Windows Analysis Report
z95g0YV3PKzM3LA5zt.exe

Overview

General Information

Sample name: z95g0YV3PKzM3LA5zt.exe
Analysis ID: 1518579
MD5: b37fbc315b7e7bb63be8df480dc06e9e
SHA1: 4067d052f93087281edbe16f86cfd5fbac07c145
SHA256: 8e1469a8d3fac63fefa4affff492ca82c6d3059bc5c8097a38c04e4e965e1a39
Tags: exeuser-Porcupine
Infos:

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: z95g0YV3PKzM3LA5zt.exe Avira: detected
Found malware configuration
Source: 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7103143262:AAG465MUhsk82xbAoiKNfXs-PGi4dmGgzyE/sendMessage?chat_id=7337843299", "Token": "7103143262:AAG465MUhsk82xbAoiKNfXs-PGi4dmGgzyE", "Chat_id": "7337843299", "Version": "5.1"}
Multi AV Scanner detection for submitted file
Source: z95g0YV3PKzM3LA5zt.exe ReversingLabs: Detection: 34%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: z95g0YV3PKzM3LA5zt.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: z95g0YV3PKzM3LA5zt.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.0
Source: z95g0YV3PKzM3LA5zt.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Xyapk.pdbSHA256 source: z95g0YV3PKzM3LA5zt.exe
Source: Binary string: Xyapk.pdb source: z95g0YV3PKzM3LA5zt.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 4x nop then jmp 072BB68Eh 0_2_072BBBC6
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 4x nop then jmp 0176E61Fh 4_2_0176E431
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 4x nop then jmp 0176EFA9h 4_2_0176E431
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 4x nop then jmp 0176FA39h 4_2_0176F778
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 4_2_0176D7F0

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 132.226.247.73 132.226.247.73
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49717 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49720 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49713 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49731 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49716 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49719 -> 188.114.96.3:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003212000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032CD000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003212000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032CD000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003250000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032FA000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032DA000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: z95g0YV3PKzM3LA5zt.exe, 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032CD000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.000000000322A000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003212000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032CD000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003250000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: z95g0YV3PKzM3LA5zt.exe, 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003212000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032CD000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032A4000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.0000000003250000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000032FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: z95g0YV3PKzM3LA5zt.exe String found in binary or memory: https://static.wikia.nocookie.net/mitologa/images/a/a3/Imagen_por_defecto.png/revision/latest/thumbn
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3564, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3564, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3608, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3608, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 0_2_0126D364 0_2_0126D364
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 0_2_05120006 0_2_05120006
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 0_2_05120040 0_2_05120040
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 0_2_06EC1998 0_2_06EC1998
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 0_2_06EC9518 0_2_06EC9518
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 0_2_06EC9513 0_2_06EC9513
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 0_2_06ECF12B 0_2_06ECF12B
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 0_2_06ECF138 0_2_06ECF138
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 0_2_072B0040 0_2_072B0040
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 0_2_072B75F0 0_2_072B75F0
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 0_2_072B71B8 0_2_072B71B8
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 0_2_072B0006 0_2_072B0006
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 0_2_072B6D6F 0_2_072B6D6F
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 0_2_072B8CE8 0_2_072B8CE8
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 0_2_072B6938 0_2_072B6938
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 0_2_072BE848 0_2_072BE848
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 4_2_01766108 4_2_01766108
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 4_2_0176C190 4_2_0176C190
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 4_2_0176C470 4_2_0176C470
