File name: Keygen.exe
Full analysis: https://app.any.run/tasks/f19d67b8-cf2b-4949-bd64-0b58d7bad8e7
Verdict: Malicious activity
Analysis date: October 05, 2022, 04:00:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 3025F76F21EB7F7D162F6EF41D76E5F4
SHA1: 63AC89B44C2B79124A92160F0AE219F358E55117
SHA256: ECD1258621BC2A3BBA4F47FD7BB31F62F98F77C6973218574E0D34EB38987C3A
SSDEEP: 3072:fpTeTHV14yehiPGjM/KfrXriuE7rQbP4uru0Pu0kyL:f6V1ZehiByDXriV7rOzru0Pu0H

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Checks supported languages
      • Keygen.exe (PID: 3556)
    • Reads the computer name
      • Keygen.exe (PID: 3556)
  • INFO
    • Reads the computer name
      • opera.exe (PID: 2208)
    • Check for Java to be installed
      • opera.exe (PID: 2208)
    • Checks supported languages
      • opera.exe (PID: 2208)
    • Manual execution by user
      • opera.exe (PID: 2208)
    • Creates files in the user directory
      • opera.exe (PID: 2208)
    • Reads the date of Windows installation
      • opera.exe (PID: 2208)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (45.1)
.exe | Win32 Executable MS Visual C++ (generic) (19.2)
.exe | Win64 Executable (generic) (17)
.scr | Windows screen saver (8)
.dll | Win32 Dynamic Link Library (generic) (4)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2077-Feb-13 18:32:04
Debug artifacts:
  • MobaXterm_Keygen.pdb
Comments: Keygen for MobaXterm Software
CompanyName: DeFconX
FileDescription: MobaXterm_Keygen
FileVersion: 1.5.0.0
InternalName: MobaXterm_Keygen.exe
LegalCopyright: Copyright © 2019
LegalTrademarks: DeltaFoX
OriginalFilename: MobaXterm_Keygen.exe
ProductName: MobaXterm_Keygen
ProductVersion: 1.5.0.0
Assembly Version: 1.5.0.0

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 128

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 4
TimeDateStamp: 2077-Feb-13 18:32:04
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 8192 | 134548 | 134656 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.33685
.sdata | 147456 | 354 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.99749
.rsrc | 155648 | 39408 | 39424 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.93202
.reloc | 196608 | 12 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.19256 | 16936 | UNKNOWN | UNKNOWN | RT_ICON
2 | 3.27987 | 9640 | UNKNOWN | UNKNOWN | RT_ICON
3 | 3.60944 | 4264 | UNKNOWN | UNKNOWN | RT_ICON
4 | 3.77446 | 2440 | UNKNOWN | UNKNOWN | RT_ICON
5 | 4.01242 | 1128 | UNKNOWN | UNKNOWN | RT_ICON
32512 | 2.79808 | 76 | UNKNOWN | UNKNOWN | RT_GROUP_ICON
1 (#2) | 3.35641 | 944 | UNKNOWN | UNKNOWN | RT_VERSION
1 (#3) | 4.988 | 3481 | UNKNOWN | UNKNOWN | RT_MANIFEST

Imports

mscoree.dll
No data.
Total processes: 42
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Processes shown in the graph: start, keygen.exe (no specs), keygen.exe, opera.exe

Process information

PID: 2968
CMD: "C:\Users\admin\Desktop\Keygen.exe"
Path: C:\Users\admin\Desktop\Keygen.exe
Parent process: Explorer.EXE
User: admin
Company: DeFconX
Integrity Level: MEDIUM
Description: MobaXterm_Keygen
Exit code: 3221226540
Version: 1.5.0.0
Modules (images):
  • c:\users\admin\desktop\keygen.exe
  • c:\windows\system32\ntdll.dll

PID: 3556
CMD: "C:\Users\admin\Desktop\Keygen.exe"
Path: C:\Users\admin\Desktop\Keygen.exe
Parent process: Explorer.EXE
User: admin
Company: DeFconX
Integrity Level: HIGH
Description: MobaXterm_Keygen
Exit code: 0
Version: 1.5.0.0
Modules (images):
  • c:\users\admin\desktop\keygen.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2208
CMD: "C:\Program Files\Opera\opera.exe"
Path: C:\Program Files\Opera\opera.exe
Parent process: Explorer.EXE
User: admin
Company: Opera Software
Integrity Level: MEDIUM
Description: Opera Internet Browser
Version: 1748
Modules (images):
  • c:\program files\opera\opera.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\psapi.dll
  • c:\windows\system32\wintrust.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\msasn1.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
Total events: 2 814
Read events: 2 636
Write events: 175
Delete events: 3

