File name:

keyfinder.exe

Full analysis: https://app.any.run/tasks/666abbfb-0ad1-4dff-8a68-dfca3ef7d11d
Verdict: Malicious activity
Analysis date: July 01, 2024, 18:10:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

4187DFAF99E89CC211EB3F2BF6AF81CA

SHA1:

55FC92048228AAAB920A9D164DFF7BA92117EC82

SHA256:

3CF64F198A3A58F608639823AE689CBFF75DC475996CBD14EBD16550D9886F1C

SSDEEP:

12288:XQx8br+SgmYjgVobXcJTEjK25I3yWwR4C0Ecnb/Lxh+khPg85:PfQjUT/25a87inxIX85

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • keyfinder.exe (PID: 116)

  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • keyfinder.exe (PID: 116)

  • INFO

    • Checks supported languages

      • keyfinder.exe (PID: 116)

    • Reads Environment values

      • keyfinder.exe (PID: 116)

    • Reads the computer name

      • keyfinder.exe (PID: 116)

    • Reads Windows Product ID

      • keyfinder.exe (PID: 116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (37.4)
.scr | Windows screen saver (34.5)
.exe | Win32 Executable (generic) (11.9)
.exe | Win16/32 Executable Delphi generic (5.4)
.exe | Generic Win/DOS Executable (5.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 601088
InitializedDataSize: 193024
UninitializedDataSize: -
EntryPoint: 0x938fc
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.0.10.14
ProductVersionNumber: 2.0.10.14
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: ONE UP LTD.
FileDescription: Magical Jelly Bean Keyfinder
FileVersion: 2.0.10.14
InternalName: KeyFinder
LegalCopyright: © ONE UP LTD. All rights reserved.
LegalTrademarks: -
OriginalFileName: keyfinder.exe
ProductName: Magical Jelly Bean Keyfinder
ProductVersion: 2.0.10.14
Comments: Product key recovery utility
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
133
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start keyfinder.exe keyfinder.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
116"C:\Users\admin\AppData\Local\Temp\keyfinder.exe" C:\Users\admin\AppData\Local\Temp\keyfinder.exe
explorer.exe
User:
admin
Company:
ONE UP LTD.
Integrity Level:
HIGH
Description:
Magical Jelly Bean Keyfinder
Version:
2.0.10.14
Modules
Images
c:\users\admin\appdata\local\temp\keyfinder.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
4804"C:\Users\admin\AppData\Local\Temp\keyfinder.exe" C:\Users\admin\AppData\Local\Temp\keyfinder.exeexplorer.exe
User:
admin
Company:
ONE UP LTD.
Integrity Level:
MEDIUM
Description:
Magical Jelly Bean Keyfinder
Exit code:
3221226540
Version:
2.0.10.14
Modules
Images
c:\users\admin\appdata\local\temp\keyfinder.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events
107
Read events
107
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
56
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1544
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
4656
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
unknown
3040
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
unknown
4328
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
unknown
5404
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
unknown
1912
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
unknown
1912
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4032
svchost.exe
239.255.255.250:1900
whitelisted
2444
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4636
RUXIMICS.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4656
SearchApp.exe
92.123.104.38:443
www.bing.com
Akamai International B.V.
DE
unknown
4656
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1544
svchost.exe
40.126.32.138:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1544
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4656
SearchApp.exe
92.123.104.51:443
www.bing.com
Akamai International B.V.
DE
unknown
1060
svchost.exe
23.35.238.131:443
go.microsoft.com
AKAMAI-AS
DE
unknown

DNS requests

Domain
IP
Reputation
www.bing.com
  • 92.123.104.38
  • 92.123.104.37
  • 92.123.104.51
  • 92.123.104.50
  • 92.123.104.56
  • 92.123.104.35
  • 92.123.104.45
  • 92.123.104.42
  • 92.123.104.36
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.138
  • 40.126.32.133
  • 20.190.160.20
  • 40.126.32.140
  • 40.126.32.72
  • 20.190.160.22
  • 40.126.32.136
  • 40.126.32.76
whitelisted
r.bing.com
  • 92.123.104.51
  • 92.123.104.42
  • 92.123.104.36
  • 92.123.104.37
  • 92.123.104.56
  • 92.123.104.38
  • 92.123.104.35
  • 92.123.104.45
  • 92.123.104.50
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
self.events.data.microsoft.com
  • 20.189.173.15
whitelisted
arc.msn.com
  • 20.199.58.43
  • 20.223.35.26
whitelisted
slscr.update.microsoft.com
  • 40.68.123.157
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
keyfinder.exe