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 4_2_0176E431 4_2_0176E431
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 4_2_0176B4A0 4_2_0176B4A0
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 4_2_0176F778 4_2_0176F778
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 4_2_0176C754 4_2_0176C754
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 4_2_01769858 4_2_01769858
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 4_2_01766880 4_2_01766880
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 4_2_0176BBB8 4_2_0176BBB8
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 4_2_0176CA34 4_2_0176CA34
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 4_2_01764AD9 4_2_01764AD9
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 4_2_0176BEB0 4_2_0176BEB0
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 4_2_0176D7F0 4_2_0176D7F0
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 4_2_0176D7E0 4_2_0176D7E0
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 4_2_01763875 4_2_01763875
Sample file is different than original file name gathered from version info
Source: z95g0YV3PKzM3LA5zt.exe, 00000000.00000000.2145858496.0000000000812000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameXyapk.exe: vs z95g0YV3PKzM3LA5zt.exe
Source: z95g0YV3PKzM3LA5zt.exe, 00000000.00000002.2179154488.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs z95g0YV3PKzM3LA5zt.exe
Source: z95g0YV3PKzM3LA5zt.exe, 00000000.00000002.2175840617.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs z95g0YV3PKzM3LA5zt.exe
Source: z95g0YV3PKzM3LA5zt.exe, 00000000.00000002.2174860901.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs z95g0YV3PKzM3LA5zt.exe
Source: z95g0YV3PKzM3LA5zt.exe, 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs z95g0YV3PKzM3LA5zt.exe
Source: z95g0YV3PKzM3LA5zt.exe, 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs z95g0YV3PKzM3LA5zt.exe
Source: z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4621249210.0000000001157000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs z95g0YV3PKzM3LA5zt.exe
Source: z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs z95g0YV3PKzM3LA5zt.exe
Source: z95g0YV3PKzM3LA5zt.exe Binary or memory string: OriginalFilenameXyapk.exe: vs z95g0YV3PKzM3LA5zt.exe
Uses 32bit PE files
Source: z95g0YV3PKzM3LA5zt.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3564, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3564, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3608, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3608, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: z95g0YV3PKzM3LA5zt.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, ----.cs Base64 encoded string: 'ut1OzrCluW/9VTP3BdyjCRa85OkG0NGBKygUyQwlThgtXkBOEL5s2n8dEfCL+Y0P'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, ----.cs Base64 encoded string: 'ut1OzrCluW/9VTP3BdyjCRa85OkG0NGBKygUyQwlThgtXkBOEL5s2n8dEfCL+Y0P'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, FWiTG5G38fkpqNXSKd.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, PRy9AOYOfo28a09o9Y.cs Security API names: _0020.SetAccessControl
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, PRy9AOYOfo28a09o9Y.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, PRy9AOYOfo28a09o9Y.cs Security API names: _0020.AddAccessRule
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, FWiTG5G38fkpqNXSKd.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, PRy9AOYOfo28a09o9Y.cs Security API names: _0020.SetAccessControl
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, PRy9AOYOfo28a09o9Y.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, PRy9AOYOfo28a09o9Y.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/1@2/2
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z95g0YV3PKzM3LA5zt.exe.log Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Mutant created: NULL
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Mutant created: \Sessions\1\BaseNamedObjects\xkdYybQGWIVFbk
Source: z95g0YV3PKzM3LA5zt.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: z95g0YV3PKzM3LA5zt.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.000000000338D000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000033CF000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.000000000339B000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4623670248.00000000041DA000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.00000000033C3000.00000004.00000800.00020000.00000000.sdmp, z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4622343107.000000000337D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: z95g0YV3PKzM3LA5zt.exe ReversingLabs: Detection: 34%
Source: unknown Process created: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe "C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe"
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process created: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe "C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe"
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process created: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe "C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe"
