
Analysis Report YZ1q5HY7kK.exe

Overview

General Information

Sample Name: YZ1q5HY7kK.exe
Analysis ID: 383823
MD5: 77dfc735d37c3f44ab13d253ccd5417c
SHA1: fa4d120c3f31281722c11c65aecf200634e7299b
SHA256: 802c523228e29013b5b60c643272ba0c837a7de3902c55424d7779535309a235
Tags: exe

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Allocates memory in foreign processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Startup

  • System is w10x64
  • YZ1q5HY7kK.exe (PID: 6884 cmdline: 'C:\Users\user\Desktop\YZ1q5HY7kK.exe' MD5: 77DFC735D37C3F44AB13D253CCD5417C)
    • AddInProcess32.exe (PID: 7088 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000000.00000002.651607493.0000000002FDB000.00000004.00000001.sdmp | Rule: SUSP_Double_Base64_Encoded_Executable | Description: Detects an executable that has been encoded with base64 twice | Author: Florian Roth
  • 0x6ff8:$: VFZxUUFBT
Source: 00000000.00000002.653277688.0000000004009000.00000004.00000001.sdmp | Rule: SUSP_Double_Base64_Encoded_Executable | Description: Detects an executable that has been encoded with base64 twice | Author: Florian Roth
  • 0x1e69b8:$: VFZxUUFBT
Source: Process Memory Space: AddInProcess32.exe PID: 7088 | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: Process Memory Space: YZ1q5HY7kK.exe PID: 6884 | Rule: SUSP_Double_Base64_Encoded_Executable | Description: Detects an executable that has been encoded with base64 twice | Author: Florian Roth
  • 0x3ceb4:$: VFZxUUFBT
  • 0x356d94:$: VFZxUUFBT

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    AV Detection:

    Antivirus detection for URL or domain
    Source: https://ry.beablog.ru | Avira URL Cloud: Label: PUA
    Source: http://ynnnzonie.xyz/ | Avira URL Cloud: Label: malware
    Source: http://ynnnzonie.xyz | Avira URL Cloud: Label: malware
    Source: https://ry.beablog.ru/SystemComponentModelDesignerCategoryAttributeE | Avira URL Cloud: Label: PUA
    Source: http://ynnnzonie.xyz:80/ | Avira URL Cloud: Label: malware
    Multi AV Scanner detection for submitted file
    Source: YZ1q5HY7kK.exe | Virustotal: Detection: 47%
    Source: YZ1q5HY7kK.exe | Metadefender: Detection: 32%
    Source: YZ1q5HY7kK.exe | ReversingLabs: Detection: 68%
    Source: YZ1q5HY7kK.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
    Source: unknown | HTTPS traffic detected: 81.177.140.169:443 -> 192.168.2.4:49719 version: TLS 1.2
    Source: YZ1q5HY7kK.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_0546FC80
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_0546FC88
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_0546F6EC
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_0546F6F8

    Networking:

