File name:

16052025_0517_15052025_2025DDPDAP_LeamchabangBKK_Valves_Spec.rar

Full analysis: https://app.any.run/tasks/713ab225-f632-4215-a7bb-f31ab46b829f
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Analysis date: May 16, 2025, 05:26:24
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
evasion
snake
keylogger
telegram
stealer
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: AD7A44A52EC4A549CF7C12527C5DAF47
SHA1: B381D3C01CBDEE422ABEDC8756CC7BA22F75A355
SHA256: B59B635D63CE2A931E8EFF34542766CE4B6BDB71E381952B676B87B0BC812CAC
SSDEEP: 12288:Y8Lb1wuHOb7qIsq5xmSVLLrU868zk4988qfXHWtzjdF7bClHNJs9:YIbNHfdUmSNLl68z1988+XHWtzr7bClm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 7332)
    • SNAKE has been detected (YARA)

      • 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID: 7668)
    • Actions looks like stealing of personal data

      • 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID: 7668)
    • Steals credentials from Web Browsers

      • 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID: 7668)
    • SNAKEKEYLOGGER has been detected (SURICATA)

      • 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID: 7668)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID: 7508)
    • Executable content was dropped or overwritten

      • 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID: 7508)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID: 7508)
    • Application launched itself

      • 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID: 7508)
    • Reads security settings of Internet Explorer

      • 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID: 7668)
    • Checks for external IP

      • 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID: 7668)
      • svchost.exe (PID: 2196)
    • There is functionality for taking screenshot (YARA)

      • 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID: 7668)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID: 7668)
    • The process verifies whether the antivirus software is installed

      • 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID: 7668)
  • INFO

    • Reads the computer name

      • 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID: 7508)
      • 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID: 7668)
    • Checks supported languages

      • 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID: 7508)
      • 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID: 7668)
    • Manual execution by a user

      • 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID: 7508)
    • Create files in a temporary directory

      • 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID: 7508)
    • Checks proxy server information

      • 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID: 7668)
      • slui.exe (PID: 7900)
    • Reads the software policy settings

      • 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID: 7668)
      • slui.exe (PID: 7900)
    • Disables trace logs

      • 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID: 7668)
    • Reads the machine GUID from the registry

      • 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID: 7668)
    • Attempting to use instant messaging service

      • svchost.exe (PID: 2196)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

SnakeKeylogger

Process: 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID 7668)
Keys
DES: 6fc98cd68a1aab8b
Options
SMTP User: requirementslog@cybertechllc.top
SMTP Password: 7213575aceACE@@#
SMTP Host: mail.cybertechllc.top
SMTP SendTo: requirements@cybertechllc.top
SMTP Port: 587
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
CompressedSize: 432946
UncompressedSize: 447434
OperatingSystem: Win32
ArchivedFileName: 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe
All screenshots are available in the full report
Total processes: 128
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes in the graph: start, winrar.exe (no specs), 2025ddp dap_ leamchabang bkk _valves_spec.exe, 2025ddp dap_ leamchabang bkk _valves_spec.exe (#SNAKE), svchost.exe, slui.exe

Process information

PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 7332
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\16052025_0517_15052025_2025DDPDAP_LeamchabangBKK_Valves_Spec.rar
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 7508
CMD: "C:\Users\admin\Desktop\2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe"
Path: C:\Users\admin\Desktop\2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe
Parent process: explorer.exe
User: admin
Company: kodemodulerne skribentens fodvorter
Integrity Level: MEDIUM
Exit code: 0
Version: 2.5.0.0
Modules (images):
c:\users\admin\desktop\2025ddp dap_ leamchabang bkk _valves_spec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7668
CMD: "C:\Users\admin\Desktop\2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe"
Path: C:\Users\admin\Desktop\2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe
Parent process: 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe
User: admin
Company: kodemodulerne skribentens fodvorter
Integrity Level: MEDIUM
Version: 2.5.0.0
Modules (images):
c:\windows\syswow64\mshtml.dll
c:\users\admin\desktop\2025ddp dap_ leamchabang bkk _valves_spec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 7900
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 9 047
Read events: 9 025
Write events: 22
Delete events: 0

Modification events

Process: WinRAR.exe (PID 7332)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

Process: WinRAR.exe (PID 7332)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

Process: WinRAR.exe (PID 7332)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

Process: WinRAR.exe (PID 7332)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\16052025_0517_15052025_2025DDPDAP_LeamchabangBKK_Valves_Spec.rar

Process: WinRAR.exe (PID 7332)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: WinRAR.exe (PID 7332)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: WinRAR.exe (PID 7332)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: WinRAR.exe (PID 7332)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID 7668)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\2025DDP DAP_ Leamchabang BKK _Valves_Spec_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

Process: 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID 7668)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\2025DDP DAP_ Leamchabang BKK _Valves_Spec_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0
Executable files: 1
Suspicious files: 6
Text files: 3
Unknown types: 0

Dropped files

Process: 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID 7508)
Filename: C:\Users\admin\trendsetter\cebine\ecumenicism\Menneskevrdige.Uds
Type: binary
MD5: 44D31156125795CA4ED5550ECAFEB4F4
SHA256: 1F7D5D71BFDBA71858FCA9340BAC6C466E6B96D0B9D74E547DFBC3D7943FC6DB