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process created: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe "C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe" Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process created: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe "C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe" Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: z95g0YV3PKzM3LA5zt.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: z95g0YV3PKzM3LA5zt.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: z95g0YV3PKzM3LA5zt.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Xyapk.pdbSHA256 source: z95g0YV3PKzM3LA5zt.exe
Source: Binary string: Xyapk.pdb source: z95g0YV3PKzM3LA5zt.exe

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: z95g0YV3PKzM3LA5zt.exe, Home.cs .Net Code: InitializeComponent
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7090000.4.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, PRy9AOYOfo28a09o9Y.cs .Net Code: zl40CrGhar System.Reflection.Assembly.Load(byte[])
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.2ccdea8.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, PRy9AOYOfo28a09o9Y.cs .Net Code: zl40CrGhar System.Reflection.Assembly.Load(byte[])
Binary contains a suspicious time stamp
Source: z95g0YV3PKzM3LA5zt.exe Static PE information: 0xA0722687 [Tue Apr 20 12:05:27 2055 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 0_2_072BB5AC pushfd ; ret 0_2_072BB5AD
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 0_2_072B24CC pushfd ; ret 0_2_072B24CD
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 0_2_072B4FF0 pushfd ; ret 0_2_072B4FF1
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 0_2_072B9DDB pushfd ; ret 0_2_072B9DDC
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 0_2_072B5971 pushfd ; ret 0_2_072B5979
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 0_2_072B49D9 pushad ; retf 0_2_072B49E5
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Code function: 4_2_017624B9 push 8BFFFFFFh; retf 4_2_017624BF
Source: z95g0YV3PKzM3LA5zt.exe Static PE information: section name: .text entropy: 7.744576518851154
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7090000.4.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7090000.4.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, FWiTG5G38fkpqNXSKd.cs High entropy of concatenated method names: 'roMRbEDBPo', 'mWfROWO0Lv', 'hvYR38qBES', 'GxQR2l32SN', 'pcZRda5Zj1', 'lNLR85Edg4', 'gw2RMy7njr', 'j34RFlRH23', 'RE4RB9THus', 'atMRoHFJfx'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, rJdl8S4EIMFsWqAWrU.cs High entropy of concatenated method names: 'X9swtUHud0', 'J1dwRXFCen', 'KFmwhVQCQ8', 'DnLwiSrMtW', 'LHLwYTDjTu', 'lMnhdB5oTo', 'YYvh8HiPOU', 'nSxhMGoXBw', 'ewdhFwdswD', 'ut7hBCsfn3'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, SfAnGpQqaAlCguRy2q.cs High entropy of concatenated method names: 'kTUNykZKue', 'eLvNLAM9iV', 'QMqNGfkw8G', 'IlrNQtg65m', 'y8mN5GWwrQ', 'WQANkWRP7Z', 'GhYNgFYKVC', 'FDaNTH3rXZ', 'ejFNmE4fOf', 'SGLNZ8eTBW'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, ivgC5E3TmDknlRVt7E.cs High entropy of concatenated method names: 'ToString', 'BH4kS4Tb7S', 'uy0klB2Au1', 'lKukIHmtnN', 'EM1kKI8iDD', 't58kVFHrFx', 'YE9kxvluN4', 'CPJk9EnWuP', 'jhRkW3DlwR', 'OMdkJl1nun'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, egkYUmX7RAr4MSUhbR1.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dpaZbetXQj', 'dlFZO3kCFL', 'r60Z3GXoGO', 'oVvZ2dQMHj', 'hRpZd135qQ', 'ImyZ8utWBp', 'UdhZMJlDgl'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, DYr2JCpgcbpFW3iPL3.cs High entropy of concatenated method names: 'IYq1GOSA7l', 'ztx1Q1qKYy', 'iDT148Vh4E', 'awP1lxuoyy', 'KFs1KS2mID', 'FmW1V6dyyp', 'wQL19iVYcc', 'DHr1WrBV65', 'jDJ1E0WAfh', 'dLq1SKTLnv'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, tkrKMm81BObwOWpwht.cs High entropy of concatenated method names: 'vFWgF3xYlc', 'FJAgo4Xi92', 'ct7TPwwojL', 'mBNTX5aYP9', 'xqZgSsoit1', 'gmbguFTtdU', 'RMMgpYrB9o', 's4PgbGMm3x', 'WSEgOFVSnT', 'yDlg3VgjUZ'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, hUOYUVbgpAmBlGMGd2.cs High entropy of concatenated method names: 'uXh5E0MROW', 'ov45uxXfvM', 'WIM5bWsxUY', 'Ksd5OvKRA0', 'UKd5lLtUfD', 'Bmb5IKNfPA', 'UC65KZfrbp', 'eN35VisYCC', 'GYB5x0WDlj', 'zav59uJljC'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, p51uIyBLvqaGfHh2Qc.cs High entropy of concatenated method names: 'Bo9T4xM6S3', 'TPUTlKEHjB', 'QaoTImAIPR', 'hUHTKWiter', 'CflTbo5g2e', 'Ef0TV4uT9e', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, TJCXGWJYHbY7Of0cv5.cs High entropy of concatenated method names: 'HXbir2fiV2', 'qtri6dxOyW', 'aQhiCMquS3', 'QcxiytWFMZ', 'dtIijLrZOg', 'F1CiLTYIXZ', 'oDrifjPVo2', 'xAfiGKwOGD', 'bfkiQU8wSN', 'IXSiaitSiU'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, P6xBRGXPsVIyCN86tFt.cs High entropy of concatenated method names: 'zrjmrxFWf7', 'hwcm6kXWYS', 'uqxmClHaAu', 'mSnmywe0de', 'BZDmjEpspw', 'odimLq4HLL', 'S5OmfMqpcR', 'yU6mGQlfvg', 'RJJmQ9h1ZC', 'bdomasZ1RW'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, G26FUwF0lQ4OMj0EHT.cs High entropy of concatenated method names: 'hDPTs2SoSE', 'LhZTRaO3K5', 'FQ8TNhcBZU', 'UJgThjnC6L', 'LJvTwjTvaf', 'gMjTicoV9f', 'vLyTYCTkW9', 'GQUTUOxNng', 'S0OTe8cSdZ', 'KjwTvPFh6s'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, OD3MtX0q54rlpiTRqI.cs