Analysis Report YZ1q5HY7kK.exe

Overview

General Information

Sample Name: YZ1q5HY7kK.exe
Analysis ID: 383823
MD5: 77dfc735d37c3f44ab13d253ccd5417c
SHA1: fa4d120c3f31281722c11c65aecf200634e7299b
SHA256: 802c523228e29013b5b60c643272ba0c837a7de3902c55424d7779535309a235
Tags: exe
Infos:

Most interesting Screenshot:

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Allocates memory in foreign processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection:

barindex
Antivirus detection for URL or domain
Source: https://ry.beablog.ru Avira URL Cloud: Label: PUA
Source: http://ynnnzonie.xyz/ Avira URL Cloud: Label: malware
Source: http://ynnnzonie.xyz Avira URL Cloud: Label: malware
Source: https://ry.beablog.ru/SystemComponentModelDesignerCategoryAttributeE Avira URL Cloud: Label: PUA
Source: http://ynnnzonie.xyz:80/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: YZ1q5HY7kK.exe Virustotal: Detection: 47% Perma Link
Source: YZ1q5HY7kK.exe Metadefender: Detection: 32% Perma Link
Source: YZ1q5HY7kK.exe ReversingLabs: Detection: 68%

Compliance:

barindex
Uses 32bit PE files
Source: YZ1q5HY7kK.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown HTTPS traffic detected: 81.177.140.169:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: YZ1q5HY7kK.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_0546FC80
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_0546FC88
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_0546F6EC
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_0546F6F8

Networking:

barindex
Performs DNS queries to domains with low reputation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe DNS query: ynnnzonie.xyz
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe DNS query: ynnnzonie.xyz
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe DNS query: ynnnzonie.xyz
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ynnnzonie.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyScanRequest"Host: ynnnzonie.xyzContent-Length: 24598Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: ynnnzonie.xyzContent-Length: 24584Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 81.177.140.169 81.177.140.169
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS40676US AS40676US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: k9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: romium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-j
Source: unknown DNS traffic detected: queries for: ry.beablog.ru
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ynnnzonie.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp String found in binary or memory: http://bot.whatismyipaddress.com/
Source: AddInProcess32.exe, 00000004.00000002.705315360.00000000013DE000.00000004.00000020.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.orgdP~
Source: YZ1q5HY7kK.exe, 00000000.00000002.651574218.0000000002FC5000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: AddInProcess32.exe, 00000004.00000002.705315360.00000000013DE000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: AddInProcess32.exe, 00000004.00000002.705315360.00000000013DE000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: AddInProcess32.exe, 00000004.00000002.705315360.00000000013DE000.00000004.00000020.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: http://forms.rea
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: http://go.micros
Source: AddInProcess32.exe, 00000004.00000002.705315360.00000000013DE000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: AddInProcess32.exe, 00000004.00000002.705315360.00000000013DE000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: YZ1q5HY7kK.exe, 00000000.00000002.651574218.0000000002FC5000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/0#
Source: YZ1q5HY7kK.exe, 00000000.00000002.651574218.0000000002FC5000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: AddInProcess32.exe, 00000004.00000002.706464446.0000000003251000.00000004.00000001.sdmp String found in binary or memory: http://schemas.datacontract.org
Source: AddInProcess32.exe, 00000004.00000002.706464446.0000000003251000.00000004.00000001.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: AddInProcess32.exe, 00000004.00000002.706464446.0000000003251000.00000004.00000001.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/BrowserExtension.Objects.Enums
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: YZ1q5HY7kK.exe, 00000000.00000002.651423377.0000000002F61000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: http://service.r
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: http://support.a
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: http://support.apple.com/kb/HT203092
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/0
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetArguments
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetArgumentsResponse
Source: AddInProcess32.exe, 00000004.00000002.706509045.000000000327B000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.705910872.000000000306A000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: AddInProcess32.exe, 00000004.00000002.706253891.000000000312E000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.706486141.0000000003267000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyScanRequest
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyScanRequestResponse
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: AddInProcess32.exe, 00000004.00000002.706486141.0000000003267000.00000004.00000001.sdmp String found in binary or memory: http://ynnnzonie.xyz
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: http://ynnnzonie.xyz/
Source: AddInProcess32.exe, 00000004.00000002.706509045.000000000327B000.00000004.00000001.sdmp String found in binary or memory: http://ynnnzonie.xyz41k
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: http://ynnnzonie.xyz:80/
Source: AddInProcess32.exe, 00000004.00000002.706253891.000000000312E000.00000004.00000001.sdmp String found in binary or memory: http://ynnnzonie.xyzdrt
Source: AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: AddInProcess32.exe String found in binary or memory: https://api.ip.sb/geoip
Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.704724330.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://api.ip.sb/geoipAppData
Source: AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp String found in binary or memory: https://api.ip.sb41k
Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.704724330.0000000000402000.00000040.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org
Source: AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: https://get.adob
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: https://helpx.ad
Source: AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp String found in binary or memory: https://icanhazip.com
Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.704724330.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy
Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp, AddInProcess32.exe, AddInProcess32.exe, 00000004.00000002.704724330.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: AddInProcess32.exe, 00000004.00000002.705854567.000000000303C000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.705971238.0000000003083000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: YZ1q5HY7kK.exe, 00000000.00000002.651423377.0000000002F61000.00000004.00000001.sdmp String found in binary or memory: https://ry.beablog.ru
Source: YZ1q5HY7kK.exe, 00000000.00000002.651423377.0000000002F61000.00000004.00000001.sdmp String found in binary or memory: https://ry.beablog.ru/SystemComponentModelDesignerCategoryAttributeE
Source: AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp String found in binary or memory: https://wtfismyip.com/text
Source: AddInProcess32.exe, 00000004.00000002.705315360.00000000013DE000.00000004.00000020.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown HTTPS traffic detected: 81.177.140.169:443 -> 192.168.2.4:49719 version: TLS 1.2

