| File name: | 7ab1efd728486ab6a006f5d4bd421291e0fdffe00ffca619c0b5560f02ff050b |
| Full analysis: | https://app.any.run/tasks/5ef56896-5168-4072-8e58-efd4f821fdc0 |
| Verdict: | Malicious activity |
| Threats: | A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. |
| Analysis date: | May 19, 2025, 05:59:59 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | 84FE8A7E73BFFFA2871596209D193FDB |
| SHA1: | F6CAD6D282F5BD84EEEA4BDD1364B789CB52D2EC |
| SHA256: | 7AB1EFD728486AB6A006F5D4BD421291E0FDFFE00FFCA619C0B5560F02FF050B |
| SSDEEP: | 96:0ffwbcpDHVvx3BvI58sQy6J8XvnT/fmZVFB2zo3OGKuJfdcL7PhmygI7lOtnAhw1:g51fxvMP6p8+1s7bcGbyt+83J |
MALICIOUS
Generic archive extractor
- WinRAR.exe (PID: 4424)
Opens an HTTP connection (SCRIPT)
- wscript.exe (PID: 4428)
Sends HTTP request (SCRIPT)
- wscript.exe (PID: 4428)
Creates internet connection object (SCRIPT)
- wscript.exe (PID: 4428)
Run PowerShell with an invisible window
- powershell.exe (PID: 6388)
Downloads the requested resource (POWERSHELL)
- powershell.exe (PID: 6388)
SNAKEKEYLOGGER has been detected (SURICATA)
- MSBuild.exe (PID: 728)
Actions looks like stealing of personal data
- MSBuild.exe (PID: 728)
Steals credentials from Web Browsers
- MSBuild.exe (PID: 728)
Dynamically loads an assembly (POWERSHELL)
- powershell.exe (PID: 6388)
SUSPICIOUS
Executes script without checking the security policy
- powershell.exe (PID: 6388)
The process bypasses the loading of PowerShell profile settings
- wscript.exe (PID: 4428)
Probably obfuscated PowerShell command line is found
- wscript.exe (PID: 4428)
Starts POWERSHELL.EXE for commands execution
- wscript.exe (PID: 4428)
Base64-obfuscated command line is found
- wscript.exe (PID: 4428)
Runs shell command (SCRIPT)
- wscript.exe (PID: 4428)
Possibly malicious use of IEX has been detected
- wscript.exe (PID: 4428)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 6388)
Potential Corporate Privacy Violation
- wscript.exe (PID: 4428)
- powershell.exe (PID: 6388)
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 4424)
Executing commands from a ".bat" file
- WinRAR.exe (PID: 4424)
Starts CMD.EXE for commands execution
- WinRAR.exe (PID: 4424)
- powershell.exe (PID: 6388)
Likely accesses (executes) a file from the Public directory
- cmd.exe (PID: 1040)
Checks for external IP
- MSBuild.exe (PID: 728)
- svchost.exe (PID: 2196)
The process verifies whether the antivirus software is installed
- MSBuild.exe (PID: 728)
Possible usage of Discord/Telegram API has been detected (YARA)
- MSBuild.exe (PID: 728)
INFO
Manual execution by a user
- wscript.exe (PID: 4428)
Checks proxy server information
- wscript.exe (PID: 4428)
- powershell.exe (PID: 6388)
- MSBuild.exe (PID: 728)
- slui.exe (PID: 1388)
Converts byte array into Unicode string (POWERSHELL)
- powershell.exe (PID: 6388)
Uses string replace method (POWERSHELL)
- powershell.exe (PID: 6388)
Disables trace logs
- powershell.exe (PID: 6388)
- MSBuild.exe (PID: 728)
Found Base64 encoded reflection usage via PowerShell (YARA)
- powershell.exe (PID: 6388)
Checks supported languages
- MpCmdRun.exe (PID: 4620)
- MSBuild.exe (PID: 728)
Reads the computer name
- MpCmdRun.exe (PID: 4620)
- MSBuild.exe (PID: 728)
Create files in a temporary directory
- MpCmdRun.exe (PID: 4620)
Found Base64 encoded text manipulation via PowerShell (YARA)
- powershell.exe (PID: 6388)
Gets data length (POWERSHELL)
- powershell.exe (PID: 6388)
Reads the software policy settings
- MSBuild.exe (PID: 728)
- slui.exe (PID: 1388)
Reads the machine GUID from the registry
- MSBuild.exe (PID: 728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2025:05:18 20:33:24 |
| ZipCRC: | 0x70c59353 |
| ZipCompressedSize: | 4583 |
| ZipUncompressedSize: | 358299 |
| ZipFileName: | inquiry.19.05.2025.js |
Total processes
137
Monitored processes
12
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 664 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR4424.23261\Rar$Scan14722.bat" " | C:\Windows\System32\cmd.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 728 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: MSBuild.exe Version: 4.8.9037.0 built by: NET481REL1 Modules
| |||||||||||||||
| 1040 | "C:\Windows\System32\cmd.exe" /C copy *.js "C:\Users\Public\Downloads\dogsitting.js" | C:\Windows\System32\cmd.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1388 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2552 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4424 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\7ab1efd728486ab6a006f5d4bd421291e0fdffe00ffca619c0b5560f02ff050b.zip | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 4428 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\inquiry.19.05.2025.js | C:\Windows\System32\wscript.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 4620 | "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR4424.23261" | C:\Program Files\Windows Defender\MpCmdRun.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Malware Protection Command Line Utility Exit code: 2 Version: 4.18.1909.6 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4988 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