High entropy of concatenated method names: 'XBaXiWiTG5', 'S8fXYkpqNX', 'QqaXeAlCgu', 'fy2Xvqkh3m', 'KrVX51gmJd', 'H8SXkEIMFs', 'BbnJtU3E0ZIF716xTw', 'zo2KPUMKJyA5R8apJk', 'F0kXXinwvg', 'JWSX7oQEg6'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, xu2O1A99f7VPQm8VkA.cs High entropy of concatenated method names: 'OPgisIuHjI', 'URTiNrEJLA', 'atyiwi82s0', 'ceFwoHNhIq', 'L3twzeqLvy', 'h4SiPu9S7h', 'WkiiX5Sele', 'EmjiD816WV', 'jf5i7IJddg', 'SWoi0xfPxF'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, PRy9AOYOfo28a09o9Y.cs High entropy of concatenated method names: 'YXh7tD5CI5', 'PjX7sD4sRj', 'AVG7R4la52', 'fWO7NlXani', 'qTd7hq1kay', 'AEN7wT7wda', 'RI07i39TOX', 'Bie7YYIQ0o', 'OGD7UWmAtd', 'KNP7ept416'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, f7qq7CRBDAJVb1ChHc.cs High entropy of concatenated method names: 'Dispose', 'iNTXBYi9Hv', 'QkfDlWTJKG', 'LH7iiY3gN5', 'wl2Xo6FUw0', 'HQ4XzOMj0E', 'ProcessDialogKey', 'uTkDP51uIy', 'BvqDXaGfHh', 'TQcDD4O4X5'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, a8bubl26Qt0gOQkXRc.cs High entropy of concatenated method names: 'mBDgeuemgw', 'UqpgvnYUWJ', 'ToString', 'Q34gsm8YWj', 'VRlgRB1eUm', 'L9jgN5IfrL', 'DYVghaX5sc', 'kmxgwTVh97', 'mpHgi6Hn2H', 'avRgYHXcrh'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, UMBaSczaeF6AZ5yjh0.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UQIm1WXVZV', 'QfHm5qkG3H', 'eWCmkbmjjU', 'JSrmgFsExN', 'tXwmTcqR1k', 'tZ6mmKquqY', 'LlBmZFvBJn'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, LL3julD1IuZS0jrlkJ.cs High entropy of concatenated method names: 'kHbCX6w6N', 'gBCyI4dV2', 'Vu8LDlxNK', 'wBafIyNy7', 'kTlQ5LjM5', 'QPCaO4uhv', 'xoW6OJLodVT4eSSNUU', 'gamIffXTZhEi5GSM3Y', 'fcHTsTeE1', 'WBJZM4Jla'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.7ae0000.5.raw.unpack, FO4X5AoC8eUDAUijMc.cs High entropy of concatenated method names: 'i6KmXkR9k7', 'BjTm7D3PSu', 'DFFm0j9d8Z', 'WkGmscev0w', 'vaymRc6gBY', 'dSOmhvmucp', 'P6omwB2eCV', 'xkrTMhiWgN', 'X0ZTF632LV', 'MQmTBPaGan'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.2ccdea8.0.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.2ccdea8.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, FWiTG5G38fkpqNXSKd.cs High entropy of concatenated method names: 'roMRbEDBPo', 'mWfROWO0Lv', 'hvYR38qBES', 'GxQR2l32SN', 'pcZRda5Zj1', 'lNLR85Edg4', 'gw2RMy7njr', 'j34RFlRH23', 'RE4RB9THus', 'atMRoHFJfx'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, rJdl8S4EIMFsWqAWrU.cs High entropy of concatenated method names: 'X9swtUHud0', 'J1dwRXFCen', 'KFmwhVQCQ8', 'DnLwiSrMtW', 'LHLwYTDjTu', 'lMnhdB5oTo', 'YYvh8HiPOU', 'nSxhMGoXBw', 'ewdhFwdswD', 'ut7hBCsfn3'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, SfAnGpQqaAlCguRy2q.cs High entropy of concatenated method names: 'kTUNykZKue', 'eLvNLAM9iV', 'QMqNGfkw8G', 'IlrNQtg65m', 'y8mN5GWwrQ', 'WQANkWRP7Z', 'GhYNgFYKVC', 'FDaNTH3rXZ', 'ejFNmE4fOf', 'SGLNZ8eTBW'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, ivgC5E3TmDknlRVt7E.cs High entropy of concatenated method names: 'ToString', 'BH4kS4Tb7S', 'uy0klB2Au1', 'lKukIHmtnN', 'EM1kKI8iDD', 't58kVFHrFx', 'YE9kxvluN4', 'CPJk9EnWuP', 'jhRkW3DlwR', 'OMdkJl1nun'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, egkYUmX7RAr4MSUhbR1.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dpaZbetXQj', 'dlFZO3kCFL', 'r60Z3GXoGO', 'oVvZ2dQMHj', 'hRpZd135qQ', 'ImyZ8utWBp', 'UdhZMJlDgl'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, DYr2JCpgcbpFW3iPL3.cs High entropy of concatenated method names: 'IYq1GOSA7l', 'ztx1Q1qKYy', 'iDT148Vh4E', 'awP1lxuoyy', 'KFs1KS2mID', 'FmW1V6dyyp', 'wQL19iVYcc', 'DHr1WrBV65', 'jDJ1E0WAfh', 'dLq1SKTLnv'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, tkrKMm81BObwOWpwht.cs High entropy of concatenated method names: 'vFWgF3xYlc', 'FJAgo4Xi92', 'ct7TPwwojL', 'mBNTX5aYP9', 'xqZgSsoit1', 'gmbguFTtdU', 'RMMgpYrB9o', 's4PgbGMm3x', 'WSEgOFVSnT', 'yDlg3VgjUZ'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, hUOYUVbgpAmBlGMGd2.cs High entropy of concatenated method names: 'uXh5E0MROW', 'ov45uxXfvM', 'WIM5bWsxUY', 'Ksd5OvKRA0', 'UKd5lLtUfD', 'Bmb5IKNfPA', 'UC65KZfrbp', 'eN35VisYCC', 'GYB5x0WDlj', 'zav59uJljC'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, p51uIyBLvqaGfHh2Qc.cs High entropy of concatenated method names: 'Bo9T4xM6S3', 'TPUTlKEHjB', 'QaoTImAIPR', 'hUHTKWiter', 'CflTbo5g2e', 'Ef0TV4uT9e', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, TJCXGWJYHbY7Of0cv5.cs High entropy of concatenated method names: 'HXbir2fiV2', 'qtri6dxOyW', 'aQhiCMquS3', 'QcxiytWFMZ', 'dtIijLrZOg', 'F1CiLTYIXZ', 'oDrifjPVo2', 'xAfiGKwOGD', 'bfkiQU8wSN', 'IXSiaitSiU'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, P6xBRGXPsVIyCN86tFt.cs High entropy of concatenated method names: 'zrjmrxFWf7', 'hwcm6kXWYS', 'uqxmClHaAu', 'mSnmywe0de', 'BZDmjEpspw', 'odimLq4HLL', 'S5OmfMqpcR', 'yU6mGQlfvg', 'RJJmQ9h1ZC', 'bdomasZ1RW'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, G26FUwF0lQ4OMj0EHT.cs High entropy of concatenated method names: 'hDPTs2SoSE', 'LhZTRaO3K5', 'FQ8TNhcBZU', 'UJgThjnC6L', 'LJvTwjTvaf', 'gMjTicoV9f', 'vLyTYCTkW9', 'GQUTUOxNng', 'S0OTe8cSdZ', 'KjwTvPFh6s'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, OD3MtX0q54rlpiTRqI.cs High entropy of concatenated