.exe, 00000000.00000002.115420756551.0000000002C40000.00000004.00000020.00020000.00000000.sdmp, 2005.exe, 00000000.00000003.114326991795.0000000002C42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWK
Source: 2005.exe, 00000000.00000002.115419026016.000000000066D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicshutdownrf
Source: 2005.exe, 00000000.00000003.114250939954.0000000002C49000.00000004.00000020.00020000.00000000.sdmp, 2005.exe, 00000000.00000003.114302616475.0000000002C49000.00000004.00000020.00020000.00000000.sdmp, 2005.exe, 00000000.00000003.114276557619.0000000002C49000.00000004.00000020.00020000.00000000.sdmp, 2005.exe, 00000000.00000003.114287454500.0000000002C49000.00000004.00000020.00020000.00000000.sdmp, 2005.exe, 00000000.00000003.114467113100.0000000002C49000.00000004.00000020.00020000.00000000.sdmp, 2005.exe, 00000000.00000003.114485214468.0000000002C49000.00000004.00000020.00020000.00000000.sdmp, 2005.exe, 00000000.00000003.114274291921.0000000002C49000.00000004.00000020.00020000.00000000.sdmp, 2005.exe, 00000000.00000003.114520734476.0000000002C49000.00000004.00000020.00020000.00000000.sdmp, 2005.exe, 00000000.00000003.114371646419.0000000002C49000.00000004.00000020.00020000.00000000.sdmp, 2005.exe, 00000000.00000003.114294682733.0000000002C49000.00000004.00000020.00020000.00000000.sdmp, 2005.exe, 00000000.00000003.114244720065.0000000002C4A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 2005.exe, 00000000.00000002.115419026016.000000000066D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: C:\Users\user\Desktop\2005.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_004077F2 GetCurrentProcess,CheckRemoteDebuggerPresent,IsDebuggerPresent, 0_2_004077F2
Source: C:\Users\user\Desktop\2005.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_0040CBBD mov eax, dword ptr fs:[00000030h] 0_2_0040CBBD
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_0040EC7B mov eax, dword ptr fs:[00000030h] 0_2_0040EC7B
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_0040EC37 mov eax, dword ptr fs:[00000030h] 0_2_0040EC37
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_0040586B CryptStringToBinaryA,GetProcessHeap,HeapAlloc,CryptStringToBinaryA,CryptImportKey,GetProcessHeap,HeapFree, 0_2_0040586B
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_0040BB67 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040BB67
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_0040844D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040844D
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_00408D50 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00408D50
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_00408EE6 SetUnhandledExceptionFilter, 0_2_00408EE6
Source: C:\Users\user\Desktop\2005.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_00408B70 cpuid 0_2_00408B70
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\Default\NTUSER.DAT VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\Dylan\Desktop\Excel.lnk VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\Dylan\Desktop\PowerPoint.lnk VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\Dylan\Desktop\Word.lnk VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\Dylan\Favorites\Bing.url VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\Dylan\Links\Desktop.lnk VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\Dylan\Links\Downloads.lnk VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\Dylan\NTUSER.DAT VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\Dylan\Searches\Indexed Locations.search-ms VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\Dylan\Searches\winrt--{S-1-5-21-3425316567-2969588382-3778222414-1002}-.searchconnector-ms VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\BPMLNOBVSB\BPMLNOBVSB.docx VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\BPMLNOBVSB\FENIVHOIKN.xlsx VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\BPMLNOBVSB\SFPUSAFIOL.mp3 VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\BPMLNOBVSB\UOOJJOZIRH.png VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\BPMLNOBVSB\VAMYDFPUND.jpg VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\BPMLNOBVSB\WKXEWIOTXI.pdf VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\BPMLNOBVSB.docx VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\BPMLNOBVSB.xlsx VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\CURQNKVOIX.png VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\Excel.lnk VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\FENIVHOIKN.jpg VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\FENIVHOIKN.xlsx VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\LSBIHQFDVT.png VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\NIKHQAIQAU\BPMLNOBVSB.xlsx VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\NIKHQAIQAU\CURQNKVOIX.png VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\NIKHQAIQAU\FENIVHOIKN.jpg VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\NIKHQAIQAU\NIKHQAIQAU.docx VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\NIKHQAIQAU\RAYHIWGKDI.pdf VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\NIKHQAIQAU\WKXEWIOTXI.mp3 VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\NIKHQAIQAU.docx VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\QNCYCDFIJJ.mp3 VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\RAYHIWGKDI\LSBIHQFDVT.png VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\RAYHIWGKDI\QNCYCDFIJJ.mp3 VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\RAYHIWGKDI\RAYHIWGKDI.docx VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\RAYHIWGKDI\SQRKHNBNYN.pdf VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\RAYHIWGKDI\WKXEWIOTXI.xlsx VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\RAYHIWGKDI.docx VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\SFPUSAFIOL.mp3 VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\SQRKHNBNYN.pdf VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\UOOJJOZIRH.png VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\VAMYDFPUND.jpg VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\WKXEWIOTXI.mp3 VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\WKXEWIOTXI.pdf VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\WKXEWIOTXI.xlsx VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Desktop\Word.lnk VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Documents\BPMLNOBVSB\BPMLNOBVSB.docx VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Documents\BPMLNOBVSB\SFPUSAFIOL.mp3 VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Documents\BPMLNOBVSB\WKXEWIOTXI.pdf VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Documents\BPMLNOBVSB.docx VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Documents\FENIVHOIKN.jpg VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Documents\FENIVHOIKN.xlsx VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Documents\LSBIHQFDVT.png VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Documents\NIKHQAIQAU\BPMLNOBVSB.xlsx VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Documents\NIKHQAIQAU\RAYHIWGKDI.pdf VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Documents\NIKHQAIQAU\WKXEWIOTXI.mp3 VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Documents\RAYHIWGKDI\LSBIHQFDVT.png VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Documents\RAYHIWGKDI\RAYHIWGKDI.docx VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Documents\RAYHIWGKDI\SFPUSAFIOL.jpg VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Documents\RAYHIWGKDI\WKXEWIOTXI.xlsx VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Documents\RAYHIWGKDI.pdf VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Documents\SFPUSAFIOL.mp3 VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Documents\SQRKHNBNYN.pdf VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Documents\UOOJJOZIRH.png VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Documents\VAMYDFPUND.jpg VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Documents\WKXEWIOTXI.mp3 VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Documents\WKXEWIOTXI.xlsx VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Downloads\BPMLNOBVSB.docx VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Downloads\CURQNKVOIX.png VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Downloads\QNCYCDFIJJ.mp3 VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Downloads\RAYHIWGKDI.pdf VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Downloads\UOOJJOZIRH.png VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Downloads\VAMYDFPUND.jpg VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Downloads\WKXEWIOTXI.pdf VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Downloads\WKXEWIOTXI.xlsx VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Favorites\Amazon.url VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Favorites\Facebook.url VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Favorites\Live.url VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Favorites\NYTimes.url VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Favorites\Twitter.url VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Favorites\Wikipedia.url VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Links\Desktop.lnk VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\Links\Downloads.lnk VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Queries volume information: C:\Users\user\NTUSER.DAT VolumeInformation
Source: C:\Users\user\Desktop\2005.exe Code function: 0_2_0040E970 GetSystemTimeAsFileTime, 0_2_0040E970