File name: PriceRequestforOrder.exe

Full analysis: https://app.any.run/tasks/272c4d0b-03e7-4a10-abc5-f9677185e20e
Verdict: Malicious activity
Threats:

A keylogger is spyware that records every keystroke made on an infected device, giving the attacker the victim's personal information, including online banking credentials and private conversations. The most common infection vector is a phishing email or link, and keylogging is also a standard component of many remote access trojans. This sample is classified as Snake Keylogger, which goes beyond keystroke capture: the report shows it harvesting browser credentials, checking the host's external IP address, and exfiltrating over SMTP with a hard-coded mailbox (see the extracted configuration below).

Analysis date: May 16, 2025, 08:49:30
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
snake
keylogger
evasion
netreactor
stealer
smtp
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 7A38D9A10FF810F0AF23D5FFEA5596CD
SHA1: 107F203D83DB44D09908622BAFA68FBE20B9AD1D
SHA256: 11A6F8044B9078F2D4617C4523F6540948A71B26B38890CA099F5A74DDD217A6
SSDEEP: 24576:2Ax8gxgYlCPkuTE/RROfgS0XvuBtQ3ukq1SY06LvhCnQ2V3ULJe9cbjV5HKkezwI:2Ax8gxgYlCPkuTE/RROfgS0XvuBtQeJz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • PriceRequestforOrder.exe (PID: 7388)
    • Steals credentials from Web Browsers

      • PriceRequestforOrder.exe (PID: 7788)
    • SNAKE has been detected (YARA)

      • PriceRequestforOrder.exe (PID: 7788)
    • Actions looks like stealing of personal data

      • PriceRequestforOrder.exe (PID: 7788)
    • SNAKEKEYLOGGER has been detected (SURICATA)

      • PriceRequestforOrder.exe (PID: 7788)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • PriceRequestforOrder.exe (PID: 7388)
    • Reads security settings of Internet Explorer

      • PriceRequestforOrder.exe (PID: 7388)
    • Application launched itself

      • PriceRequestforOrder.exe (PID: 7388)
    • The process verifies whether the antivirus software is installed

      • PriceRequestforOrder.exe (PID: 7788)
    • Checks for external IP

      • PriceRequestforOrder.exe (PID: 7788)
      • svchost.exe (PID: 2196)
    • Connects to SMTP port

      • PriceRequestforOrder.exe (PID: 7788)
  • INFO

    • Reads the computer name

      • PriceRequestforOrder.exe (PID: 7388)
      • PriceRequestforOrder.exe (PID: 7788)
    • Reads the machine GUID from the registry

      • PriceRequestforOrder.exe (PID: 7388)
      • PriceRequestforOrder.exe (PID: 7788)
    • Checks supported languages

      • PriceRequestforOrder.exe (PID: 7388)
      • PriceRequestforOrder.exe (PID: 7788)
    • Create files in a temporary directory

      • PriceRequestforOrder.exe (PID: 7388)
    • Creates files or folders in the user directory

      • PriceRequestforOrder.exe (PID: 7388)
    • .NET Reactor protector has been detected

      • PriceRequestforOrder.exe (PID: 7388)
    • Process checks computer location settings

      • PriceRequestforOrder.exe (PID: 7388)
    • Disables trace logs

      • PriceRequestforOrder.exe (PID: 7788)
    • Checks proxy server information

      • PriceRequestforOrder.exe (PID: 7788)
      • slui.exe (PID: 8132)
    • Reads the software policy settings

      • PriceRequestforOrder.exe (PID: 7788)
      • slui.exe (PID: 8132)

SnakeKeylogger configuration (extracted from PID 7788, PriceRequestforOrder.exe)

Keys
  DES: 6fc98cd68a1aab8b
Options
  SMTP User: geetanjali.kalra@bsc-icc.co
  SMTP Password: B$ciC@($%)#
  SMTP Host: mail.bsc-icc.co
  SMTP SendTo: dwaynesimpson112@proton.me
  SMTP Port: 587

The sending account and mail host belong to a third-party domain (bsc-icc.co); for this family that is usually a compromised legitimate mailbox rather than attacker-owned infrastructure, while the proton.me address is the collection mailbox the stolen data is forwarded to. Outbound TCP/587 from a workstation to mail.bsc-icc.co is the exfiltration channel to block and alert on, and the credentials above should be treated as compromised and reported to the domain owner.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:15 02:06:19+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 590336
InitializedDataSize: 9728
UninitializedDataSize: -
EntryPoint: 0x9201e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: High-performance genetic modeling and evolutionary simulation platform with advanced phylogenetic analysis, CRISPR pathway modeling, and genomic visualization capabilities
CompanyName: Nucleogenesis Laboratories
FileDescription: HeliχPrime
FileVersion: 0.0.0.0
InternalName: VlOH.exe
LegalCopyright: © Nucleogenesis Laboratories 2025 | Patent Pending
LegalTrademarks: Heliχ™ · EvoSim™ · BioDigital Sequence™
OriginalFileName: VlOH.exe
ProductName: H⃝e⃝l⃝i⃝χ⃝P⃝r⃝i⃝m⃝e⃝
ProductVersion: Heliχ.Prime.3.Darwin
AssemblyVersion: 0.0.0.0

The version resource is decoy metadata: the internal and original file name (VlOH.exe) does not match the delivered name, the product name is padded with combining enclosing-circle characters, and the "genetic modeling platform" description has nothing to do with the binary's behaviour. The link timestamp (2025-05-15) is one day before the analysis, consistent with a freshly built lure. Such mismatches work as weak detection features but are trivial for the operator to change.
Total processes: 131
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph (process tree, from the parent-process data below)

PriceRequestforOrder.exe (PID 7388)
  |- schtasks.exe (PID 7720, no specs)
  |    `- conhost.exe (PID 7728, no specs)
  `- PriceRequestforOrder.exe (PID 7788) #SNAKE
svchost.exe (PID 2196)
svchost.exe -> slui.exe (PID 8132)

Process information (PID | command line | path | parent process)
PID 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | Path: C:\Windows\System32\svchost.exe | Parent: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID 7388 | "C:\Users\admin\Desktop\PriceRequestforOrder.exe" | Path: C:\Users\admin\Desktop\PriceRequestforOrder.exe | Parent: explorer.exe
User:
admin
Company:
Nucleogenesis Laboratories
Integrity Level:
MEDIUM
Description:
HeliχPrime
Exit code:
0
Version:
0.0.0.0
Modules
Images
c:\users\admin\desktop\pricerequestfororder.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID 7720 | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QrWYYzg" /XML "C:\Users\admin\AppData\Local\Temp\tmp124C.tmp" | Path: C:\Windows\SysWOW64\schtasks.exe | Parent: PriceRequestforOrder.exe (the 32-bit parent asked for System32, so WoW64 file-system redirection resolved it to SysWOW64)
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 7728 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 7788 | "C:\Users\admin\Desktop\PriceRequestforOrder.exe" | Path: C:\Users\admin\Desktop\PriceRequestforOrder.exe | Parent: PriceRequestforOrder.exe (PID 7388)
User:
admin
Company:
Nucleogenesis Laboratories
Integrity Level:
MEDIUM
Description:
HeliχPrime
Version:
0.0.0.0
Modules
Images
c:\users\admin\desktop\pricerequestfororder.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID 8132 | C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe | Parent: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 8 068
Read events: 8 054
Write events: 14
Delete events: 0

Modification events

All listed writes come from PID 7788 (PriceRequestforOrder.exe) under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ (10 of the 14 write events are shown):

PriceRequestforOrder_RASAPI32
  EnableFileTracing = 0
  EnableAutoFileTracing = 0
  EnableConsoleTracing = 0
  FileTracingMask = (value not captured)
  ConsoleTracingMask = (value not captured)
  MaxFileSize = 1048576
  FileDirectory = %windir%\tracing

PriceRequestforOrder_RASMANCS
  EnableFileTracing = 0
  EnableAutoFileTracing = 0
  EnableConsoleTracing = 0

These keys are what the "Disables trace logs" signature fires on. They are created with exactly these default values by the RAS tracing subsystem the first time a process initialises rasapi32.dll, which the .NET HTTP stack does on its own, so they appear for almost any networked .NET program and carry little weight as evidence by themselves. The per-process key name is still a handy artefact: a Tracing\<name>_RASAPI32 key for a binary that has no business making network calls is worth a look.
Executable files: 1
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files (PID | process | filename | type)

7388 | PriceRequestforOrder.exe | C:\Users\admin\AppData\Roaming\QrWYYzg.exe | executable
  MD5: 7A38D9A10FF810F0AF23D5FFEA5596CD
  SHA256: 11A6F8044B9078F2D4617C4523F6540948A71B26B38890CA099F5A74DDD217A6
7388 | PriceRequestforOrder.exe | C:\Users\admin\AppData\Local\Temp\tmp124C.tmp | xml
  MD5: E725B4027CCDDB52B1797B1BE1905447
  SHA256: CC49EB1646A1F42527B7E4016D4BF146B069C0A02DFE6E6081B0777F0A28F52E

QrWYYzg.exe carries the same MD5 and SHA256 as the submitted file, so the "dropped" executable is a byte-for-byte self-copy placed in %APPDATA%; tmp124C.tmp is the task definition handed to schtasks.exe (/TN "Updates\QrWYYzg" /XML ...) that points persistence at that copy. On a live host, pull the registered task (schtasks /Query /TN "Updates\QrWYYzg" /XML) and hash the target file rather than assuming the same build.
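The persistence chain above (self-copy to %APPDATA%, task definition written to %TEMP%, registered with schtasks /XML) is what a responder wants to triage on other hosts. The following is an added example, not code from ANY.RUN or from the sample: it parses a Task Scheduler XML definition, flags Exec actions that run from user-writable directories, at logon, or hidden, and checks the target binary's SHA-256 against the hashes in this report. The XML is constructed for illustration (the report does not reproduce tmp124C.tmp); the task name and path mirror the schtasks command line above, the trigger and Hidden setting are assumptions, and the hash lookup is simulated so the script runs offline. On a real host, pass sha256_file as the lookup.

```python
"""Triage a Task Scheduler XML definition for user-level persistence.

Added example (not ANY.RUN's or the sample's code). The XML below is
constructed: the report shows the schtasks command line and the dropped
file's hashes, but not the content of tmp124C.tmp.
"""
import hashlib
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations an unprivileged user can write to. A task whose action lives here
# is the classic "copy self to %APPDATA%, run at logon" persistence pattern.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|ProgramData|Public|Users\\[^\\]+\\(Desktop|Downloads|Documents))\\",
    re.IGNORECASE,
)

# SHA-256 of PriceRequestforOrder.exe / QrWYYzg.exe as listed in the report.
KNOWN_BAD_SHA256 = {
    "11a6f8044b9078f2d4617c4523f6540948a71b26b38890ca099f5a74ddd217a6",
}

# Constructed task definition mirroring /TN "Updates\QrWYYzg" and the dropped
# copy's path. The LogonTrigger and Hidden setting are assumptions.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Updates\\QrWYYzg</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\admin\\AppData\\Roaming\\QrWYYzg.exe</Command></Exec>
  </Actions>
</Task>"""


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file on disk; use this as hash_lookup on a live host."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def triage_task_xml(xml_text, known_bad, hash_lookup=sha256_file):
    """Return one finding per <Exec> action, with the reasons it looks suspicious.

    hash_lookup(path) must return a hex SHA-256 (any case) or None.
    """
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS).strip()
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=TASK_NS).strip().lower() == "true"
    at_logon = root.find("t:Triggers/t:LogonTrigger", TASK_NS) is not None

    findings = []
    for action in root.findall("t:Actions/t:Exec", TASK_NS):
        command = action.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        arguments = action.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        reasons = []
        if USER_WRITABLE.search(command):
            reasons.append("runs from a user-writable directory")
        if at_logon:
            reasons.append("fires at logon")
        if hidden:
            reasons.append("task is hidden")
        try:
            digest = hash_lookup(command)
        except OSError:
            digest = None  # binary already gone; the task itself is still evidence
        if digest and digest.lower() in known_bad:
            reasons.append("binary SHA-256 matches a known IOC")
        findings.append({"uri": uri, "command": command, "arguments": arguments,
                         "sha256": digest, "reasons": reasons})
    return findings


# Simulated host: what Get-FileHash would report for the task's target.
SIMULATED_HASHES = {
    r"C:\Users\admin\AppData\Roaming\QrWYYzg.exe":
        "11A6F8044B9078F2D4617C4523F6540948A71B26B38890CA099F5A74DDD217A6",
}


def demo():
    """Run the triage against the constructed XML and the simulated file system."""
    return triage_task_xml(SAMPLE_TASK_XML, KNOWN_BAD_SHA256, hash_lookup=SIMULATED_HASHES.get)


if __name__ == "__main__":
    for finding in demo():
        print(finding["uri"], "->", finding["command"], "|", "; ".join(finding["reasons"]))
```

The hash lookup is injected rather than hard-wired so the same function works against a mounted forensic image, a remote EDR query, or an offline simulation; a missing binary is reported rather than treated as an error, because a task pointing at a deleted file in %APPDATA% is itself an indicator of cleanup.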
HTTP(S) requests: 19
TCP/UDP connections: 54
DNS requests: 21
Threats: 16

HTTP requests (PID | process | method | HTTP code | IP | URL | CN | reputation)

2104 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2104 | svchost.exe | GET | 200 | 23.216.77.11:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6708 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
7788 | PriceRequestforOrder.exe | GET | 200 | 158.101.44.242:80 | http://checkip.dyndns.org/ | unknown | whitelisted
7788 | PriceRequestforOrder.exe | GET | 200 | 158.101.44.242:80 | http://checkip.dyndns.org/ | unknown | whitelisted
7788 | PriceRequestforOrder.exe | GET | 200 | 158.101.44.242:80 | http://checkip.dyndns.org/ | unknown | whitelisted
7788 | PriceRequestforOrder.exe | GET | 504 | 158.101.44.242:80 | http://checkip.dyndns.org/ | unknown | whitelisted
7952 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7952 | SIHClient.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
7952 | SIHClient.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted

The type and size columns were empty for every row and are omitted. Only the four checkip.dyndns.org requests belong to the sample; the CRL downloads by svchost.exe, RUXIMICS.exe and SIHClient.exe are ordinary Windows certificate-revocation checks. The repeated plain-HTTP requests to checkip.dyndns.org (one of which failed with 504) are the external-IP lookup the keylogger performs before sending its report; the "whitelisted" reputation refers to the domain, not to the behaviour. reallyfreegeoip.org was contacted over TLS and therefore shows up only in the DNS and IDS sections.

Connections (PID | process | IP | domain | ASN | CN | reputation)

2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6708 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | (not listed) | (not listed) | (not listed) | whitelisted
(not listed) | (not listed) | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(not listed) | (not listed) | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2104 | svchost.exe | 23.216.77.11:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6708 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6544 | svchost.exe | 40.126.31.71:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

Ten of the 54 connections are shown, all of them Windows background traffic. The sample's own SMTP session (implied by the configuration's mail.bsc-icc.co:587 and the "Connects to SMTP port" signature) and its TLS session to reallyfreegeoip.org are not in this excerpt; the full report or the PCAP is needed for them.

DNS requests (domain: resolved IPs; reputation)

settings-win.data.microsoft.com: 51.104.136.2, 40.127.240.158; whitelisted
google.com: 172.217.18.14; whitelisted
client.wns.windows.com: 172.211.123.248, 172.211.123.249; whitelisted
crl.microsoft.com: 23.216.77.11, 23.216.77.17, 23.216.77.12, 23.216.77.15, 23.216.77.18, 23.216.77.26, 23.216.77.22, 23.216.77.5, 23.216.77.25, 2.19.11.105, 2.19.11.120; whitelisted
www.microsoft.com: 184.30.21.171, 95.101.149.131; whitelisted
login.live.com: 40.126.31.71, 40.126.31.0, 20.190.159.130, 40.126.31.130, 40.126.31.67, 40.126.31.73, 20.190.159.2, 40.126.31.128; whitelisted
checkip.dyndns.org: 158.101.44.242, 132.226.247.73, 193.122.130.0, 132.226.8.169, 193.122.6.168; whitelisted
reallyfreegeoip.org: 104.21.16.1, 104.21.112.1, 104.21.64.1, 104.21.32.1, 104.21.96.1, 104.21.80.1, 104.21.48.1; malicious
slscr.update.microsoft.com: 4.245.163.56; whitelisted
fe3cr.delivery.mp.microsoft.com: 52.165.164.15; whitelisted

Ten of the 21 queries are shown. Two domains are the sample's: checkip.dyndns.org (external IP) and reallyfreegeoip.org (geolocation, rated malicious here because of its use by stealer families rather than because the service itself is hostile). The resolved addresses for both are shared infrastructure and make poor block-list entries; alert on the names instead. The configured mail host mail.bsc-icc.co does not appear in this excerpt.

Threats (PID | process | class | message)

2196 | svchost.exe | Device Retrieving External IP Address Detected | ET DYN_DNS External IP Lookup Domain in DNS Query (checkip .dyndns .org)
7788 | PriceRequestforOrder.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
7788 | PriceRequestforOrder.exe | Device Retrieving External IP Address Detected | ET INFO 404/Snake/Matiex Keylogger Style External IP Check
7788 | PriceRequestforOrder.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
2196 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
2196 | svchost.exe | Misc activity | ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
7788 | PriceRequestforOrder.exe | Misc activity | ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
7788 | PriceRequestforOrder.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
7788 | PriceRequestforOrder.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
7788 | PriceRequestforOrder.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org

Ten of the 16 alerts are shown. Those attributed to svchost.exe (PID 2196) are DNS queries: that process is the DNS Client service (svchost.exe -k NetworkService -s Dnscache), which resolves names on behalf of the keylogger, so the "Checks for external IP" signature on svchost.exe is the same activity as PID 7788's and not a second infected process. The only family-specific rule in the set, "ET INFO 404/Snake/Matiex Keylogger Style External IP Check", matches the checkip.dyndns.org request pattern these families share; nothing here fires on the SMTP exfiltration itself, which is why the host-side "Connects to SMTP port" signature and the extracted configuration matter for detection.
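The network side of this report, external-IP lookups to checkip.dyndns.org and reallyfreegeoip.org from the same process that then connects to an SMTP port, is a sequence a detection engineer can correlate without any family-specific signature. The following is an added example, not code from ANY.RUN: it walks DNS and connection events per source host and raises a high-confidence alert when an external-IP lookup is followed within ten minutes by SMTP traffic to a mail server outside the organisation's allowlist, or when the SMTP destination is the exfiltration host from the extracted configuration; unexpected SMTP with neither context is reported at low confidence. The event lines, the 10.0.0.0/8 hosts, the allowlisted relay smtp.corp.example, the host mail.unrelated-example.net and the ten-minute window are constructed assumptions; the lookup domains and mail.bsc-icc.co come from this report.

```python
"""Correlate external-IP lookups with unexpected SMTP traffic per host.

Added example (not ANY.RUN's code). Event lines are constructed and loosely
modelled on Zeek dns.log / conn.log fields; replace parse_event() for real logs.
"""
from datetime import datetime, timedelta

# Lookup services abused by Snake/Matiex-style stealers, both seen in the report.
IP_LOOKUP_DOMAINS = {"checkip.dyndns.org", "reallyfreegeoip.org"}
SMTP_PORTS = {25, 465, 587}
# Exfiltration host taken from the extracted SMTP configuration.
KNOWN_EXFIL_HOSTS = {"mail.bsc-icc.co"}
# Assumption: the organisation's legitimate outbound relay(s).
ALLOWED_MAIL_HOSTS = {"smtp.corp.example"}
WINDOW = timedelta(minutes=10)

# Constructed events: timestamp | source host | kind | target | destination port.
SAMPLE_EVENTS = [
    "2025-05-16T08:50:01Z|10.0.0.23|dns|checkip.dyndns.org|",
    "2025-05-16T08:50:02Z|10.0.0.23|conn|158.101.44.242|80",
    "2025-05-16T08:50:05Z|10.0.0.23|dns|reallyfreegeoip.org|",
    "2025-05-16T08:50:09Z|10.0.0.23|conn|mail.bsc-icc.co|587",
    "2025-05-16T09:12:00Z|10.0.0.41|dns|checkip.dyndns.org|",
    "2025-05-16T09:40:00Z|10.0.0.41|conn|smtp.corp.example|587",
    "2025-05-16T09:41:00Z|10.0.0.57|conn|mail.unrelated-example.net|587",
]


def parse_event(line):
    """Split one constructed log line into a dict; port is None for DNS rows."""
    ts, src, kind, target, port = line.strip().split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "kind": kind,
        "target": target.lower(),
        "port": int(port) if port else None,
    }


def detect_lookup_then_smtp(lines):
    """Return alerts for SMTP to non-allowlisted hosts, ranked by context.

    high: preceded by an external-IP lookup from the same host within WINDOW,
          or the destination is a known exfiltration host.
    low:  unexpected SMTP with neither of those (still worth a look).
    """
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    last_lookup = {}  # source host -> time of its most recent external-IP lookup
    alerts = []
    for ev in events:
        if ev["kind"] == "dns" and ev["target"] in IP_LOOKUP_DOMAINS:
            last_lookup[ev["src"]] = ev["ts"]
            continue
        if ev["kind"] != "conn" or ev["port"] not in SMTP_PORTS:
            continue
        if ev["target"] in ALLOWED_MAIL_HOSTS:
            continue  # the corporate relay is the one place SMTP is expected
        seen = last_lookup.get(ev["src"])
        recent_lookup = seen is not None and ev["ts"] - seen <= WINDOW
        known = ev["target"] in KNOWN_EXFIL_HOSTS
        alerts.append({
            "src": ev["src"],
            "smtp_to": ev["target"],
            "port": ev["port"],
            "lookup_at": seen.isoformat() if recent_lookup else None,
            "confidence": "high" if (recent_lookup or known) else "low",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_lookup_then_smtp(SAMPLE_EVENTS):
        print(alert)
```

In the constructed data 10.0.0.23 reproduces the report's sequence and is flagged high, 10.0.0.41 uses the corporate relay and produces nothing, and 10.0.0.57 talks SMTP to an unknown host with no prior lookup and lands at low confidence. Keying on the lookup domains rather than their IP addresses matters here: the DNS section shows both services resolving to large shared CDN ranges.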