method names: 'XBaXiWiTG5', 'S8fXYkpqNX', 'QqaXeAlCgu', 'fy2Xvqkh3m', 'KrVX51gmJd', 'H8SXkEIMFs', 'BbnJtU3E0ZIF716xTw', 'zo2KPUMKJyA5R8apJk', 'F0kXXinwvg', 'JWSX7oQEg6'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, xu2O1A99f7VPQm8VkA.cs High entropy of concatenated method names: 'OPgisIuHjI', 'URTiNrEJLA', 'atyiwi82s0', 'ceFwoHNhIq', 'L3twzeqLvy', 'h4SiPu9S7h', 'WkiiX5Sele', 'EmjiD816WV', 'jf5i7IJddg', 'SWoi0xfPxF'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, PRy9AOYOfo28a09o9Y.cs High entropy of concatenated method names: 'YXh7tD5CI5', 'PjX7sD4sRj', 'AVG7R4la52', 'fWO7NlXani', 'qTd7hq1kay', 'AEN7wT7wda', 'RI07i39TOX', 'Bie7YYIQ0o', 'OGD7UWmAtd', 'KNP7ept416'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, f7qq7CRBDAJVb1ChHc.cs High entropy of concatenated method names: 'Dispose', 'iNTXBYi9Hv', 'QkfDlWTJKG', 'LH7iiY3gN5', 'wl2Xo6FUw0', 'HQ4XzOMj0E', 'ProcessDialogKey', 'uTkDP51uIy', 'BvqDXaGfHh', 'TQcDD4O4X5'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, a8bubl26Qt0gOQkXRc.cs High entropy of concatenated method names: 'mBDgeuemgw', 'UqpgvnYUWJ', 'ToString', 'Q34gsm8YWj', 'VRlgRB1eUm', 'L9jgN5IfrL', 'DYVghaX5sc', 'kmxgwTVh97', 'mpHgi6Hn2H', 'avRgYHXcrh'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, UMBaSczaeF6AZ5yjh0.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UQIm1WXVZV', 'QfHm5qkG3H', 'eWCmkbmjjU', 'JSrmgFsExN', 'tXwmTcqR1k', 'tZ6mmKquqY', 'LlBmZFvBJn'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, LL3julD1IuZS0jrlkJ.cs High entropy of concatenated method names: 'kHbCX6w6N', 'gBCyI4dV2', 'Vu8LDlxNK', 'wBafIyNy7', 'kTlQ5LjM5', 'QPCaO4uhv', 'xoW6OJLodVT4eSSNUU', 'gamIffXTZhEi5GSM3Y', 'fcHTsTeE1', 'WBJZM4Jla'
Source: 0.2.z95g0YV3PKzM3LA5zt.exe.3ea9458.3.raw.unpack, FO4X5AoC8eUDAUijMc.cs High entropy of concatenated method names: 'i6KmXkR9k7', 'BjTm7D3PSu', 'DFFm0j9d8Z', 'WkGmscev0w', 'vaymRc6gBY', 'dSOmhvmucp', 'P6omwB2eCV', 'xkrTMhiWgN', 'X0ZTF632LV', 'MQmTBPaGan'
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Memory allocated: 1220000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Memory allocated: 2C40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Memory allocated: 2B40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Memory allocated: 92B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Memory allocated: 7CA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Memory allocated: A2B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Memory allocated: B2B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Memory allocated: 1720000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Memory allocated: 3150000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Memory allocated: 3080000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 599782 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 599657 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 599532 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 599422 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 599141 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 599014 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 598902 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 598748 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 598547 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 598422 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 598313 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 598188 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 598063 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 597938 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 597828 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 597719 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 597594 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 597485 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 597360 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 597235 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 596985 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 596860 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 596735 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 596610 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 596485 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 596360 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 596235 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 596110 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 595985 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 595860 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 595735 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 595610 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 595485 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 595360 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 595235 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 595110 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 594985 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 594860 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 594719 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 594610 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 594500 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 594387 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 594282 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 594157 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 594032 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 593907 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 593782 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 593657 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Window / User API: threadDelayed 2146 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Window / User API: threadDelayed 7664 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 5024 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep count: 31 > 30 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -28592453314249787s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -599891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 3152 Thread sleep count: 2146 > 30 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 3152 Thread sleep count: 7664 > 30 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -599782s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep count: 33 > 30 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -599657s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -599532s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -599422s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -599313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -599141s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -599014s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -598902s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -598748s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -598547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -598422s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -598313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -598188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -598063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -597938s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -597828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -597719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -597594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -597485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -597360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -597235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -597110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -596985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -596860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -596735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -596610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -596485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -596360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -596235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -596110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -595985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -595860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -595735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -595610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -595485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -595360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -595235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -595110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -594985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -594860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -594719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -594610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -594500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -594387s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -594282s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -594157s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -594032s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -593907s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -593782s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe TID: 6552 Thread sleep time: -593657s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 599782 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 599657 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 599532 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 599422 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 599141 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 599014 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 598902 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 598748 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 598547 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 598422 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 598313 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 598188 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 598063 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 597938 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 597828 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 597719 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 597594 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 597485 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 597360 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 597235 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 596985 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 596860 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 596735 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 596610 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 596485 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 596360 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 596235 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 596110 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 595985 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 595860 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 595735 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 595610 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 595485 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 595360 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 595235 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 595110 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 594985 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 594860 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 594719 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 594610 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 594500 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 594387 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 594282 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 594157 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 594032 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 593907 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 593782 Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Thread delayed: delay time: 593657 Jump to behavior
Source: z95g0YV3PKzM3LA5zt.exe, 00000004.00000002.4621356875.0000000001386000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Memory written: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process created: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe "C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe" Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Process created: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe "C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Queries volume information: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Queries volume information: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4622343107.0000000003316000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4622343107.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3564, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3608, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\z95g0YV3PKzM3LA5zt.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3564, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3608, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 4.2.z95g0YV3PKzM3LA5zt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e65858.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z95g0YV3PKzM3LA5zt.exe.3e86278.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.4622343107.0000000003316000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4621138342.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2176276577.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2176276577.0000000003E65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4622343107.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3564, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: z95g0YV3PKzM3LA5zt.exe PID: 3608, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1518579 Sample: z95g0YV3PKzM3LA5zt.exe Startdate: 25/09/2024 Architecture: WINDOWS Score: 100 19 reallyfreegeoip.org 2->19 21 checkip.dyndns.org 2->21 23 checkip.dyndns.com 2->23 29 Found malware configuration 2->29 31 Malicious sample detected (through community Yara rule) 2->31 33 Antivirus / Scanner detection for submitted sample 2->33 37 6 other signatures 2->37 7 z95g0YV3PKzM3LA5zt.exe 3 2->7         started        signatures3 35 Tries to detect the country of the analysis system (by using the IP) 19->35 process4 file5 17 C:\Users\user\...\z95g0YV3PKzM3LA5zt.exe.log, ASCII 7->17 dropped 39 Injects a PE file into a foreign processes 7->39 11 z95g0YV3PKzM3LA5zt.exe 15 2 7->11         started        15 z95g0YV3PKzM3LA5zt.exe 7->15         started        signatures6 process7 dnsIp8 25 reallyfreegeoip.org 188.114.96.3, 443, 49715, 49716 CLOUDFLARENETUS European Union 11->25 27 checkip.dyndns.com 132.226.247.73, 49713, 49717, 49720 UTMEMUS United States 11->27 41 Tries to steal Mail credentials (via file / registry access) 11->41 43 Tries to harvest and steal browser information (history, passwords, etc) 11->43 signatures9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.114.96.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS true
132.226.247.73
 checkip.dyndns.com United States
16989 UTMEMUS false

Contacted Domains

Name IP Active
reallyfreegeoip.org 188.114.96.3 true
checkip.dyndns.com 132.226.247.73 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.dyndns.org/ false
  • URL Reputation: safe
 unknown
https://reallyfreegeoip.org/xml/8.46.123.33 false
  • Avira URL Cloud: safe
 unknown