    Performs DNS queries to domains with low reputation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | DNS query: ynnnzonie.xyz
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | DNS query: ynnnzonie.xyz
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | DNS query: ynnnzonie.xyz
    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/GetArguments" | Host: ynnnzonie.xyz | Content-Length: 137 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/VerifyScanRequest" | Host: ynnnzonie.xyz | Content-Length: 24598 | Expect: 100-continue | Accept-Encoding: gzip, deflate
    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" | Host: ynnnzonie.xyz | Content-Length: 24584 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
    Source: Joe Sandbox View | IP Address: 81.177.140.169
    Source: Joe Sandbox View | ASN Name: AS40676US
    Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: k9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmpString found in binary or memory: romium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different 
versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-j
    Source: unknown | DNS traffic detected: queries for: ry.beablog.ru
    Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/GetArguments" | Host: ynnnzonie.xyz | Content-Length: 137 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
    Source: AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com/
    Source: AddInProcess32.exe, 00000004.00000002.705315360.00000000013DE000.00000004.00000020.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
    Source: AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.orgdP~
    Source: YZ1q5HY7kK.exe, 00000000.00000002.651574218.0000000002FC5000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
    Source: AddInProcess32.exe, 00000004.00000002.705315360.00000000013DE000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
    Source: AddInProcess32.exe, 00000004.00000002.705315360.00000000013DE000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
    Source: AddInProcess32.exe, 00000004.00000002.705315360.00000000013DE000.00000004.00000020.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: http://forms.rea
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: http://go.micros
    Source: AddInProcess32.exe, 00000004.00000002.705315360.00000000013DE000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0
    Source: AddInProcess32.exe, 00000004.00000002.705315360.00000000013DE000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
    Source: YZ1q5HY7kK.exe, 00000000.00000002.651574218.0000000002FC5000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0#
    Source: YZ1q5HY7kK.exe, 00000000.00000002.651574218.0000000002FC5000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
    Source: AddInProcess32.exe, 00000004.00000002.706464446.0000000003251000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.datacontract.org
    Source: AddInProcess32.exe, 00000004.00000002.706464446.0000000003251000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
    Source: AddInProcess32.exe, 00000004.00000002.706464446.0000000003251000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/BrowserExtension.Objects.Enums
    Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
    Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
    Source: AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
    Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
    Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
    Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
    Source: YZ1q5HY7kK.exe, 00000000.00000002.651423377.0000000002F61000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: http://service.r
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: http://support.a
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: http://support.apple.com/kb/HT203092
    Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/
    Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/0
    Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetArguments
    Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetArgumentsResponse
    Source: AddInProcess32.exe, 00000004.00000002.706509045.000000000327B000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.705910872.000000000306A000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
    Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
    Source: AddInProcess32.exe, 00000004.00000002.706253891.000000000312E000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.706486141.0000000003267000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyScanRequest
    Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyScanRequestResponse
    Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
    Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
    Source: AddInProcess32.exe, 00000004.00000002.706486141.0000000003267000.00000004.00000001.sdmp | String found in binary or memory: http://ynnnzonie.xyz
    Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp | String found in binary or memory: http://ynnnzonie.xyz/
    Source: AddInProcess32.exe, 00000004.00000002.706509045.000000000327B000.00000004.00000001.sdmp | String found in binary or memory: http://ynnnzonie.xyz41k
    Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp | String found in binary or memory: http://ynnnzonie.xyz:80/
    Source: AddInProcess32.exe, 00000004.00000002.706253891.000000000312E000.00000004.00000001.sdmp | String found in binary or memory: http://ynnnzonie.xyzdrt
    Source: AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
    Source: AddInProcess32.exe | String found in binary or memory: https://api.ip.sb/geoip
    Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.704724330.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.ip.sb/geoipAppData
    Source: AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp | String found in binary or memory: https://api.ip.sb41k
    Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.704724330.0000000000402000.00000040.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org
    Source: AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
    Source: AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
    Source: AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
    Source: AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: https://get.adob
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: https://helpx.ad
    Source: AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp | String found in binary or memory: https://icanhazip.com
    Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.704724330.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy
    Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp, AddInProcess32.exe, AddInProcess32.exe, 00000004.00000002.704724330.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://ipinfo.io/ip%appdata%
    Source: AddInProcess32.exe, 00000004.00000002.705854567.000000000303C000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.705971238.0000000003083000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
