File name:

keylogger.exe

Full analysis: https://app.any.run/tasks/849ae6c3-1ddd-4c52-a2dc-d5d97902f19f
Verdict: Malicious activity
Analysis date: February 05, 2024, 21:28:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
python
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

2252D22159BEE226D369476F40A36AAF

SHA1:

E6D71C86BDA19AA9BFACE3A3FA283408D5E9B85D

SHA256:

556F39B521FF9CBA0B5C3BF77526B55995F03614A4D2E924D30AC5532BB3758B

SSDEEP:

98304:TWBtKGhFrBlPb8CR9J3tTI8duMEP4w2PXYitK+17API5EQNwHcjyjCkNl5HfXGse:o86HflHrTT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • keylogger.exe (PID: 532)

  • SUSPICIOUS

    • Application launched itself

      • keylogger.exe (PID: 532)

    • The process drops C-runtime libraries

      • keylogger.exe (PID: 532)

    • Process drops legitimate windows executable

      • keylogger.exe (PID: 532)

    • Executable content was dropped or overwritten

      • keylogger.exe (PID: 532)

    • Starts CMD.EXE for commands execution

      • keylogger.exe (PID: 1652)

    • Loads Python modules

      • keylogger.exe (PID: 1652)

  • INFO

    • Checks supported languages

      • keylogger.exe (PID: 532)
      • keylogger.exe (PID: 1652)

    • Reads the computer name

      • keylogger.exe (PID: 532)

    • Reads the machine GUID from the registry

      • keylogger.exe (PID: 1652)

    • Create files in a temporary directory

      • keylogger.exe (PID: 532)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:10:20 17:40:28+02:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.34
CodeSize: 151552
InitializedDataSize: 86016
UninitializedDataSize: -
EntryPoint: 0x99e0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows command line
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start keylogger.exe keylogger.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
532"C:\Users\admin\AppData\Local\Temp\keylogger.exe" C:\Users\admin\AppData\Local\Temp\keylogger.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\keylogger.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\apphelp.dll
1632C:\Windows\system32\cmd.exe /c clsC:\Windows\System32\cmd.exekeylogger.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1652"C:\Users\admin\AppData\Local\Temp\keylogger.exe" C:\Users\admin\AppData\Local\Temp\keylogger.exekeylogger.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\keylogger.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\users\admin\appdata\local\temp\_mei5322\ucrtbase.dll
Total events
44
Read events
44
Write events
0
Delete events
0

Modification events

No data
Executable files
52
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
532keylogger.exeC:\Users\admin\AppData\Local\Temp\_MEI5322\_lzma.pydexecutable
MD5:FCBCEB644F1D31EF3EE573BCA0A11601
SHA256:1B597EEB44FE2986E85C9C501670B88C267B8CDDBB453FCC5832F609080F13FC
532keylogger.exeC:\Users\admin\AppData\Local\Temp\_MEI5322\api-ms-win-core-console-l1-1-0.dllexecutable
MD5:31E8D89F4FC47FA2BA3B67529E4A0D5C
SHA256:5DB8413A554551972009FA1A55B98DFAF1BE31BF2EEA726A6A5291ABD172B4E9
532keylogger.exeC:\Users\admin\AppData\Local\Temp\_MEI5322\VCRUNTIME140.dllexecutable
MD5:2EBF45DA71BD8EF910A7ECE7E4647173
SHA256:CF39E1E81F57F42F4D60ABC1D30ECF7D773E576157AA88BBC1D672BF5AD9BB8B
532keylogger.exeC:\Users\admin\AppData\Local\Temp\_MEI5322\_hashlib.pydexecutable
MD5:CD63FE1D1D0932A10D26BB1C83BABE7F
SHA256:CBBF64E3CA0C746539F276A675763E62B2FC43E3D7AC9DC03A9D17CFD978DE87
532keylogger.exeC:\Users\admin\AppData\Local\Temp\_MEI5322\api-ms-win-core-datetime-l1-1-0.dllexecutable
MD5:5788A05D60D71C86902FD6C53BBC8B69
SHA256:55E376DE2F524DEC126D84D1EF1D2B05FA0AB7E4055904ADF19384D6272D465C
532keylogger.exeC:\Users\admin\AppData\Local\Temp\_MEI5322\_socket.pydexecutable
MD5:8110278FC119B04E482A97995027C1D3
SHA256:97B02EE9818260D0FA01170BDE0B51382698E5C02E88C596B9622EB49979E4BC
532keylogger.exeC:\Users\admin\AppData\Local\Temp\_MEI5322\api-ms-win-core-errorhandling-l1-1-0.dllexecutable
MD5:9B1EE5133D3F0ABB91AD9D4190B6FC26
SHA256:7099462A4A4330131F7929ED84ED5E2F1F2129F9565DE8BDF58E21DBA136159F
532keylogger.exeC:\Users\admin\AppData\Local\Temp\_MEI5322\api-ms-win-core-debug-l1-1-0.dllexecutable
MD5:61CE260A4D0392C9AE16B01801E49A9A
SHA256:2170B1D9C435B13320855CA5B2F443251AF5785B98B1D9536F039D1309304E62
532keylogger.exeC:\Users\admin\AppData\Local\Temp\_MEI5322\api-ms-win-core-file-l1-1-0.dllexecutable
MD5:3D135F0AA9292455285737D78F5A268B
SHA256:0B171DDD8ED3B55BD907FBDD7577A59774E0915A909127029D07CCC84BC7429B
532keylogger.exeC:\Users\admin\AppData\Local\Temp\_MEI5322\_ssl.pydexecutable
MD5:D4B663EA8B57FABB82A862041380BB5B
SHA256:AFCE038CA36589040C5DCD1476CF53329DCE3E6A592A10DD71D1A456D7244591
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
keylogger.exe