File name:

1f2df2ac7dd2cd160f4cf4006168830ac9df2bbecd08ccd24a169a18154eaf01.exe

Full analysis: https://app.any.run/tasks/eea66d64-1755-4123-baaf-bc358ca090f3
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: May 28, 2026, 09:32:15
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
valleyrat
rat
silverfox
winos
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows, 7 sections
MD5:

561F363852A87A3362D842247799B6E9

SHA1:

1B1C7000F12422C3C5CEB3D477F55BC5592AB907

SHA256:

1F2DF2AC7DD2CD160F4CF4006168830AC9DF2BBECD08CCD24A169A18154EAF01

SSDEEP:

12288:oEJxiY7ZMRt6j/CxuS0SiKUWmHUpwUOAglwyZG6RjyQ6t4r4gmLxi4yoqI8t4sOY:oE7V/CxuS0SiKUWmHUpwUOAglwyZG6Rj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • VALLEYRAT has been detected (YARA)

      • TextService.exe (PID: 1420)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 1f2df2ac7dd2cd160f4cf4006168830ac9df2bbecd08ccd24a169a18154eaf01.exe (PID: 684)

    • Starts itself from another location

      • 1f2df2ac7dd2cd160f4cf4006168830ac9df2bbecd08ccd24a169a18154eaf01.exe (PID: 684)

  • INFO

    • The sample compiled with chinese language support

      • 1f2df2ac7dd2cd160f4cf4006168830ac9df2bbecd08ccd24a169a18154eaf01.exe (PID: 684)

    • Checks supported languages

      • 1f2df2ac7dd2cd160f4cf4006168830ac9df2bbecd08ccd24a169a18154eaf01.exe (PID: 684)
      • TextService.exe (PID: 1420)

    • Reads the computer name

      • 1f2df2ac7dd2cd160f4cf4006168830ac9df2bbecd08ccd24a169a18154eaf01.exe (PID: 684)
      • TextService.exe (PID: 1420)

    • Reads Environment values

      • 1f2df2ac7dd2cd160f4cf4006168830ac9df2bbecd08ccd24a169a18154eaf01.exe (PID: 684)
      • TextService.exe (PID: 1420)

    • Create files in a temporary directory

      • 1f2df2ac7dd2cd160f4cf4006168830ac9df2bbecd08ccd24a169a18154eaf01.exe (PID: 684)
      • TextService.exe (PID: 1420)

    • Reads security settings of Internet Explorer

      • 1f2df2ac7dd2cd160f4cf4006168830ac9df2bbecd08ccd24a169a18154eaf01.exe (PID: 684)
      • TextService.exe (PID: 1420)

    • Reads the machine GUID from the registry

      • 1f2df2ac7dd2cd160f4cf4006168830ac9df2bbecd08ccd24a169a18154eaf01.exe (PID: 684)
      • TextService.exe (PID: 1420)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • 1f2df2ac7dd2cd160f4cf4006168830ac9df2bbecd08ccd24a169a18154eaf01.exe (PID: 684)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ValleyRat

(PID) Process(1420) TextService.exe
C2 (1)156.234.58.194
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:09:18 05:27:07+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 84480
InitializedDataSize: 462848
UninitializedDataSize: -
EntryPoint: 0x13b5e
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.9.7.55
ProductVersionNumber: 3.9.7.55
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
CompanyName: VRS Corpration.
FileDescription: Setup
FileVersion: 3.9.7.55
InternalName: Setup.exe
LegalCopyright: Copyright (C) 2025
OriginalFileName: Setup.exe
ProductName: VRS
ProductVersion: 3.9.7.55
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
158
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 1f2df2ac7dd2cd160f4cf4006168830ac9df2bbecd08ccd24a169a18154eaf01.exe slui.exe #VALLEYRAT textservice.exe 1f2df2ac7dd2cd160f4cf4006168830ac9df2bbecd08ccd24a169a18154eaf01.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
684"C:\Users\admin\Desktop\1f2df2ac7dd2cd160f4cf4006168830ac9df2bbecd08ccd24a169a18154eaf01.exe" C:\Users\admin\Desktop\1f2df2ac7dd2cd160f4cf4006168830ac9df2bbecd08ccd24a169a18154eaf01.exe
explorer.exe
User:
admin
Company:
VRS Corpration.
Integrity Level:
HIGH
Description:
Setup
Exit code:
0
Version:
3.9.7.55
Modules
Images
c:\users\admin\desktop\1f2df2ac7dd2cd160f4cf4006168830ac9df2bbecd08ccd24a169a18154eaf01.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1420"C:\ProgramData\DESKTOP-JGLLJLD\TextService.exe" safestartC:\ProgramData\DESKTOP-JGLLJLD\TextService.exe
1f2df2ac7dd2cd160f4cf4006168830ac9df2bbecd08ccd24a169a18154eaf01.exe
User:
admin
Company:
VRS Corpration.
Integrity Level:
HIGH
Description:
Setup
Version:
3.9.7.55
Modules
Images
c:\programdata\desktop-jglljld\textservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
ValleyRat
(PID) Process(1420) TextService.exe
C2 (1)156.234.58.194
2428C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7888"C:\Users\admin\Desktop\1f2df2ac7dd2cd160f4cf4006168830ac9df2bbecd08ccd24a169a18154eaf01.exe" C:\Users\admin\Desktop\1f2df2ac7dd2cd160f4cf4006168830ac9df2bbecd08ccd24a169a18154eaf01.exeexplorer.exe
User:
admin
Company:
VRS Corpration.
Integrity Level:
MEDIUM
Description:
Setup
Exit code:
3221226540
Version:
3.9.7.55
Modules
Images
c:\users\admin\desktop\1f2df2ac7dd2cd160f4cf4006168830ac9df2bbecd08ccd24a169a18154eaf01.exe
c:\windows\system32\ntdll.dll
Total events
12 262
Read events
12 261
Write events
1
Delete events
0