    Source: YZ1q5HY7kK.exe, 00000000.00000002.651423377.0000000002F61000.00000004.00000001.sdmp | String found in binary or memory: https://ry.beablog.ru
    Source: YZ1q5HY7kK.exe, 00000000.00000002.651423377.0000000002F61000.00000004.00000001.sdmp | String found in binary or memory: https://ry.beablog.ru/SystemComponentModelDesignerCategoryAttributeE
    Source: AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
    Source: AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
    Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784
    Source: AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp | String found in binary or memory: https://wtfismyip.com/text
    Source: AddInProcess32.exe, 00000004.00000002.705315360.00000000013DE000.00000004.00000020.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
    Source: AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
    Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
    Source: unknown | HTTPS traffic detected: 81.177.140.169:443 -> 192.168.2.4:49719 version: TLS 1.2
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Code function: 0_2_0546FEB8 NtUnmapViewOfSection, 0_2_0546FEB8
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Code function: 0_2_0546FEB0 NtUnmapViewOfSection, 0_2_0546FEB0
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Code function: 0_2_00B941F3
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Code function: 0_2_02E7C1F8
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Code function: 0_2_02E7EB00
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Code function: 0_2_02E70FC8
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Code function: 0_2_02E7F288
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Code function: 0_2_02F07B7F
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Code function: 0_2_02F091F8
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Code function: 0_2_02F0B681
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Code function: 0_2_02F06400
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Code function: 0_2_0546D567
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_02E7D7F0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_02E7CAB8
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_06388340
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_06380040
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0638FA68
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_06381180
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_06382830
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_06382840
    Source: YZ1q5HY7kK.exe | Binary or memory string: OriginalFilename vs YZ1q5HY7kK.exe
    Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMicate.exe4 vs YZ1q5HY7kK.exe
    Source: YZ1q5HY7kK.exe, 00000000.00000002.649694134.0000000000B92000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDianthus.exe4 vs YZ1q5HY7kK.exe
    Source: YZ1q5HY7kK.exe, 00000000.00000002.656615061.0000000005500000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs YZ1q5HY7kK.exe
    Source: YZ1q5HY7kK.exe | Binary or memory string: OriginalFilenameDianthus.exe4 vs YZ1q5HY7kK.exe
    Source: YZ1q5HY7kK.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
    Source: 00000000.00000002.651607493.0000000002FDB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
    Source: 00000000.00000002.653277688.0000000004009000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
    Source: Process Memory Space: YZ1q5HY7kK.exe PID: 6884, type: MEMORY | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
    Source: classification engine | Classification label: mal92.troj.spyw.evad.winEXE@3/28@6/2
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\YZ1q5HY7kK.exe.log
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\Temp\tmp777.tmp
    Source: YZ1q5HY7kK.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: YZ1q5HY7kK.exe | Virustotal: Detection: 47%
    Source: YZ1q5HY7kK.exe | Metadefender: Detection: 32%
    Source: YZ1q5HY7kK.exe | ReversingLabs: Detection: 68%
    Source: unknown | Process created: C:\Users\user\Desktop\YZ1q5HY7kK.exe 'C:\Users\user\Desktop\YZ1q5HY7kK.exe'
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
    Source: YZ1q5HY7kK.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: YZ1q5HY7kK.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: YZ1q5HY7kK.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: YZ1q5HY7kK.exe | Static PE information: 0xDBB3B79A [Sun Oct 20 21:37:30 2086 UTC]
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Code function: 0_2_0546C7A2 push esp; retf 0_2_0546C7A9
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Code function: 0_2_0546CA51 push 8B67B81Ch; ret 0_2_0546CA59
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_02E70470 push FFFFFFC3h; ret 4_2_02E704AA
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Process information set: NOOPENFILEERRORBOX (39 occurrences)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX (65 occurrences)

    Malware Analysis System Evasion:

    Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
    Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Window / User API: threadDelayed 1381
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Window / User API: threadDelayed 6249
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe TID: 6904 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 4780 | Thread sleep time: -11990383647911201s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1320 | Thread sleep time: -30000s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7140 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
    Source: YZ1q5HY7kK.exe, 00000000.00000002.656615061.0000000005500000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: YZ1q5HY7kK.exe, 00000000.00000002.656615061.0000000005500000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: YZ1q5HY7kK.exe, 00000000.00000002.656615061.0000000005500000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: AddInProcess32.exe, 00000004.00000002.705196441.000000000135B000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: YZ1q5HY7kK.exe, 00000000.00000002.656615061.0000000005500000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Code function: 0_2_02E70448 LdrInitializeThunk,0_2_02E70448
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Process token adjusted: Debug
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process token adjusted: Debug
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion:

    Allocates memory in foreign processes
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
    Injects a PE file into a foreign process
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
    Writes to foreign memory regions
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 418000
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 41A000
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: E3E008
    Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe