File name: 993e194d0d56ad1d5b65e1fd4bb01527ebf47a91f21ce4b562741757bb337788

Full analysis: https://app.any.run/tasks/57cff660-8ceb-43ff-b3a4-c68b1a60ca53
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and records every keystroke made on the device. This lets attackers harvest victims' personal information, including online banking credentials and private conversations. The most widespread infection vector is a phishing email or link carrying the payload (here, a ZIP attachment containing a single executable). Keylogging is also frequently bundled into remote access trojans as one capability among a broader set of malicious tools.

Analysis date: April 29, 2025, 04:28:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
evasion
snake
keylogger
stealer
smtp
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

C3B256C6F974914112E833761E1AC15F

SHA1:

4EC9C0EF049CD6622DB2CCDBB61FF906740C4EC2

SHA256:

993E194D0D56AD1D5B65E1FD4BB01527EBF47A91F21CE4B562741757BB337788

SSDEEP:

24576:fAJJ6wsF4QVIVA3TlWENxloUlO00Ru4KvYQkggheJ9DtIZ:fAJJ6wsF4QVIVA3TlWENxCUlO00Ru4Kc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 6872)
    • SNAKE has been detected (YARA)

      • 290425~PO.exe (PID: 5048)
    • SNAKEKEYLOGGER has been detected (SURICATA)

      • 290425~PO.exe (PID: 5048)
    • Actions look like stealing of personal data

      • 290425~PO.exe (PID: 5048)
  • SUSPICIOUS

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • 290425~PO.exe (PID: 5048)
    • Application launched itself

      • 290425~PO.exe (PID: 3180)
    • The process checks whether antivirus software is installed

      • 290425~PO.exe (PID: 5048)
    • Connects to SMTP port

      • 290425~PO.exe (PID: 5048)
  • INFO

    • Manual execution by a user

      • 290425~PO.exe (PID: 3180)
    • Reads the machine GUID from the registry

      • 290425~PO.exe (PID: 3180)
      • 290425~PO.exe (PID: 5048)
    • Reads the computer name

      • 290425~PO.exe (PID: 3180)
      • 290425~PO.exe (PID: 5048)
    • Checks supported languages

      • 290425~PO.exe (PID: 5048)
      • 290425~PO.exe (PID: 3180)
    • Checks proxy server information

      • 290425~PO.exe (PID: 5048)
      • slui.exe (PID: 5024)
    • Disables trace logs

      • 290425~PO.exe (PID: 5048)
    • Reads the software policy settings

      • 290425~PO.exe (PID: 5048)
      • slui.exe (PID: 5024)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:04:29 02:42:20
ZipCRC: 0x04b6055f
ZipCompressedSize: 586852
ZipUncompressedSize: 691200
ZipFileName: 290425~PO.exe
No data.
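The EXIF block above is the ZIP central-directory record for the one entry in the archive: 290425~PO.exe, deflated from 691200 to 586852 bytes (a ratio of about 0.85, which is what already-packed or encrypted content looks like), required version 2.0, CRC 0x04b6055f. A mail-delivered archive whose only member is an executable is the delivery shape this report shows. The script below is an added example, not ANY.RUN's code and not part of the report: it builds a constructed stand-in archive in memory (the inner file name is taken from the report; the MZ/PE-style bytes, readme.txt and the incompressible payload.bin are made up) and triages every entry without extracting anything to disk, reporting the same fields the EXIF block lists plus a few triage flags and a SHA-256 of the decompressed stream.

```python
import hashlib
import io
import os
import zipfile

# Constructed sample data: the real 290425~PO.exe is NOT reproduced here. Only the inner
# file name comes from the report's EXIF block; the bytes are a stand-in that mimics an
# MZ header with e_lfanew pointing at a "PE\0\0" signature so the magic check matches.
FAKE_PE = b"MZ" + b"\x90" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 4096
FAKE_PE_SHA256 = hashlib.sha256(FAKE_PE).hexdigest()

EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".pif", ".com", ".cpl", ".bat", ".cmd",
                   ".ps1", ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi", ".lnk"}


def build_sample_archive() -> bytes:
    """Build an in-memory ZIP shaped like the one in the report (deflated, one .exe inside)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("290425~PO.exe", FAKE_PE)
        zf.writestr("readme.txt", b"purchase order attached\n")
        # Constructed incompressible blob standing in for packed/encrypted content.
        zf.writestr("payload.bin", bytes(1) + os.urandom(4095))
    return buf.getvalue()


def triage_archive(data: bytes, max_entry_bytes: int = 64 * 1024 * 1024) -> list[dict]:
    """Inspect every entry of a ZIP without writing anything to disk.

    Returns the central-directory fields ANY.RUN's EXIF block shows (required version,
    compression method, CRC, sizes, name) plus triage flags and a SHA-256 of the content.
    """
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            entry = {
                "name": info.filename,
                "required_version": info.extract_version,   # 20 == "at least v2.0 to extract"
                "compression": info.compress_type,          # 8 == Deflated
                "crc": f"0x{info.CRC:08x}",
                "compressed_size": info.compress_size,
                "uncompressed_size": info.file_size,
                "encrypted": bool(info.flag_bits & 0x1),    # general-purpose bit 0
                "flags": [],
                "sha256": None,
            }
            flags = entry["flags"]
            if ext in EXEC_EXTENSIONS:
                flags.append("executable-extension")
            if info.is_dir() or info.file_size == 0:
                results.append(entry)
                continue
            if info.file_size > max_entry_bytes:
                # Never inflate an entry whose declared size exceeds the budget.
                flags.append("oversized-skipped")
                results.append(entry)
                continue
            # Ratio heuristics: a large entry that barely shrinks is usually packed or
            # encrypted already; one that shrinks to almost nothing is a bomb candidate.
            ratio = info.compress_size / info.file_size
            if info.file_size >= 1024 and ratio > 0.9:
                flags.append("poor-compression")
            if info.file_size >= 1 << 20 and ratio < 0.01:
                flags.append("high-compression-ratio")
            if entry["encrypted"]:
                flags.append("encrypted-entry")   # cannot hash the plaintext without a password
                results.append(entry)
                continue
            h = hashlib.sha256()
            with zf.open(info) as fh:
                head = fh.read(2)
                h.update(head)
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            entry["sha256"] = h.hexdigest()
            if head == b"MZ":
                flags.append("mz-header")
                if ext not in EXEC_EXTENSIONS:
                    flags.append("pe-with-non-executable-extension")
            results.append(entry)
    return results


if __name__ == "__main__":
    for e in triage_archive(build_sample_archive()):
        print(e)
```

The hash is computed over the decompressed stream, so it can be compared directly against the SHA-256 of the dropped executable rather than against the archive hash at the top of the report. Entries are never written out, and anything above the size budget or encrypted is flagged and skipped instead of inflated.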
All screenshots are available in the full report
Total processes: 122
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → winrar.exe (no specs)
start → 290425~po.exe (PID 3180, no specs) → 290425~po.exe (PID 5048, #SNAKEKEYLOGGER)
svchost.exe
slui.exe

Process information

PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 3180
CMD: "C:\Users\admin\Desktop\290425~PO.exe"
Path: C:\Users\admin\Desktop\290425~PO.exe
Parent process: explorer.exe
User:
admin
Company:
Phantom Dimension Software
Integrity Level:
MEDIUM
Description:
LexiQuest Deluxe
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\290425~po.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 5024
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5048
CMD: "C:\Users\admin\Desktop\290425~PO.exe"
Path: C:\Users\admin\Desktop\290425~PO.exe
Parent process: 290425~PO.exe
User:
admin
Company:
Phantom Dimension Software
Integrity Level:
MEDIUM
Description:
LexiQuest Deluxe
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\290425~po.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 6872
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\993e194d0d56ad1d5b65e1fd4bb01527ebf47a91f21ce4b562741757bb337788.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events: 9 023
Read events: 8 993
Write events: 30
Delete events: 0

Modification events

(PID) Process: (6872) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (6872) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (6872) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (6872) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\993e194d0d56ad1d5b65e1fd4bb01527ebf47a91f21ce4b562741757bb337788.zip

(PID) Process: (6872) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (6872) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (6872) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (6872) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (6872) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation: write
Name: ArcSort
Value: 32

(PID) Process: (6872) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation: write
Name: name
Value: 256
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 19
TCP/UDP connections: 24
DNS requests: 8
Threats: 16

HTTP requests

PID  | Process       | Method | HTTP Code | IP                 | URL                                             | CN      | Reputation
5048 | 290425~PO.exe | GET    | 200       | 158.101.44.242:80  | http://checkip.dyndns.org/                      | unknown | whitelisted
5048 | 290425~PO.exe | GET    | 200       | 158.101.44.242:80  | http://checkip.dyndns.org/                      | unknown | whitelisted
-    | -             | GET    | 200       | 104.21.32.1:443    | https://reallyfreegeoip.org/xml/185.129.31.176  | unknown | -
5048 | 290425~PO.exe | GET    | 200       | 158.101.44.242:80  | http://checkip.dyndns.org/                      | unknown | whitelisted
-    | -             | GET    | 200       | 104.21.48.1:443    | https://reallyfreegeoip.org/xml/185.129.31.176  | unknown | -
5048 | 290425~PO.exe | GET    | 200       | 158.101.44.242:80  | http://checkip.dyndns.org/                      | unknown | whitelisted
-    | -             | GET    | 200       | 104.21.64.1:443    | https://reallyfreegeoip.org/xml/185.129.31.176  | unknown | -
5048 | 290425~PO.exe | GET    | 200       | 158.101.44.242:80  | http://checkip.dyndns.org/                      | unknown | whitelisted
-    | -             | GET    | 200       | 104.21.16.1:443    | https://reallyfreegeoip.org/xml/185.129.31.176  | unknown | -
5048 | 290425~PO.exe | GET    | 200       | 158.101.44.242:80  | http://checkip.dyndns.org/                      | unknown | whitelisted

Connections

PID  | Process       | IP                  | Domain                          | ASN                        | CN | Reputation
4    | System        | 192.168.100.255:137 | -                               | -                          | -  | whitelisted
-    | -             | 4.231.128.59:443    | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4    | System        | 192.168.100.255:138 | -                               | -                          | -  | whitelisted
-    | -             | 51.124.78.146:443   | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5048 | 290425~PO.exe | 158.101.44.242:80   | checkip.dyndns.org              | ORACLE-BMC-31898           | US | whitelisted
5048 | 290425~PO.exe | 104.21.112.1:443    | reallyfreegeoip.org             | CLOUDFLARENET              | -  | malicious
4200 | slui.exe      | 20.83.72.98:443     | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5048 | 290425~PO.exe | 148.66.137.31:587   | mail.villsunlab.com             | AS-26496-GO-DADDY-COM-LLC  | SG | malicious
5024 | slui.exe      | 40.91.76.224:443    | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.78
whitelisted
checkip.dyndns.org
  • 158.101.44.242
  • 193.122.130.0
  • 132.226.8.169
  • 132.226.247.73
  • 193.122.6.168
whitelisted
reallyfreegeoip.org
  • 104.21.112.1
  • 104.21.96.1
  • 104.21.80.1
  • 104.21.16.1
  • 104.21.64.1
  • 104.21.48.1
  • 104.21.32.1
malicious
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted
mail.villsunlab.com
  • 148.66.137.31
malicious

Threats

PID  | Process       | Class                                          | Message
2196 | svchost.exe   | Device Retrieving External IP Address Detected | ET DYN_DNS External IP Lookup Domain in DNS Query (checkip .dyndns .org)
5048 | 290425~PO.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
5048 | 290425~PO.exe | Device Retrieving External IP Address Detected | ET INFO 404/Snake/Matiex Keylogger Style External IP Check
2196 | svchost.exe   | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
2196 | svchost.exe   | Misc activity                                  | ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
5048 | 290425~PO.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
5048 | 290425~PO.exe | Misc activity                                  | ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
5048 | 290425~PO.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
5048 | 290425~PO.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
5048 | 290425~PO.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
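Two things in the network data above are worth reading together. First, the DNS-based alerts are attributed to svchost.exe (PID 2196) only because that instance hosts the Dnscache service (see its command line, -s Dnscache) and resolves names on behalf of other processes; the TCP connections themselves, including the SMTP session to mail.villsunlab.com:587, belong to 290425~PO.exe (PID 5048). Second, checkip.dyndns.org is rated "whitelisted", so domain reputation alone would not have caught this. What does stand out is the sequence from one non-mail process: external-IP lookup, geo-IP lookup of that address, then an outbound SMTP connection, which is the Snake Keylogger exfiltration pattern the Suricata "404/Snake/Matiex Keylogger Style External IP Check" signature alludes to. The script below is an added example, not ANY.RUN's code and not part of the report: it runs that correlation over a constructed connection log. PIDs, hosts and ports are taken from the Connections table; the timestamps, the outlook.exe and updater.exe lines, and the extra look-up domains in the sets are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption for this example: the report only shows checkip.dyndns.org and
# reallyfreegeoip.org; the other entries are other commonly used look-up services.
IP_LOOKUP_DOMAINS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com", "ifconfig.me"}
GEOIP_DOMAINS = {"reallyfreegeoip.org", "ip-api.com", "freegeoip.app"}
SMTP_PORTS = {25, 465, 587, 2525}
# Processes for which an SMTP session is expected; they do not raise this alert.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


@dataclass(frozen=True)
class Conn:
    ts: datetime
    pid: int
    process: str
    dst: str        # "ip:port" as printed in the Connections table
    domain: str

    @property
    def port(self) -> int:
        return int(self.dst.rsplit(":", 1)[1])


def parse_conn_log(text: str) -> list[Conn]:
    """Parse constructed 'timestamp pid process ip:port domain' lines (space-separated)."""
    conns = []
    for line in text.strip().splitlines():
        ts, pid, process, dst, domain = line.split()
        conns.append(Conn(datetime.fromisoformat(ts), int(pid), process, dst, domain.lower()))
    return conns


def detect_exfil_chain(conns: list[Conn], window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Per process: external-IP lookup, optional geo-IP lookup, then SMTP from a non-mail client.

    The geo-IP stage is optional because it is a confidence booster, not a requirement:
    the lookup-then-SMTP pair from a process that has no business sending mail is the core signal.
    """
    by_proc: dict[tuple[int, str], list[Conn]] = defaultdict(list)
    for c in conns:
        by_proc[(c.pid, c.process)].append(c)

    alerts = []
    for (pid, process), events in by_proc.items():
        events.sort(key=lambda c: c.ts)
        lookups = [c for c in events if c.domain in IP_LOOKUP_DOMAINS]
        if not lookups or process.lower() in MAIL_CLIENTS:
            continue
        start, end = lookups[0].ts, lookups[0].ts + window
        geo = [c for c in events if c.domain in GEOIP_DOMAINS and start <= c.ts <= end]
        smtp = [c for c in events if c.port in SMTP_PORTS and start <= c.ts <= end]
        if not smtp:
            continue
        alerts.append({
            "pid": pid,
            "process": process,
            "ip_lookups": len(lookups),
            "geoip_lookup": bool(geo),
            "smtp_dst": smtp[0].dst,
            "smtp_domain": smtp[0].domain,
            "severity": "high" if geo else "medium",
        })
    return alerts


# Constructed log modelled on this report's Connections table. PIDs, hosts and ports for
# 5048 and 5024 come from the report; timestamps and the outlook.exe / updater.exe lines
# are made up to show a benign mail client and a lookup without exfiltration.
SAMPLE_LOG = """
2025-04-29T04:29:10 5048 290425~PO.exe 158.101.44.242:80 checkip.dyndns.org
2025-04-29T04:29:11 5048 290425~PO.exe 104.21.112.1:443 reallyfreegeoip.org
2025-04-29T04:29:12 5024 slui.exe 40.91.76.224:443 activation-v2.sls.microsoft.com
2025-04-29T04:29:15 5048 290425~PO.exe 148.66.137.31:587 mail.villsunlab.com
2025-04-29T04:29:20 7001 outlook.exe 40.99.1.1:587 smtp.office365.com
2025-04-29T04:29:25 7002 updater.exe 158.101.44.242:80 checkip.dyndns.org
"""

if __name__ == "__main__":
    for alert in detect_exfil_chain(parse_conn_log(SAMPLE_LOG)):
        print(alert)
```

Only PID 5048 trips the rule: outlook.exe talks SMTP but is an expected mail client, and updater.exe performs a look-up with no follow-on mail session. In a real deployment the same logic runs over Zeek conn/dns logs or Sysmon network events joined by process, and the allow-list of mail clients should be image-path based, not name based, since a keylogger can trivially name itself outlook.exe.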
No debug info