File name: keylogger.exe

Full analysis: https://app.any.run/tasks/849ae6c3-1ddd-4c52-a2dc-d5d97902f19f
Verdict: Malicious activity
Analysis date: February 05, 2024, 21:28:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: python
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5: 2252D22159BEE226D369476F40A36AAF
SHA1: E6D71C86BDA19AA9BFACE3A3FA283408D5E9B85D
SHA256: 556F39B521FF9CBA0B5C3BF77526B55995F03614A4D2E924D30AC5532BB3758B
SSDEEP: 98304:TWBtKGhFrBlPb8CR9J3tTI8duMEP4w2PXYitK+17API5EQNwHcjyjCkNl5HfXGse:o86HflHrTT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • keylogger.exe (PID: 532)
  • SUSPICIOUS

    • The process drops C-runtime libraries

      • keylogger.exe (PID: 532)
    • Executable content was dropped or overwritten

      • keylogger.exe (PID: 532)
    • Process drops legitimate windows executable

      • keylogger.exe (PID: 532)
    • Application launched itself

      • keylogger.exe (PID: 532)
    • Loads Python modules

      • keylogger.exe (PID: 1652)
    • Starts CMD.EXE for commands execution

      • keylogger.exe (PID: 1652)
  • INFO

    • Checks supported languages

      • keylogger.exe (PID: 532)
      • keylogger.exe (PID: 1652)
    • Reads the computer name

      • keylogger.exe (PID: 532)
    • Create files in a temporary directory

      • keylogger.exe (PID: 532)
    • Reads the machine GUID from the registry

      • keylogger.exe (PID: 1652)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:10:20 17:40:28+02:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.34
CodeSize: 151552
InitializedDataSize: 86016
UninitializedDataSize: -
EntryPoint: 0x99e0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows command line
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process tree shown in the report: start -> keylogger.exe (PID 532) -> keylogger.exe (PID 1652, no specs) -> cmd.exe (no specs)

Process information

PID: 532
CMD: "C:\Users\admin\AppData\Local\Temp\keylogger.exe"
Path: C:\Users\admin\AppData\Local\Temp\keylogger.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\keylogger.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\apphelp.dll

PID: 1632
CMD: C:\Windows\system32\cmd.exe /c cls
Path: C:\Windows\System32\cmd.exe
Parent process: keylogger.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 1652
CMD: "C:\Users\admin\AppData\Local\Temp\keylogger.exe"
Path: C:\Users\admin\AppData\Local\Temp\keylogger.exe
Parent process: keylogger.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\keylogger.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\users\admin\appdata\local\temp\_mei5322\ucrtbase.dll
Total events: 44
Read events: 44
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 52
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

532 | keylogger.exe | C:\Users\admin\AppData\Local\Temp\_MEI5322\VCRUNTIME140.dll | executable
MD5: 2EBF45DA71BD8EF910A7ECE7E4647173
SHA256: CF39E1E81F57F42F4D60ABC1D30ECF7D773E576157AA88BBC1D672BF5AD9BB8B

532 | keylogger.exe | C:\Users\admin\AppData\Local\Temp\_MEI5322\_ssl.pyd | executable
MD5: D4B663EA8B57FABB82A862041380BB5B
SHA256: AFCE038CA36589040C5DCD1476CF53329DCE3E6A592A10DD71D1A456D7244591

532 | keylogger.exe | C:\Users\admin\AppData\Local\Temp\_MEI5322\_ctypes.pyd | executable
MD5: 6264E928D931BD665FEBEDA1D1B15117
SHA256: A12FC926903B095C7CDE1C020B2519428845F485FF5964C296667246B2E0F262

532 | keylogger.exe | C:\Users\admin\AppData\Local\Temp\_MEI5322\_socket.pyd | executable
MD5: 8110278FC119B04E482A97995027C1D3
SHA256: 97B02EE9818260D0FA01170BDE0B51382698E5C02E88C596B9622EB49979E4BC

532 | keylogger.exe | C:\Users\admin\AppData\Local\Temp\_MEI5322\_hashlib.pyd | executable
MD5: CD63FE1D1D0932A10D26BB1C83BABE7F
SHA256: CBBF64E3CA0C746539F276A675763E62B2FC43E3D7AC9DC03A9D17CFD978DE87

532 | keylogger.exe | C:\Users\admin\AppData\Local\Temp\_MEI5322\_lzma.pyd | executable
MD5: FCBCEB644F1D31EF3EE573BCA0A11601
SHA256: 1B597EEB44FE2986E85C9C501670B88C267B8CDDBB453FCC5832F609080F13FC

532 | keylogger.exe | C:\Users\admin\AppData\Local\Temp\_MEI5322\api-ms-win-core-file-l1-2-0.dll | executable
MD5: 652C7CB040B1C20E19E1B821F3F24459
SHA256: 5BEF7C226A29987A90075A393E85D0BA86DDD156A7FCEAEB364D293CD3905E5A

532 | keylogger.exe | C:\Users\admin\AppData\Local\Temp\_MEI5322\api-ms-win-core-heap-l1-1-0.dll | executable
MD5: A5838BBDF6D1EE7B805B6416D785883D
SHA256: 7030F292DBF5CE41A68122F5CE2E546AED974278537461A447ED18E7EE3317D2

532 | keylogger.exe | C:\Users\admin\AppData\Local\Temp\_MEI5322\api-ms-win-core-interlocked-l1-1-0.dll | executable
MD5: 8D9C2D7BC9FCA151C08FDB9AFA805219
SHA256: C9C8DFD8D0855E576B4E06C8BC50078001712D20802E636A98011020B16FDB69

532 | keylogger.exe | C:\Users\admin\AppData\Local\Temp\_MEI5322\api-ms-win-core-debug-l1-1-0.dll | executable
MD5: 61CE260A4D0392C9AE16B01801E49A9A
SHA256: 2170B1D9C435B13320855CA5B2F443251AF5785B98B1D9536F039D1309304E62
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown

DNS requests

No data

Threats

No threats detected
No debug info