File name: | Poenix Keylogger AIO.zip |
Full analysis: | https://app.any.run/tasks/9215283f-14fe-4f1f-b7ae-b17ff5385347 |
Verdict: | Malicious activity |
Analysis date: | January 25, 2022, 03:33:19 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 8A661305BC62C4EE76EAEF71C9965BDC |
SHA1: | 9F01A1DA2AF1002B0930A664D0043E5C79E501AC |
SHA256: | DF9ECD91B0D24A1D0AD7F75A48D32DFEB9DD2453005C7A42BDF9B49C81A33DD5 |
SSDEEP: | 196608:XyP8g/e62p1vo+zBYcOHx52yF0ev9+9rGdUlufPV4ZCK46qYfgFbaqJH4YafJ27r:ie68hVdXwUiUlunuh46IaqLATEP |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | None |
ZipModifyDate: | 2020:01:06 14:13:05 |
ZipCRC: | 0x00000000 |
ZipCompressedSize: | - |
ZipUncompressedSize: | - |
ZipFileName: | Poenix Keylogger AIO/ |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2252 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Poenix Keylogger AIO.zip" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 | ||||
2716 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\system32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211) | ||||
2088 | "C:\Users\admin\Desktop\Poenix Keylogger AIO\px__p.exe" | C:\Users\admin\Desktop\Poenix Keylogger AIO\px__p.exe | — | Explorer.EXE |
User: admin Company: Phoenix Keylogger Integrity Level: MEDIUM Description: Phoenix Keylogger Exit code: 3221226540 Version: 2.1.0.0 | ||||
3388 | "C:\Users\admin\Desktop\Poenix Keylogger AIO\px__p.exe" | C:\Users\admin\Desktop\Poenix Keylogger AIO\px__p.exe | Explorer.EXE | |
User: admin Company: Phoenix Keylogger Integrity Level: HIGH Description: Phoenix Keylogger Exit code: 3489660927 Version: 2.1.0.0 | ||||
2912 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\admin\AppData\Local\Temp\hl3iyhcv.cmdline" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | px__p.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Visual Basic Command Line Compiler Exit code: 0 Version: 12.0.51209.34209 | ||||
1784 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES20DF.tmp" "C:\Users\admin\AppData\Local\Temp\vbc76545414DBDF4E32A9A58EF5BD7CFA.TMP" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | — | vbc.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft� Resource File To COFF Object Conversion Utility Exit code: 0 Version: 12.00.51209.34209 built by: FX452RTMGDR | ||||
1656 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | — |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3368 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2252) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2252) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2252) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2252) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
(PID) Process: | (2252) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
(PID) Process: | (2252) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Poenix Keylogger AIO.zip | |||
(PID) Process: | (1656) Explorer.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList |
Operation: | write | Name: | MRUList |
Value: a | |||
(PID) Process: | (2252) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2252) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2252) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.26721\Poenix Keylogger AIO\PeebCore.dll | executable | |
MD5:128A51A403DDD07999E03E3A36D96579 | SHA256:90F882851DF247E60CEF36644E63A7927B243FC8F81B5CCB1ECFF8E9564D81F2 | |||
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.26721\Poenix Keylogger AIO\key.txt | text | |
MD5:F85BED186EDCDA64396F03C39C0CEAD3 | SHA256:FE5A222BEF09901D2391BC64951E0514A7BBE5ACC562034D428305557AC37D20 | |||
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.26721\Poenix Keylogger AIO\IconExtractor.dll | executable | |
MD5:36B46C48D2FBCDF839F0BB96BA20B386 | SHA256:02707BE9D1E86187D99ED2DC91DF6335D093FBEC1EE4B65B5DC16161615EC2F9 | |||
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.26721\Poenix Keylogger AIO\MetroFramework.dll | executable | |
MD5:34EA7F7D66563F724318E322FF08F4DB | SHA256:C2C12D31B4844E29DE31594FC9632A372A553631DE0A0A04C8AF91668E37CF49 | |||
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.26721\Poenix Keylogger AIO\dnlib.dll | executable | |
MD5:754A721EE1F1869394EC24212BBD7F30 | SHA256:A07EAF627F7CE270B0622DAD29BFCD6F8A9BC49701802F4ED2455FFEE7BC7307 | |||
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.26721\Poenix Keylogger AIO\MetroSet UI.dll | odttf | |
MD5:996E8CA6FFB661DB1822B8EE73A49391 | SHA256:D405509CDD2B02CE0BD3E2087EEB9F55644B25C6269F743FF1F1B3BD0DAD526E | |||
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.26721\Poenix Keylogger AIO\MetroFramework.Fonts.dll | executable | |
MD5:65EF4B23060128743CEF937A43B82AA3 | SHA256:C843869AACA5135C2D47296985F35C71CA8AF4431288D04D481C4E46CC93EE26 | |||
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.26721\Poenix Keylogger AIO\MetroFramework.Design.dll | executable | |
MD5:AB4C3529694FC8D2427434825F71B2B8 | SHA256:0A4A96082E25767E4697033649B16C76A652E120757A2CECAB8092AD0D716B65 | |||
3388 | px__p.exe | C:\Users\admin\AppData\Local\Temp\evb144A.tmp | executable | |
MD5:F42B53932C92BFF192EAEE9349845421 | SHA256:FF9B106F1B6B72881AACDE0AB84CEF2BB5870E57F6A0459EA7DD15D3CDBCD65E | |||
3388 | px__p.exe | C:\Users\admin\AppData\Local\Temp\evb13C9.tmp | executable | |
MD5:5432FD5BE3C50427082EE5CE5029D019 | SHA256:2F411C2B6935C46E2877AC1FA0BAB8D1B0FA481DA890B10A2B0133424709A795 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3388 | px__p.exe | 104.26.3.183:443 | cracked.to | Cloudflare Inc | US | suspicious |
Domain | IP | Reputation |
---|---|---|
cracked.to |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query for .to TLD |