Modification events

(PID) Process:(2428) slui.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:writeName:@%SystemRoot%\System32\sppcomapi.dll,-3200
Value:
Software Licensing
Executable files
1
Suspicious files
0
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
6841f2df2ac7dd2cd160f4cf4006168830ac9df2bbecd08ccd24a169a18154eaf01.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2sg3acgh.ema.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6841f2df2ac7dd2cd160f4cf4006168830ac9df2bbecd08ccd24a169a18154eaf01.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_myg5wcal.4a3.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6841f2df2ac7dd2cd160f4cf4006168830ac9df2bbecd08ccd24a169a18154eaf01.exeC:\ProgramData\DESKTOP-JGLLJLD\TextService.exeexecutable
MD5:561F363852A87A3362D842247799B6E9
SHA256:1F2DF2AC7DD2CD160F4CF4006168830AC9DF2BBECD08CCD24A169A18154EAF01
1420TextService.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_e1hgqmb0.cco.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1420TextService.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ci5tsmi2.kbi.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
71
TCP/UDP connections
56
DNS requests
18
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5276
MoUsoCoreWorker.exe
GET
304
48.209.133.15:443
https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30
US
whitelisted
8532
svchost.exe
GET
200
48.209.133.15:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.3758&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4
US
text
3.41 Kb
whitelisted
8532
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
9108
svchost.exe
POST
200
40.126.53.21:443
https://login.live.com/RST2.srf
US
xml
1.24 Kb
whitelisted
POST
400
40.126.53.21:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
204 b
whitelisted
POST
400
40.126.53.21:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
204 b
whitelisted
9108
svchost.exe
POST
400
20.190.160.130:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
204 b
whitelisted
POST
400
40.126.53.21:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
204 b
whitelisted
POST
400
40.126.53.21:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
204 b
whitelisted
9108
svchost.exe
POST
400
20.190.160.130:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
204 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5276
MoUsoCoreWorker.exe
48.209.133.15:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
8332
slui.exe
48.192.1.65:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
8532
svchost.exe
48.209.133.15:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2.23.227.208:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
8532
svchost.exe
2.16.168.124:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
8532
svchost.exe
2.23.246.101:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
5276
MoUsoCoreWorker.exe
57.153.246.3:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
8532
svchost.exe
57.153.246.3:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted
www.bing.com
  • 2.23.227.208
  • 2.23.227.215
whitelisted
google.com
  • 142.250.154.139
  • 142.250.154.138
  • 142.250.154.102
  • 142.250.154.113
  • 142.250.154.101
  • 142.250.154.100
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
  • 23.216.77.33
  • 23.216.77.11
  • 23.216.77.32
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 88.221.169.152
whitelisted
settings-win.data.microsoft.com
  • 57.153.246.3
  • 48.209.6.48
whitelisted
login.live.com
  • 20.190.160.130
  • 40.126.32.72
  • 40.126.32.136
  • 20.190.160.65
  • 40.126.32.140
  • 20.190.160.4
  • 20.190.160.5
  • 40.126.32.133
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 135.232.92.137
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 135.233.95.135
whitelisted

Threats

PID
Process
Class
Message
8532
svchost.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
1f2df2ac7dd2cd160f4cf4006168830ac9df2bbecd08ccd24a169a18154eaf01.exe