File name:	a5c1c0eb16016e22e2df4c09e91929d0f1aa4dc55c4e3d3f6d1b33918589eb5a.zip
Full analysis:	https://app.any.run/tasks/b196e527-3a54-4dd8-a90b-dd8c0a015f4f
Verdict:	Malicious activity
Threats:	A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	August 01, 2025, 05:36:22
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec auto-sch-xml snake keylogger evasion stealer ims-api generic
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	08C5F7DE76B6ADAA973ADE0FD97E9027
SHA1:	A2DAE2B8A0C2B6EBB777D5C028617F0C0B30CD99
SHA256:	A5C1C0EB16016E22E2DF4C09E91929D0F1AA4DC55C4E3D3F6D1B33918589EB5A
SSDEEP:	12288:LgM7QCD80J2X2HYx+dqOm6wi4l/Zd1pYDG131lHMn:LgM7F4W2X+Yx776wtl/f1p331lsn

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2025:07:31 20:59:02
ZipCRC:	0x3063530a
ZipCompressedSize:	463256
ZipUncompressedSize:	550920
ZipFileName:	PO#240145.bat


(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\a5c1c0eb16016e22e2df4c09e91929d0f1aa4dc55c4e3d3f6d1b33918589eb5a.zip
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(2384) PO#240145.bat	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO#240145_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(2384) PO#240145.bat	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\PO#240145_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0

PID	Process	Filename		Type
504	PO#240145.bat	C:\Users\admin\AppData\Roaming\FSEUWuGde.exe		executable
		MD5:F11B7752D4D90ABCE909F3C580AEDD1C	SHA256:F6DC3F5E765A384C8317D418BE852E6B1909B89B2F90EA5483858FCA4CFFED4F
504	PO#240145.bat	C:\Users\admin\AppData\Local\Temp\tmp2B2D.tmp		xml
		MD5:896313A9DE4B05FA75157B23A0DEF7B7	SHA256:8F7F331BAE4EC6C27A50C2F0BAD67BD87213E4EB3C7AD96382B2840BE1F36FA9
6748	FSEUWuGde.exe	C:\Users\admin\AppData\Local\Temp\tmp749A.tmp		xml
		MD5:896313A9DE4B05FA75157B23A0DEF7B7	SHA256:8F7F331BAE4EC6C27A50C2F0BAD67BD87213E4EB3C7AD96382B2840BE1F36FA9
4120	MpCmdRun.exe	C:\Users\admin\AppData\Local\Temp\MpCmdRun.log		text
		MD5:C971152AA48A3AC3E63FE9C550955011	SHA256:3ED987727C66B677F8192ABCB22E80D98C5CE6366AFC5B258D435CFE25A20B0E
6492	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6492.49905\a5c1c0eb16016e22e2df4c09e91929d0f1aa4dc55c4e3d3f6d1b33918589eb5a.zip\PO#240145.bat		executable
		MD5:F11B7752D4D90ABCE909F3C580AEDD1C	SHA256:F6DC3F5E765A384C8317D418BE852E6B1909B89B2F90EA5483858FCA4CFFED4F
6492	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6492.49905\Rar$Scan97877.bat		text
		MD5:7E8310A7812A51BD6DA0FCE9E0822927	SHA256:88A497CBF6800A9ABACF35BA7F63F2442EBDB8F7DBE711F8C39D9F8A6FA00C4C

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5944	MoUsoCoreWorker.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4944	RUXIMICS.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4944	RUXIMICS.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2384	PO#240145.bat	GET	200	132.226.247.73:80	http://checkip.dyndns.org/	unknown	—	—	whitelisted
2384	PO#240145.bat	GET	200	132.226.247.73:80	http://checkip.dyndns.org/	unknown	—	—	whitelisted
2384	PO#240145.bat	GET	200	132.226.247.73:80	http://checkip.dyndns.org/	unknown	—	—	whitelisted
—	—	GET	200	104.21.80.1:443	https://reallyfreegeoip.org/xml/109.26.61.227	unknown	text	352 b	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4944	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4944	RUXIMICS.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
1268	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	142.250.186.110	whitelisted
crl.microsoft.com	23.216.77.28 23.216.77.6 23.216.77.42	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
checkip.dyndns.org	132.226.247.73 193.122.6.168 193.122.130.0 158.101.44.242 132.226.8.169	whitelisted
reallyfreegeoip.org	104.21.96.1 104.21.80.1 104.21.64.1 104.21.32.1 104.21.112.1 104.21.16.1 104.21.48.1	malicious
cphost14.qhoster.net	78.110.166.82	malicious
self.events.data.microsoft.com	20.42.65.89	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

PID	Process	Class	Message
2200	svchost.exe	Device Retrieving External IP Address Detected	ET DYN_DNS External IP Lookup Domain in DNS Query (checkip .dyndns .org)
2384	PO#240145.bat	Device Retrieving External IP Address Detected	ET INFO External IP Lookup - checkip.dyndns.org
2384	PO#240145.bat	Device Retrieving External IP Address Detected	ET INFO 404/Snake/Matiex Keylogger Style External IP Check
2200	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
2384	PO#240145.bat	Device Retrieving External IP Address Detected	ET INFO External IP Lookup - checkip.dyndns.org
2384	PO#240145.bat	Misc activity	ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
2200	svchost.exe	Misc activity	ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
2384	PO#240145.bat	Device Retrieving External IP Address Detected	ET INFO External IP Lookup - checkip.dyndns.org
1156	FSEUWuGde.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup - checkip.dyndns.org
1156	FSEUWuGde.exe	Device Retrieving External IP Address Detected	ET INFO 404/Snake/Matiex Keylogger Style External IP Check

General Info

a5c1c0eb16016e22e2df4c09e91929d0f1aa4dc55c4e3d3f6d1b33918589eb5a.zip

08C5F7DE76B6ADAA973ADE0FD97E9027

A2DAE2B8A0C2B6EBB777D5C028617F0C0B30CD99

A5C1C0EB16016E22E2DF4C09E91929D0F1AA4DC55C4E3D3F6D1B33918589EB5A

12288:LgM7QCD80J2X2HYx+dqOm6wi4l/Zd1pYDG131lHMn:LgM7F4W2X+Yx776wtl/f1p331lsn

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SNAKEKEYLOGGER has been detected (SURICATA)

Uses Task Scheduler to run other applications

Actions looks like stealing of personal data

Generic archive extractor

Steals credentials from Web Browsers

SUSPICIOUS

Starts application with an unusual extension

Reads security settings of Internet Explorer

The process verifies whether the antivirus software is installed

Checks for external IP

Application launched itself

Possible usage of Discord/Telegram API has been detected (YARA)

Connects to SMTP port

Suspicious files were dropped or overwritten

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Executable content was dropped or overwritten

INFO

Manual execution by a user

Creates files or folders in the user directory

Create files in a temporary directory

Process checks computer location settings

Disables trace logs

Checks supported languages

Reads the software policy settings

Reads the machine GUID from the registry

Reads the computer name

Checks proxy server information

Executable content was dropped or overwritten

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats