File name: 5950cae333c176be28ffd3868a5ebdf34db6e8705f58af62044ceb2d0538a5c6

Full analysis: https://app.any.run/tasks/91a9c472-1fea-4e21-be8e-696e9f316aef
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that, once it infects a system, records every keystroke made on the device. This lets attackers collect victims' personal information, including online banking credentials and private conversations. The most common infection vector is a phishing email or link. Keylogging is also frequently bundled into remote access trojans as one capability in a larger set of malicious tools.

Analysis date: March 25, 2025, 02:14:57
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
evasion
snake
keylogger
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: ACC557E15D2E6B9C547B101A60A73851
SHA1: 11A104F3FEC39A67C7DC07118893C21BECD98DE5
SHA256: 5950CAE333C176BE28FFD3868A5EBDF34DB6E8705F58AF62044CEB2D0538A5C6
SSDEEP: 24576:hadWGKNX2fnxeJtjR9k0bjFM+MlvoApZkHDOTyaO2eK4V+Vz/9:hadWGKNX2fnxeJtjRq0bpM+MlvowZkHk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 5512)
    • Steals credentials from Web Browsers

      • RegSvcs.exe (PID: 1348)
    • SNAKEKEYLOGGER has been detected (SURICATA)

      • RegSvcs.exe (PID: 1348)
    • SNAKE has been detected (YARA)

      • RegSvcs.exe (PID: 1348)
    • Actions look like stealing of personal data

      • RegSvcs.exe (PID: 1348)
  • SUSPICIOUS

    • Executes application which crashes

      • SHO240908,1105,1202,1204.exe (PID: 1760)
    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 5512)
    • The process checks whether antivirus software is installed

      • RegSvcs.exe (PID: 1348)
    • Checks for external IP

      • svchost.exe (PID: 2196)
      • RegSvcs.exe (PID: 1348)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 5512)
    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 5512)
  • INFO

    • Reads mouse settings

      • SHO240908,1105,1202,1204.exe (PID: 1760)
    • Creates files in a temporary directory

      • SHO240908,1105,1202,1204.exe (PID: 1760)
      • MpCmdRun.exe (PID: 4112)
    • Reads the machine GUID from the registry

      • RegSvcs.exe (PID: 1348)
    • Reads the computer name

      • RegSvcs.exe (PID: 1348)
      • MpCmdRun.exe (PID: 4112)
    • Manual execution by a user

      • SHO240908,1105,1202,1204.exe (PID: 1760)
    • Checks proxy server information

      • RegSvcs.exe (PID: 1348)
      • slui.exe (PID: 3884)
    • Checks supported languages

      • RegSvcs.exe (PID: 1348)
      • SHO240908,1105,1202,1204.exe (PID: 1760)
      • MpCmdRun.exe (PID: 4112)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 896)
    • Disables trace logs

      • RegSvcs.exe (PID: 1348)
    • Reads the software policy settings

      • RegSvcs.exe (PID: 1348)
      • slui.exe (PID: 3884)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5512)
    • The sample was compiled with English language support

      • WinRAR.exe (PID: 5512)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

SnakeKeylogger

(PID) Process: (1348) RegSvcs.exe
Keys
  DES: 6fc98cd68a1aab8b
Options
  Telegram Bot Token: 7939905545:AAGZ8bMeWRWU5UEZdgj90fd6BDk9K4EMabA
  Telegram Chat ID: 7000018009

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:03:25 00:59:38
ZipCRC: 0x3b4f82bf
ZipCompressedSize: 567039
ZipUncompressedSize: 994304
ZipFileName: SHO240908,1105,1202,1204.exe
All screenshots are available in the full report
Total processes: 130
Monitored processes: 9
Malicious processes: 2
Suspicious processes: 1

Behavior graph

explorer.exe
  +- winrar.exe (PID 5512) [opens the .zip]
       +- cmd.exe (PID 6644, no specs) [runs Rar$Scan20628.bat]
            +- conhost.exe (PID 6244, no specs)
            +- mpcmdrun.exe (PID 4112, no specs) [Defender scan of the extracted file]
explorer.exe
  +- sho240908,1105,1202,1204.exe (PID 1760) [manual execution; crashes]
       +- regsvcs.exe (PID 1348) #SNAKE
       +- werfault.exe (PID 896, no specs)
services.exe
  +- svchost.exe (PID 2196, Dnscache)
       +- slui.exe (PID 3884)

Process information

PID 896
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1760 -s 704
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: SHO240908,1105,1202,1204.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID 1348
CMD: "C:\Users\admin\Desktop\SHO240908,1105,1202,1204.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: SHO240908,1105,1202,1204.exe
Indicators: #SNAKE (SnakeKeylogger). Note that the recorded command line is the parent's own executable path, while the image on disk is the legitimate .NET RegSvcs.exe utility; the keylogger and its configuration were detected inside this process, not in the file on the Desktop.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
SnakeKeylogger
(PID) Process: (1348) RegSvcs.exe
Keys
  DES: 6fc98cd68a1aab8b
Options
  Telegram Bot Token: 7939905545:AAGZ8bMeWRWU5UEZdgj90fd6BDk9K4EMabA
  Telegram Chat ID: 7000018009
PID 1760
CMD: "C:\Users\admin\Desktop\SHO240908,1105,1202,1204.exe"
Path: C:\Users\admin\Desktop\SHO240908,1105,1202,1204.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION; this is the crash that WerFault.exe PID 896 reported on)
Modules
Images
c:\users\admin\desktop\sho240908,1105,1202,1204.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID 3884
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID 4112
CMD: "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR5512.23633"
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
2
Version:
4.18.1909.6 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
PID 5512
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\5950cae333c176be28ffd3868a5ebdf34db6e8705f58af62044ceb2d0538a5c6.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID 6244
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 6644
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR5512.23633\Rar$Scan20628.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
Total events: 10,663
Read events: 10,640
Write events: 23
Delete events: 0

Modification events

PID 5512 (WinRAR.exe) write HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory\3 = C:\Users\admin\Desktop\preferences.zip
PID 5512 (WinRAR.exe) write HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory\2 = C:\Users\admin\Desktop\chromium_ext.zip
PID 5512 (WinRAR.exe) write HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory\1 = C:\Users\admin\Desktop\omni_23_10_2024_.zip
PID 5512 (WinRAR.exe) write HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory\0 = C:\Users\admin\Desktop\5950cae333c176be28ffd3868a5ebdf34db6e8705f58af62044ceb2d0538a5c6.zip
PID 5512 (WinRAR.exe) write HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths\name = 120
PID 5512 (WinRAR.exe) write HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths\size = 80
PID 5512 (WinRAR.exe) write HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths\type = 120
PID 5512 (WinRAR.exe) write HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths\mtime = 100
PID 1348 (RegSvcs.exe) write HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32\EnableFileTracing = 0
PID 1348 (RegSvcs.exe) write HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegSvcs_RASAPI32\EnableAutoFileTracing = 0

Only the ArcHistory\0 entry refers to this sample; entries 1 to 3 are WinRAR's pre-existing recent-archive history in the sandbox image, rewritten when the new entry was pushed to the front, and are not artifacts of the sample. The two Tracing writes by PID 1348 are the basis of the "Disables trace logs" signature above.
Executable files: 1
Suspicious files: 6
Text files: 2
Unknown types: 0

Dropped files

PID 896 (WerFault.exe)
  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SHO240908_1105_1_9f624f3240db1d5e97f3c8158c3c0aaab1f934_c9731d83_b7458010-b6d0-47f1-a1ef-38388b58637d\Report.wer
  Type: (not listed)  MD5: (not listed)  SHA256: (not listed)
PID 896 (WerFault.exe)
  C:\Users\admin\AppData\Local\CrashDumps\SHO240908_1105_1202_1204.exe.1760.dmp
  Type: binary  MD5: 4D2FFB03AE0A0B80952A7F2C46EDD418
  SHA256: 81B33F659C090D10867B4C480401A2FF9D1BFE43A0CC16D83AAA460B897D757B
PID 5512 (WinRAR.exe)
  C:\Users\admin\AppData\Local\Temp\Rar$VR5512.23633\Rar$Scan20628.bat
  Type: text  MD5: 3DD1461A29A4FC8DE771498F65013DEA
  SHA256: 725CD379F003E7CCDEC5CE7C18B142E5C4E32AF40C99C75F0B84A59E092F8D8F
PID 896 (WerFault.exe)
  C:\ProgramData\Microsoft\Windows\WER\Temp\WERD0B2.tmp.xml
  Type: xml  MD5: BB11C6A054CCDD382F8AF2AF57E4E652
  SHA256: 1C75A060B8CDCAABE94524C6D1B0EEA37600D7AA90A2729054508984F94DA2DA
PID 896 (WerFault.exe)
  C:\ProgramData\Microsoft\Windows\WER\Temp\WERD072.tmp.WERInternalMetadata.xml
  Type: binary  MD5: CA1FDA88C841193D12BCD9F3E157496D
  SHA256: 5F86441F38BF7AB7190AA00BCEEA3F74BB51210F56E1DC74E04C08C8B4C493BF
PID 4112 (MpCmdRun.exe)
  C:\Users\admin\AppData\Local\Temp\MpCmdRun.log
  Type: binary  MD5: 7253C21FF58A924ED0B7F0F084D77A91
  SHA256: 75D855E912B59C8D88E478164E971C6E307EBB572157904542DCF55693833E52
PID 5512 (WinRAR.exe)
  C:\Users\admin\AppData\Local\Temp\Rar$VR5512.23633\5950cae333c176be28ffd3868a5ebdf34db6e8705f58af62044ceb2d0538a5c6.zip\SHO240908,1105,1202,1204.exe
  Type: executable  MD5: 67525DB4AA41617712DF5AD533FC8F86
  SHA256: 1878A3F8A15A747D675ECBAF7FC6712252B58FDDF429B1551DAF9C8B62591DB5
PID 1760 (SHO240908,1105,1202,1204.exe)
  C:\Users\admin\AppData\Local\Temp\autC9F9.tmp
  Type: binary  MD5: 4E0DD3E99F74B0516804CF8367A50C2F
  SHA256: 90319C7D7C6541DFDE89322D88ACE454DA6A5ABA34BB1D9DB7953546FBCEFA4C
PID 1760 (SHO240908,1105,1202,1204.exe)
  C:\Users\admin\AppData\Local\Temp\atule
  Type: binary  MD5: A6BBE4D81B3ED4D216B3A6A96AE7A329
  SHA256: 57EEFBD886371BAA55FEEC051842D225F8E6421085A65CEC42AE119BF3356266
PID 896 (WerFault.exe)
  C:\ProgramData\Microsoft\Windows\WER\Temp\WERCF29.tmp.dmp
  Type: binary  MD5: 95308F5E327E7596F14F6FA4A4BFCF2E
  SHA256: 7BB08E5317EE61A0CE40F32FF3E08DE5CE47292E8D986D6047A6C0551FC0AACC

The hashes to pivot on are those of the extracted executable (SHA256 1878A3F8...DB5), which differ from the archive's own hashes in the header; the aut<hex>.tmp naming of the file written by PID 1760 is the pattern AutoIt-compiled executables use for their unpacked script, which is consistent with a scripted loader that hands off to RegSvcs.exe, though the report itself does not identify the loader.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 19
TCP/UDP connections: 22
DNS requests: 7
Threats: 14

HTTP requests

PID   Process      Method  Code  IP                 URL                                            CN       Type     Size  Reputation
1348  RegSvcs.exe  GET     200   193.122.130.0:80   http://checkip.dyndns.org/                     unknown  unknown
1348  RegSvcs.exe  GET     200   193.122.130.0:80   http://checkip.dyndns.org/                     unknown  unknown
1348  RegSvcs.exe  GET     200   193.122.130.0:80   http://checkip.dyndns.org/                     unknown  unknown
1348  RegSvcs.exe  GET     200   193.122.130.0:80   http://checkip.dyndns.org/                     unknown  unknown
1348  RegSvcs.exe  GET     200   193.122.130.0:80   http://checkip.dyndns.org/                     unknown  unknown
1348  RegSvcs.exe  GET     200   193.122.130.0:80   http://checkip.dyndns.org/                     unknown  unknown
1348  RegSvcs.exe  GET     200   193.122.130.0:80   http://checkip.dyndns.org/                     unknown  unknown
-     -            GET     200   104.21.80.1:443    https://reallyfreegeoip.org/xml/176.116.48.59  unknown
1348  RegSvcs.exe  GET     200   193.122.130.0:80   http://checkip.dyndns.org/                     unknown  unknown
1348  RegSvcs.exe  GET     200   193.122.130.0:80   http://checkip.dyndns.org/                     unknown  unknown

(- = not listed in the report.) The address in the reallyfreegeoip.org request path, 176.116.48.59, is the sandbox's public address as returned by the preceding checkip.dyndns.org requests: the keylogger first learns the victim's external IP and then geolocates it for its report, which is the pattern the "Snake/Matiex Keylogger Style External IP Check" Suricata rule below keys on. No traffic to the Telegram bot named in the configuration appears in the listing.

Connections

PID   Process      IP                    Domain                            ASN                          CN  Reputation
-     -            40.127.240.158:443    settings-win.data.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK  IE  unknown
4     System       192.168.100.255:137   -                                 -                            -   unknown
4     System       192.168.100.255:138   -                                 -                            -   unknown
-     -            20.73.194.208:443     settings-win.data.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK  NL  unknown
1348  RegSvcs.exe  193.122.130.0:80      checkip.dyndns.org                ORACLE-BMC-31898             US  unknown
1348  RegSvcs.exe  104.21.112.1:443      reallyfreegeoip.org               CLOUDFLARENET                -   unknown
4776  slui.exe     40.91.76.224:443      activation-v2.sls.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK  US  unknown
3884  slui.exe     40.91.76.224:443      activation-v2.sls.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK  US  unknown

(- = not listed in the report.)

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
unknown
google.com
  • 216.58.206.78
unknown
checkip.dyndns.org
  • 193.122.130.0
  • 132.226.8.169
  • 132.226.247.73
  • 193.122.6.168
  • 158.101.44.242
unknown
reallyfreegeoip.org
  • 104.21.112.1
  • 104.21.96.1
  • 104.21.64.1
  • 104.21.80.1
  • 104.21.16.1
  • 104.21.48.1
  • 104.21.32.1
unknown
activation-v2.sls.microsoft.com
  • 40.91.76.224
unknown

Threats

PID   Process      Class                                           Message
2196  svchost.exe  Device Retrieving External IP Address Detected  ET DYN_DNS External IP Lookup Domain in DNS Query (checkip .dyndns .org)
1348  RegSvcs.exe  Device Retrieving External IP Address Detected  ET INFO External IP Lookup - checkip.dyndns.org
1348  RegSvcs.exe  Device Retrieving External IP Address Detected  ET INFO 404/Snake/Matiex Keylogger Style External IP Check
1348  RegSvcs.exe  Device Retrieving External IP Address Detected  ET INFO External IP Lookup - checkip.dyndns.org
1348  RegSvcs.exe  Misc activity                                   ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
2196  svchost.exe  Device Retrieving External IP Address Detected  INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
2196  svchost.exe  Misc activity                                   ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
1348  RegSvcs.exe  Device Retrieving External IP Address Detected  ET INFO External IP Lookup - checkip.dyndns.org
1348  RegSvcs.exe  Device Retrieving External IP Address Detected  ET INFO External IP Lookup - checkip.dyndns.org
1348  RegSvcs.exe  Device Retrieving External IP Address Detected  ET INFO External IP Lookup - checkip.dyndns.org
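Detection logic for the external-IP-check chain that the Suricata alerts above fire on, as an added example that is not part of the ANY.RUN report. It runs over constructed records shaped like a proxy log (pid, process, method, URL, response body; that layout is an assumption), the checkip.dyndns.org body is modelled on that service's real HTML reply, and the benign PIDs 4020, 2200 and 7100 with their process names are invented for contrast.

```python
"""
Added example (not from the ANY.RUN report): flag a process that polls
checkip.dyndns.org and then asks reallyfreegeoip.org about exactly the
address it was just given, the sequence PID 1348 shows in the HTTP table.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

IP_RE = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Services whose only purpose is to tell the caller its public address.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org"}
# reallyfreegeoip.org takes the address to geolocate in the URL path.
GEOIP_RE = re.compile(r"^https?://reallyfreegeoip\.org/(?:xml|json|csv)/" + IP_RE)
CHECKIP_BODY_RE = re.compile(r"Current IP Address:\s*" + IP_RE)

# Modelled on checkip.dyndns.org's real reply format (constructed here).
CHECKIP_HTML = ("<html><head><title>Current IP Check</title></head>"
                "<body>Current IP Address: 176.116.48.59</body></html>")

# Constructed records: (pid, process, method, url, response_body).
SAMPLE_HTTP = [
    (1348, "RegSvcs.exe", "GET", "http://checkip.dyndns.org/", CHECKIP_HTML),
    (1348, "RegSvcs.exe", "GET", "http://checkip.dyndns.org/", CHECKIP_HTML),
    (1348, "RegSvcs.exe", "GET", "https://reallyfreegeoip.org/xml/176.116.48.59", ""),
    # A browser geolocating an unrelated address: no prior checkip call by this PID.
    (4020, "chrome.exe", "GET", "https://reallyfreegeoip.org/xml/8.8.8.8", ""),
    # A single checkip call with no follow-up: below the repeat threshold.
    (2200, "OUTLOOK.EXE", "GET", "http://checkip.dyndns.org/", CHECKIP_HTML),
    # Three polls of checkip and nothing else: the weaker, repeat-only signal.
    (7100, "update.exe", "GET", "http://checkip.dyndns.org/", CHECKIP_HTML),
    (7100, "update.exe", "GET", "http://checkip.dyndns.org/", CHECKIP_HTML),
    (7100, "update.exe", "GET", "http://checkip.dyndns.org/", CHECKIP_HTML),
]


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def detect_ip_check_chain(records, repeat_threshold=3):
    """Return at most one alert per PID.

    high:   the PID geolocated the very address checkip handed it.
    medium: the PID polled checkip at least repeat_threshold times.
    """
    learned = defaultdict(set)   # pid -> public addresses seen in checkip bodies
    polls = defaultdict(int)     # pid -> number of checkip requests
    names = {}
    alerts = []
    flagged = set()
    for pid, proc, _method, url, body in records:
        names[pid] = proc
        if host_of(url) in IP_LOOKUP_HOSTS:
            polls[pid] += 1
            m = CHECKIP_BODY_RE.search(body or "")
            if m:
                learned[pid].add(m.group(1))
            continue
        m = GEOIP_RE.match(url)
        if m and m.group(1) in learned[pid] and pid not in flagged:
            flagged.add(pid)
            alerts.append({"pid": pid, "process": proc, "severity": "high",
                           "external_ip": m.group(1), "checkip_polls": polls[pid],
                           "reason": "geolocated the address returned by checkip"})
    # Second pass: repeated polling alone, for PIDs not already flagged.
    for pid, n in polls.items():
        if n >= repeat_threshold and pid not in flagged:
            flagged.add(pid)
            alerts.append({"pid": pid, "process": names[pid], "severity": "medium",
                           "external_ip": None, "checkip_polls": n,
                           "reason": "repeated external IP polling"})
    return alerts


if __name__ == "__main__":
    for alert in detect_ip_check_chain(SAMPLE_HTTP):
        print(alert)
```

The high-severity rule needs the checkip response body, so it belongs on a proxy or sensor that logs or reconstructs HTTP bodies; the medium rule works from URLs alone, which is what the nine repeated checkip rows in the report would give a plain URL log.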