Process: 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID 7508)
Filename: C:\Users\admin\trendsetter\cebine\ecumenicism\volker.har
Type: binary
MD5: 78F88E5F1FB1ED91604A182663843211
SHA256: CAE8F0AE3A17EB5F2425597375CBAD1747490E58B63602AE94FABE4F3FB56FFA

Process: 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID 7508)
Filename: C:\Users\admin\trendsetter\cebine\ecumenicism\frostsikrede.txt
Type: text
MD5: 17B96C1028F23829CCB30D63FB3E18AE
SHA256: ACC494DCBD31D7EF9113FF26B9ED691282EF68297282F28FA1C163707FCFCE7B

Process: 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID 7508)
Filename: C:\Users\admin\trendsetter\cebine\ecumenicism\Commendableness129.ini
Type: text
MD5: 2FAE8FC82C37B9FF3AC0AF4A36AA9692
SHA256: 48FAD79D924973360B74E6B0F1C874F4307270F26BF1F2C5BE25F5A0B772000F

Process: 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID 7508)
Filename: C:\Users\admin\trendsetter\cebine\ecumenicism\Vejbygningerne.Cap
Type: binary
MD5: 3B16D9E45D95F2EC1F01DF1F531BB2A3
SHA256: F741B0E6F056063354C349FF0BCF5F3AA35174777E8AA8EEC3EFDCA48D89E5C5

Process: 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID 7508)
Filename: C:\Users\admin\AppData\Local\Temp\tmc.ini
Type: text
MD5: F6A80CF0B011E1638B38D8EAA2A9629B
SHA256: AB3B162F39F8FDBD8DD767791EC116E75DA198FCE6BABBA6E1677044678714D8

Process: 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID 7508)
Filename: C:\Users\admin\trendsetter\cebine\ecumenicism\Puberty.hes
Type: binary
MD5: 61A369F5F4EEFCBD1CED538E099F02E6
SHA256: 938429A1B8EBF8D2D1F26F030E756BDBAE974DE847AEF24DA12B40CE84CCC407

Process: 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID 7508)
Filename: C:\Users\admin\AppData\Local\Temp\nsmD3ED.tmp\System.dll
Type: executable
MD5: 17ED1C86BD67E78ADE4712BE48A7D2BD
SHA256: BD046E6497B304E4EA4AB102CAB2B1F94CE09BDE0EEBBA4C59942A732679E4EB

Process: 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID 7508)
Filename: C:\Users\admin\trendsetter\cebine\ecumenicism\desultoriness.oxy
Type: binary
MD5: 77CCE649F4D8495834ACB2FE121B8698
SHA256: 9F1988E19C6AABDE73ABA2410BB476F46159E2A89F37792D1364033360CCEA0F

Process: 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe (PID 7508)
Filename: C:\Users\admin\trendsetter\cebine\ecumenicism\fred.jpg
Type: binary
MD5: 6315D7ADEAA1B8D398BBCD07178C1EB8
SHA256: DD2529259F021B6F243C79ABA236439B5FDD0A3B6AC9E86401880F731DB66B02
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 26
DNS requests: 12
Threats: 20

HTTP requests

Columns: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation (only the captured values appear in each row below, in that order)

2104 svchost.exe | GET 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2104 svchost.exe | GET 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7668 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe | GET 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | whitelisted
7668 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe | GET 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | whitelisted
7668 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe | GET 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | whitelisted
7668 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe | GET 502 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | whitelisted
7668 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe | GET 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | whitelisted
7668 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe | GET 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | whitelisted
7668 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe | GET 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | whitelisted
7668 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe | GET 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4112 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
2104 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7668 | 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe | 142.250.184.206:443 | drive.google.com | GOOGLE | US | whitelisted
7668 | 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe | 142.250.186.129:443 | drive.usercontent.google.com | GOOGLE | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 40.127.240.158 | whitelisted
google.com | 142.250.186.110 | whitelisted
crl.microsoft.com | 23.216.77.42, 23.216.77.20, 23.216.77.28, 23.216.77.36 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
drive.google.com | 142.250.184.206 | whitelisted
drive.usercontent.google.com | 142.250.186.129 | whitelisted
checkip.dyndns.org | 132.226.8.169, 158.101.44.242, 193.122.6.168, 132.226.247.73, 193.122.130.0 | whitelisted
reallyfreegeoip.org | 104.21.112.1, 104.21.80.1, 104.21.48.1, 104.21.16.1, 104.21.32.1, 104.21.96.1, 104.21.64.1 | malicious
api.telegram.org | 149.154.167.220 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98, 40.91.76.224 | whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Device Retrieving External IP Address Detected | ET DYN_DNS External IP Lookup Domain in DNS Query (checkip .dyndns .org)
7668 | 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
7668 | 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe | Device Retrieving External IP Address Detected | ET INFO 404/Snake/Matiex Keylogger Style External IP Check
2196 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
7668 | 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
2196 | svchost.exe | Misc activity | ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
7668 | 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe | Misc activity | ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
7668 | 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
7668 | 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
7668 | 2025DDP DAP_ Leamchabang BKK _Valves_Spec.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org