File name:

keylogger.exe

Full analysis: https://app.any.run/tasks/849ae6c3-1ddd-4c52-a2dc-d5d97902f19f
Verdict: Malicious activity
Analysis date: February 05, 2024, 21:28:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
python
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

2252D22159BEE226D369476F40A36AAF

SHA1:

E6D71C86BDA19AA9BFACE3A3FA283408D5E9B85D

SHA256:

556F39B521FF9CBA0B5C3BF77526B55995F03614A4D2E924D30AC5532BB3758B

SSDEEP:

98304:TWBtKGhFrBlPb8CR9J3tTI8duMEP4w2PXYitK+17API5EQNwHcjyjCkNl5HfXGse:o86HflHrTT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • keylogger.exe (PID: 532)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • keylogger.exe (PID: 532)

    • The process drops C-runtime libraries

      • keylogger.exe (PID: 532)

    • Application launched itself

      • keylogger.exe (PID: 532)

    • Loads Python modules

      • keylogger.exe (PID: 1652)

    • Process drops legitimate windows executable

      • keylogger.exe (PID: 532)

    • Starts CMD.EXE for commands execution

      • keylogger.exe (PID: 1652)

  • INFO

    • Checks supported languages

      • keylogger.exe (PID: 532)
      • keylogger.exe (PID: 1652)

    • Reads the computer name

      • keylogger.exe (PID: 532)

    • Create files in a temporary directory

      • keylogger.exe (PID: 532)

    • Reads the machine GUID from the registry

      • keylogger.exe (PID: 1652)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:10:20 17:40:28+02:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.34
CodeSize: 151552
InitializedDataSize: 86016
UninitializedDataSize: -
EntryPoint: 0x99e0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows command line
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start keylogger.exe keylogger.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
532"C:\Users\admin\AppData\Local\Temp\keylogger.exe" C:\Users\admin\AppData\Local\Temp\keylogger.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\keylogger.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\apphelp.dll
1632C:\Windows\system32\cmd.exe /c clsC:\Windows\System32\cmd.exekeylogger.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1652"C:\Users\admin\AppData\Local\Temp\keylogger.exe" C:\Users\admin\AppData\Local\Temp\keylogger.exekeylogger.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\keylogger.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\users\admin\appdata\local\temp\_mei5322\ucrtbase.dll
Total events
44
Read events
44
Write events
0
Delete events
0

Modification events

No data
Executable files
52
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
532keylogger.exeC:\Users\admin\AppData\Local\Temp\_MEI5322\api-ms-win-core-file-l1-1-0.dllexecutable
MD5:3D135F0AA9292455285737D78F5A268B
SHA256:0B171DDD8ED3B55BD907FBDD7577A59774E0915A909127029D07CCC84BC7429B
532keylogger.exeC:\Users\admin\AppData\Local\Temp\_MEI5322\api-ms-win-core-localization-l1-2-0.dllexecutable
MD5:4FE440D0E1A94A6EDF0082B898A90A23
SHA256:E7BC70DEB2906C8DA619ED47875CDD3BA3773C0B51F364D72E614E12D8FAA099
532keylogger.exeC:\Users\admin\AppData\Local\Temp\_MEI5322\_socket.pydexecutable
MD5:8110278FC119B04E482A97995027C1D3
SHA256:97B02EE9818260D0FA01170BDE0B51382698E5C02E88C596B9622EB49979E4BC
532keylogger.exeC:\Users\admin\AppData\Local\Temp\_MEI5322\VCRUNTIME140.dllexecutable
MD5:2EBF45DA71BD8EF910A7ECE7E4647173
SHA256:CF39E1E81F57F42F4D60ABC1D30ECF7D773E576157AA88BBC1D672BF5AD9BB8B
532keylogger.exeC:\Users\admin\AppData\Local\Temp\_MEI5322\_lzma.pydexecutable
MD5:FCBCEB644F1D31EF3EE573BCA0A11601
SHA256:1B597EEB44FE2986E85C9C501670B88C267B8CDDBB453FCC5832F609080F13FC
532keylogger.exeC:\Users\admin\AppData\Local\Temp\_MEI5322\api-ms-win-core-file-l2-1-0.dllexecutable
MD5:4F4674D75B05EC0F1709657FFD1721C4
SHA256:7D2CF4E557B704D5488CB5C8EABAD9B87BCA6B56FCDAC4B88F5A3181215C8A85
532keylogger.exeC:\Users\admin\AppData\Local\Temp\_MEI5322\api-ms-win-core-datetime-l1-1-0.dllexecutable
MD5:5788A05D60D71C86902FD6C53BBC8B69
SHA256:55E376DE2F524DEC126D84D1EF1D2B05FA0AB7E4055904ADF19384D6272D465C
532keylogger.exeC:\Users\admin\AppData\Local\Temp\_MEI5322\_hashlib.pydexecutable
MD5:CD63FE1D1D0932A10D26BB1C83BABE7F
SHA256:CBBF64E3CA0C746539F276A675763E62B2FC43E3D7AC9DC03A9D17CFD978DE87
532keylogger.exeC:\Users\admin\AppData\Local\Temp\_MEI5322\api-ms-win-core-file-l1-2-0.dllexecutable
MD5:652C7CB040B1C20E19E1B821F3F24459
SHA256:5BEF7C226A29987A90075A393E85D0BA86DDD156A7FCEAEB364D293CD3905E5A
532keylogger.exeC:\Users\admin\AppData\Local\Temp\_MEI5322\_ctypes.pydexecutable
MD5:6264E928D931BD665FEBEDA1D1B15117
SHA256:A12FC926903B095C7CDE1C020B2519428845F485FF5964C296667246B2E0F262
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
keylogger.exe