Recent Keylogger Attributed to North Korean Group Andariel Analyzed Through A Hybrid Analysis Perspective

2024-11-04 Hybrid Analysis

https://hybrid-analysis.blogspot.com/2024/11/recent-keylogger-attributed-to-north.html


Andariel, also tracked as APT45, Silent Chollima, and Onyx Sleet, is linked in the source post to a recently disclosed keylogger used against U.S. organizations. The malware installs low-level keyboard and mouse hooks with SetWindowsHookExW, persists by modifying the Windows Run registry key, and obscures its execution flow with junk code and an encrypted payload that is decrypted in memory. Captured activity is written to a password-protected archive named DT_0004.tmp in %TEMP%, which contains the log file a04.log. The Hybrid Analysis view highlights the credential-theft risk and the anti-analysis tradecraft that are useful for detecting the sample.
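The three behaviours summarized above (low-level input hooks, Run-key persistence, and a log archive dropped in %TEMP%) combine into a simple per-process triage rule. The script below is an added example written for this page, not code from Hybrid Analysis or from the post; the event schema, process IDs, user name and registry SID are constructed, and only the hook identifiers (WH_KEYBOARD_LL = 13, WH_MOUSE_LL = 14, from WinUser.h) and the file names DT_0004.tmp and a04.log come from documented facts. A process is flagged only when at least two independent indicators co-occur, so a lone accessibility tool installing a keyboard hook, or an installer writing a Run-key value, is not reported on its own.

```python
"""Triage constructed endpoint telemetry for the keylogger tradecraft described above.

Added example: event shape and sample records are constructed for illustration.
"""
import re
from collections import defaultdict

# Hook identifiers from WinUser.h; the sample installs both low-level hooks.
WH_KEYBOARD_LL = 13
WH_MOUSE_LL = 14
LOW_LEVEL_HOOKS = {WH_KEYBOARD_LL, WH_MOUSE_LL}

# Value written under HK*\Software\Microsoft\Windows\CurrentVersion\Run (or RunOnce).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE
)
# Any path that passes through a ...\Temp\ directory (what %TEMP% expands to).
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
# File names named in the report: the password-protected archive and the log inside it.
ARTIFACT_NAMES = {"dt_0004.tmp", "a04.log"}


def classify(event):
    """Map one telemetry record to an indicator name, or None if it is unremarkable."""
    kind = event["type"]
    if kind == "api_call" and event.get("api") == "SetWindowsHookExW":
        if event.get("idHook") in LOW_LEVEL_HOOKS:
            return "ll_input_hook"
    elif kind == "registry_set":
        if RUN_KEY_RE.search(event.get("target", "")):
            return "run_key_persistence"
    elif kind == "file_create":
        path = event.get("path", "")
        name = path.rsplit("\\", 1)[-1].lower()
        if name in ARTIFACT_NAMES and TEMP_DIR_RE.search(path):
            return "temp_log_archive"
    return None


def triage(events):
    """Return {pid: set of indicator names} for every process that tripped at least one."""
    hits = defaultdict(set)
    for ev in events:
        indicator = classify(ev)
        if indicator:
            hits[ev["pid"]].add(indicator)
    return dict(hits)


def suspicious_pids(events, min_indicators=2):
    """Processes with enough co-occurring indicators to warrant an analyst's look."""
    return sorted(pid for pid, inds in triage(events).items() if len(inds) >= min_indicators)


# Constructed sample telemetry (hypothetical PIDs, paths and SID), roughly Sysmon-shaped.
SAMPLE_EVENTS = [
    # pid 4120: behaves like the reported sample
    {"pid": 4120, "type": "api_call", "api": "SetWindowsHookExW", "idHook": WH_KEYBOARD_LL},
    {"pid": 4120, "type": "api_call", "api": "SetWindowsHookExW", "idHook": WH_MOUSE_LL},
    {"pid": 4120, "type": "registry_set",
     "target": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"pid": 4120, "type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\DT_0004.tmp"},
    # pid 2280: a screen-reader style tool that only installs a keyboard hook
    {"pid": 2280, "type": "api_call", "api": "SetWindowsHookExW", "idHook": WH_KEYBOARD_LL},
    # pid 3300: an installer that only registers itself for autostart
    {"pid": 3300, "type": "registry_set",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent"},
    # pid 5000: a thread-local (not low-level) keyboard hook, WH_KEYBOARD = 2
    {"pid": 5000, "type": "api_call", "api": "SetWindowsHookExW", "idHook": 2},
    # pid 5000: an unrelated temp file
    {"pid": 5000, "type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\setup.log"},
]

if __name__ == "__main__":
    for pid, inds in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, sorted(inds))
    print("flagged:", suspicious_pids(SAMPLE_EVENTS))
```

On real telemetry the api_call records would come from a sandbox or an API-monitoring EDR feature, while the registry and file records map directly onto Sysmon event IDs 13 and 11; raising min_indicators to 3 trades recall for precision in noisy environments.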

Related Actors

First seen: Jul 2017
Last seen: May 2026