Modification events

(PID) Process: (3556) Keygen.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
Operation: write
Name: 4
Value: 4B0065007900670065006E002E006500780065000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000

(PID) Process: (3556) Keygen.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value: 0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202

(PID) Process: (3556) Keygen.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx
Value: 02000000010000000D0000000C000000000000000B00000007000000060000000A0000000900000008000000030000000500000004000000FFFFFFFF

(PID) Process: (3556) Keygen.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
Operation: write
Name: TV_FolderType
Value: {FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}

(PID) Process: (3556) Keygen.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
Operation: write
Name: TV_TopViewID
Value: {82BA0782-5B7A-4569-B5D7-EC83085F08CC}

(PID) Process: (3556) Keygen.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
Operation: write
Name: TV_TopViewVersion
Value: 0

(PID) Process: (3556) Keygen.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3556) Keygen.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Operation: write
Name: Mode
Value: 4

(PID) Process: (3556) Keygen.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Operation: write
Name: LogicalViewMode
Value: 1

(PID) Process: (3556) Keygen.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Operation: write
Name: FFlags
Value:
Executable files: 0
Suspicious files: 126
Text files: 519
Unknown types: 53

Dropped files

PID | Process | Filename | Type
3556 | Keygen.exe | C:\Users\admin\Desktop\Custom.mxtpro | compressed
MD5: DD6D2CA41A441D11027F91451A856A15
SHA256: D69FF09E584C3327AEA7BA4562E3A97E1DFD4B8BE0B02E1FB72208C1CE82B2C1
2208 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml | xml
MD5: 08F05F620F9F4049A97610363C6C2DCC
SHA256: 868C842FC50C0F0671BCEDE3FC8B977F351A2563816ACB4C26650F6C5EB4FA1B
2208 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat | binary
MD5: 34A47B3F0E13921F4185399BAE9F953A
SHA256: 476247F358B2AECB238A84695FDFA5CD8415B36C7590A7381E18DFDFC57487C0
2208 | opera.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms | binary
MD5: 3F7590FD56AC999E0289444034C9CC80
SHA256: 632F80B7AD1F589FE608EF8546E3E7D1B0501A9EC3E38C0140EA1C10ED3E602B
2208 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr25C3.tmp | text
MD5: 4A64448A88EBCD1FB7871D2794F5769C
SHA256: 14F6D535FAB38EE25D2AE94690902A26E5202474EA5B73248808FAFD4ED42884
2208 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr2613.tmp | xml
MD5: 08F05F620F9F4049A97610363C6C2DCC
SHA256: 868C842FC50C0F0671BCEDE3FC8B977F351A2563816ACB4C26650F6C5EB4FA1B
2208 | opera.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MCSSJG7K0A7ZCY8VFOPJ.temp | binary
MD5: 3F7590FD56AC999E0289444034C9CC80
SHA256: 632F80B7AD1F589FE608EF8546E3E7D1B0501A9EC3E38C0140EA1C10ED3E602B
2208 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini | text
MD5: 4A64448A88EBCD1FB7871D2794F5769C
SHA256: 14F6D535FAB38EE25D2AE94690902A26E5202474EA5B73248808FAFD4ED42884
2208 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opcert6.dat | binary
MD5: 1AA8644C9261DC10F7247F6A145C1DD2
SHA256: 58A8933F65361633C6AB194000D312DC9D566F717B1A16814A0DBEE24A60EBE3
2208 | opera.exe | C:\Users\admin\AppData\Local\Opera\Opera\icons\www.google.com.idx | text
MD5: 4F4CA76D4EBCCC01C2AAE012ECB922DA
SHA256: A91C9BD9D991AD4C0CC89AAAAE56597A0D915B05FF117829895D300A50FC1A61
HTTP(S) requests: 82
TCP/UDP connections: 333
DNS requests: 82
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2208 | opera.exe | GET | 302 | 142.250.186.163:80 | http://www.google.com.ua/search?q=anonfile+upload&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest | US | html | 411 b | whitelisted
2208 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 592 b | whitelisted
2208 | opera.exe | GET | 302 | 142.250.186.163:80 | http://www.google.com.ua/search?q=anonfile+upload&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest&google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D1250dd52f2868f87:TM%3D1664942482:C%3Dr:IP%3D185.192.70.91-:S%3D44ex6HXd9eiUC3QrMEvuXP0%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DWed,+05-Oct-2022+07:01:22+GMT | US | html | 311 b | whitelisted
2208 | opera.exe | GET | 429 | 172.217.16.132:80 | http://www.google.com/sorry/index?continue=http://www.google.com.ua/search%3Fq%3Danonfile%2Bupload%26sourceid%3Dopera%26ie%3Dutf-8%26oe%3Dutf-8%26channel%3Dsuggest&q=EgS5wEZbGIOD9JkGIhABPT9Xmbiqkq_LB-NLhRdMMgFy | US | html | 3.15 Kb | whitelisted
2208 | opera.exe | GET | 200 | 142.250.186.110:80 | http://clients1.google.com/complete/search?q=anonfil&client=opera-suggest-omnibox&hl=de | US | text | 153 b | whitelisted
2208 | opera.exe | GET | 200 | 142.250.186.110:80 | http://clients1.google.com/complete/search?q=anonfile+up&client=opera-suggest-omnibox&hl=de | US | text | 83 b | whitelisted
2208 | opera.exe | GET | 302 | 142.250.186.163:80 | http://www.google.com.ua/search?q=anonfile+upload&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest | US | html | 327 b | whitelisted
2208 | opera.exe | GET | 200 | 142.250.185.131:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCpbPuMmAsCyAoOaOAsy8qO | US | der | 472 b | whitelisted
2208 | opera.exe | GET | 200 | 142.250.186.110:80 | http://clients1.google.com/complete/search?q=anonfile&client=opera-suggest-omnibox&hl=de | US | text | 152 b | whitelisted
2208 | opera.exe | GET | 200 | 142.250.185.131:80 | http://crl.pki.goog/gtsr1/gtsr1.crl | US | der | 760 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2208 | opera.exe | 142.250.186.110:80 | clients1.google.com | GOOGLE | US | whitelisted
2208 | opera.exe | 185.26.182.93:80 | certs.opera.com | Opera Software AS | - | whitelisted
2208 | opera.exe | 185.26.182.94:443 | certs.opera.com | Opera Software AS | - | whitelisted
2208 | opera.exe | 93.184.220.29:80 | crl3.digicert.com | EDGECAST | GB | whitelisted
2208 | opera.exe | 172.217.16.132:443 | www.google.com | GOOGLE | US | whitelisted
2208 | opera.exe | 142.250.186.163:80 | www.google.com.ua | GOOGLE | US | whitelisted
2208 | opera.exe | 172.217.16.132:80 | www.google.com | GOOGLE | US | whitelisted
2208 | opera.exe | 142.250.74.195:443 | www.gstatic.com | GOOGLE | US | whitelisted
2208 | opera.exe | 142.250.185.131:80 | ocsp.pki.goog | GOOGLE | US | whitelisted
2208 | opera.exe | 172.217.16.195:443 | fonts.gstatic.com | GOOGLE | US | whitelisted