18 259
Read events
18 234
Write events
25
Delete events
0
Modification events
| (PID) Process: | (4424) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (4424) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (4424) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (4424) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\7ab1efd728486ab6a006f5d4bd421291e0fdffe00ffca619c0b5560f02ff050b.zip | |||
| (PID) Process: | (4424) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (4424) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (4424) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (4424) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (4428) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe |
| Operation: | write | Name: | JScriptSetScriptStateStarted |
Value: 11E0100000000000 | |||
| (PID) Process: | (4424) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan |
| Operation: | write | Name: | DefScanner |
Value: Windows Defender | |||
Executable files
0
Suspicious files
2
Text files
4
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6388 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fvopoedj.gj4.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4424 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR4424.23261\Rar$Scan14722.bat | text | |
MD5:7613BAA8F5ABEDA4AD99ECED52478917 | SHA256:368C30F557A5867317406EEEA79A052495B9473C2280BCF9B91B8DEDB88A1684 | |||
| 6388 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_m0wgactq.2mx.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4620 | MpCmdRun.exe | C:\Users\admin\AppData\Local\Temp\MpCmdRun.log | binary | |
MD5:F4CF961C05A633BB936C784CA549ACE3 | SHA256:96C81521DDEB10E8A364F47F00888C088C590AE461BA7497B1662F76453E7C0E | |||
| 6388 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:910B22C815BF6E0A0459CF9EDA12AF3F | SHA256:6FD7D7BCF1F153983CE770711A3219B252B36FBA4D0A1E60A6DF262FD640B59B | |||
| 4424 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR4424.23261\7ab1efd728486ab6a006f5d4bd421291e0fdffe00ffca619c0b5560f02ff050b.zip\inquiry.19.05.2025.js | text | |
MD5:CDE371BF7FAF6C46EDDDD00058BD0530 | SHA256:F8080402AF500A80BB022BE1749A7D4DC026D6FDF877FBD5E0A139BD7EC561CE | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
59
DNS requests
22
Threats
18
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2104 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4628 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2104 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4428 | wscript.exe | GET | 301 | 23.186.113.60:80 | http://paste.ee/d/CwbSUEni/0 | unknown | — | — | shared |
4408 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
4408 | SIHClient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
6388 | powershell.exe | GET | 301 | 23.186.113.60:80 | http://paste.ee/d/H65haWFV/0 | unknown | — | — | shared |
4408 | SIHClient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | — | — | whitelisted |
4408 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
4408 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4628 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
2104 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2104 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4628 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4428 | wscript.exe | 23.186.113.60:80 | paste.ee | — | — | shared |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
paste.ee |
| shared |
login.live.com |
| whitelisted |
archive.org |
| whitelisted |
dn721509.ca.archive.org |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2196 | svchost.exe | Misc activity | ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee) |
4428 | wscript.exe | Potential Corporate Privacy Violation | ET INFO Pastebin-style Service (paste .ee) in TLS SNI |
— | — | A Network Trojan was detected | LOADER [ANY.RUN] Suspicious WinHttp Connection (paste .ee) |
— | — | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0) |
— | — | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0) |
— | — | A Network Trojan was detected | PAYLOAD [ANY.RUN] Base64 encoded PE EXE file inside JPEG image |
— | — | A Network Trojan was detected | PAYLOAD [ANY.RUN] Stegocampaign Jpeg with base64 added (TA558) |
— | — | A Network Trojan was detected | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 |
6388 | powershell.exe | Potential Corporate Privacy Violation | ET INFO Pastebin-style Service (paste .ee) in TLS SNI |
— | — | Potentially Bad Traffic | PAYLOAD [ANY.RUN] Reverse Base64 Encoded EXE Inbound |