System Summary:

barindex
Contains functionality to call native functions
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Code function: 0_2_0546FEB8 NtUnmapViewOfSection, 0_2_0546FEB8
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Code function: 0_2_0546FEB0 NtUnmapViewOfSection, 0_2_0546FEB0
Detected potential crypto function
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Code function: 0_2_00B941F3 0_2_00B941F3
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Code function: 0_2_02E7C1F8 0_2_02E7C1F8
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Code function: 0_2_02E7EB00 0_2_02E7EB00
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Code function: 0_2_02E70FC8 0_2_02E70FC8
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Code function: 0_2_02E7F288 0_2_02E7F288
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Code function: 0_2_02F07B7F 0_2_02F07B7F
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Code function: 0_2_02F091F8 0_2_02F091F8
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Code function: 0_2_02F0B681 0_2_02F0B681
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Code function: 0_2_02F06400 0_2_02F06400
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Code function: 0_2_0546D567 0_2_0546D567
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_02E7D7F0 4_2_02E7D7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_02E7CAB8 4_2_02E7CAB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_06388340 4_2_06388340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_06380040 4_2_06380040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_0638FA68 4_2_0638FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_06381180 4_2_06381180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_06382830 4_2_06382830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_06382840 4_2_06382840
Sample file is different than original file name gathered from version info
Source: YZ1q5HY7kK.exe Binary or memory string: OriginalFilename vs YZ1q5HY7kK.exe
Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMicate.exe4 vs YZ1q5HY7kK.exe
Source: YZ1q5HY7kK.exe, 00000000.00000002.649694134.0000000000B92000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDianthus.exe4 vs YZ1q5HY7kK.exe
Source: YZ1q5HY7kK.exe, 00000000.00000002.656615061.0000000005500000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs YZ1q5HY7kK.exe
Source: YZ1q5HY7kK.exe Binary or memory string: OriginalFilenameDianthus.exe4 vs YZ1q5HY7kK.exe
Uses 32bit PE files
Source: YZ1q5HY7kK.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000000.00000002.651607493.0000000002FDB000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000002.653277688.0000000004009000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: Process Memory Space: YZ1q5HY7kK.exe PID: 6884, type: MEMORY Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: classification engine Classification label: mal92.troj.spyw.evad.winEXE@3/28@6/2
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\YZ1q5HY7kK.exe.log Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\Temp\tmp777.tmp Jump to behavior
Source: YZ1q5HY7kK.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: YZ1q5HY7kK.exe Virustotal: Detection: 47%
Source: YZ1q5HY7kK.exe Metadefender: Detection: 32%
Source: YZ1q5HY7kK.exe ReversingLabs: Detection: 68%
Source: unknown Process created: C:\Users\user\Desktop\YZ1q5HY7kK.exe 'C:\Users\user\Desktop\YZ1q5HY7kK.exe'
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: YZ1q5HY7kK.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: YZ1q5HY7kK.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: YZ1q5HY7kK.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

barindex
Binary contains a suspicious time stamp
Source: YZ1q5HY7kK.exe Static PE information: 0xDBB3B79A [Sun Oct 20 21:37:30 2086 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Code function: 0_2_0546C7A2 push esp; retf 0_2_0546C7A9
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Code function: 0_2_0546CA51 push 8B67B81Ch; ret 0_2_0546CA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_02E70470 push FFFFFFC3h; ret 4_2_02E704AA
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 1381 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 6249 Jump to behavior
Is looking for software installed on the system
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe TID: 6904 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 4780 Thread sleep time: -11990383647911201s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1320 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7140 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: YZ1q5HY7kK.exe, 00000000.00000002.656615061.0000000005500000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: YZ1q5HY7kK.exe, 00000000.00000002.656615061.0000000005500000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: YZ1q5HY7kK.exe, 00000000.00000002.656615061.0000000005500000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: AddInProcess32.exe, 00000004.00000002.705196441.000000000135B000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: YZ1q5HY7kK.exe, 00000000.00000002.656615061.0000000005500000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Code function: 0_2_02E70448 LdrInitializeThunk, 0_2_02E70448
Enables debug privileges
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 418000 Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 41A000 Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: E3E008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Jump to behavior

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Queries volume information: C:\Users\user\Desktop\YZ1q5HY7kK.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

barindex
Found many strings related to Crypto-Wallets (likely being stolen)
Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp String found in binary or memory: ElectrumRule
Source: AddInProcess32.exe, 00000004.00000002.706253891.000000000312E000.00000004.00000001.sdmp String found in binary or memory: k1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp String found in binary or memory: JaxxRule
Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp String found in binary or memory: Ethereum#\Ethereum\wallets
Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp String found in binary or memory: ExodusRule
Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp String found in binary or memory: EthereumRule
Source: AddInProcess32.exe, 00000004.00000002.706253891.000000000312E000.00000004.00000001.sdmp String found in binary or memory: k5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 7088, type: MEMORY
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
81.177.140.169
 ry.beablog.ru Russian Federation
8342 RTCOMM-ASRU false
104.217.62.116
 ynnnzonie.xyz United States
40676 AS40676US true

Contacted Domains

Name IP Active
ry.beablog.ru 81.177.140.169 true
ynnnzonie.xyz 104.217.62.116 true
api.ip.sb unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://ynnnzonie.xyz/ true
  • Avira URL Cloud: malware
 unknown