DNS requests

Domain | IP | Reputation
certs.opera.com | 185.26.182.94, 185.26.182.93 | whitelisted
crl3.digicert.com | 93.184.220.29 | whitelisted
clients1.google.com | 142.250.186.110 | whitelisted
www.google.com.ua | 142.250.186.163 | whitelisted
sitecheck2.opera.com | 185.26.182.93, 185.26.182.111, 185.26.182.112, 185.26.182.94, 185.26.182.106, 185.26.182.118 | whitelisted
www.google.com | 172.217.16.132 | whitelisted
ocsp.pki.goog | 142.250.185.131 | whitelisted
crl.pki.goog | 142.250.185.131 | whitelisted
www.gstatic.com | 142.250.74.195 | whitelisted
fonts.gstatic.com | 172.217.16.195 | whitelisted

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET DNS Query for .to TLD
2208 | opera.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
2208 | opera.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
2208 | opera.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
- | - | Potentially Bad Traffic | ET INFO Commonly Abused File Sharing Domain in DNS Lookup (filetransfer .io)
2208 | opera.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
2208 | opera.exe | Potentially Bad Traffic | ET INFO Commonly Abused File Sharing Domain (filetransfer .io in TLS SNI)
2208 | opera.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
2208 | opera.exe | Potentially Bad Traffic | ET INFO Commonly Abused File Sharing Domain (filetransfer .io in TLS SNI)
2208 | opera.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
3 ETPRO signatures available at the full report
No debug info