File name:

2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe

Full analysis: https://app.any.run/tasks/8167b43d-4e2f-4c01-bb80-416ea8d664b1
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: April 17, 2026, 06:16:08
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
payload
snowlight
dropper
websocket
vshell
rat
golang
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 11 sections
MD5:

A58541C14575DE767F79F89078AAD137

SHA1:

1FDC7B096EBEC1FB01C9A82B5AFF3C92DB397046

SHA256:

2D45E68676A7A14A1F9D991FCE14F177900EDA266626C5C7FB1C3EFD8C3DB0E9

SSDEEP:

384:hcKcIMo49O8iGO+9m72S2fChlpsJ1vWFDWg8E:5pu9OcO+9m72w3Ndp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • SNOWLIGHT has been detected (SURICATA)

      • 2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe (PID: 2760)

    • VSHELL has been detected (SURICATA)

      • 2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe (PID: 2760)

  • SUSPICIOUS

    • Contacting a server suspected of hosting an CnC

      • 2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe (PID: 2760)

  • INFO

    • Reads the computer name

      • 2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe (PID: 2760)

    • The sample compiled with english language support

      • 2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe (PID: 2760)

    • Checks supported languages

      • 2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe (PID: 2760)

    • Detects GO elliptic curve encryption (YARA)

      • 2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe (PID: 2760)

    • There is functionality for taking screenshot (YARA)

      • 2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe (PID: 2760)

    • Application based on Golang

      • 2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe (PID: 2760)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2026:04:14 06:37:12+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.39
CodeSize: 9216
InitializedDataSize: 21504
UninitializedDataSize: 512
EntryPoint: 0x13f0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
FileVersionNumber: 10.0.19041.1
ProductVersionNumber: 10.0.19041.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Windows Update Service
FileVersion: 10.0.19041.1
InternalName: wusvc.exe
LegalCopyright: ?Microsoft Corporation. All rights reserved.
OriginalFileName: wusvc.exe
ProductName: Microsoft Windows Operating System
ProductVersion: 10.0.19041.1
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
121
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #VSHELL 2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe conhost.exe no specs 2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1624"C:\Users\admin\Downloads\2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe" C:\Users\admin\Downloads\2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Update Service
Exit code:
3221226540
Version:
10.0.19041.1
Modules
Images
c:\users\admin\downloads\2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe
c:\windows\system32\ntdll.dll
2760"C:\Users\admin\Downloads\2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe" C:\Users\admin\Downloads\2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Update Service
Version:
10.0.19041.1
Modules
Images
c:\users\admin\downloads\2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3360\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
Total events
214
Read events
214
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
20
TCP/UDP connections
16
DNS requests
9
Threats
14

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6924
svchost.exe
HEAD
200
23.197.142.186:443
https://fs.microsoft.com/fs/windows/config.json
US
whitelisted
2760
2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe
GET
200
38.60.253.35:8084
http://38.60.253.35:8084/?a=w64&h=38.60.253.35&t=ws_&p=8084
HK
binary
4.92 Mb
malicious
2760
2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe
GET
101
38.60.253.35:8084
http://38.60.253.35:8084/
HK
malicious
2760
2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe
GET
101
38.60.253.35:8084
http://38.60.253.35:8084/
HK
malicious
2760
2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe
GET
101
38.60.253.35:8084
http://38.60.253.35:8084/
HK
malicious
6856
svchost.exe
GET
304
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6e1c9025b5d47cc7
US
unknown
6856
svchost.exe
POST
200
40.126.32.74:443
https://login.live.com/RST2.srf
US
xml
11.1 Kb
whitelisted
6856
svchost.exe
GET
200
23.11.40.157:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D
NL
binary
471 b
whitelisted
3248
svchost.exe
GET
200
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9cdd51de29b2e5d0
US
compressed
71.5 Kb
unknown
3248
svchost.exe
GET
304
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?13493b395631d4e5
US
compressed
71.5 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1380
svchost.exe
23.55.161.155:80
AKAMAI-ASN1
NL
whitelisted
2760
2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe
38.60.253.35:8084
KAOPU-HK Kaopu Cloud HK Limited
HK
malicious
6856
svchost.exe
40.126.32.74:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6856
svchost.exe
199.232.214.172:80
ctldl.windowsupdate.com
FASTLY
US
whitelisted
6856
svchost.exe
23.11.40.157:80
ocsp.digicert.com
AKAMAI-AMS
NL
whitelisted
3248
svchost.exe
199.232.214.172:80
ctldl.windowsupdate.com
FASTLY
US
whitelisted
1380
svchost.exe
23.55.161.164:80
AKAMAI-ASN1
NL
whitelisted
3876
svchost.exe
239.255.255.250:1900
whitelisted
6924
svchost.exe
23.197.142.186:443
fs.microsoft.com
AKAMAI-AS
US
whitelisted
3248
svchost.exe
199.232.210.172:80
ctldl.windowsupdate.com
FASTLY
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.251.127.100
  • 142.251.127.101
  • 142.251.127.102
  • 142.251.127.113
  • 142.251.127.139
  • 142.251.127.138
whitelisted
login.live.com
  • 40.126.32.74
  • 20.190.160.3
  • 40.126.32.133
  • 40.126.32.72
  • 20.190.160.64
  • 20.190.160.14
  • 40.126.32.136
  • 40.126.32.68
whitelisted
ctldl.windowsupdate.com
  • 199.232.214.172
  • 199.232.210.172
whitelisted
ocsp.digicert.com
  • 23.11.40.157
whitelisted
dns.msftncsi.com
  • 131.107.255.255
whitelisted
fs.microsoft.com
  • 23.197.142.186
whitelisted
self.events.data.microsoft.com
  • 20.42.73.28
whitelisted

Threats

PID
Process
Class
Message
2760
2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe
Potentially Bad Traffic
PAYLOAD [ANY.RUN] XORed Windows executable has been loaded
2760
2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe
A Network Trojan was detected
ET MALWARE SNOWLIGHT C2 HTTP Requests
2760
2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe
Not Suspicious Traffic
INFO [ANY.RUN] Websocket Upgrade Request
2760
2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] VShell RAT CnC connection established
2760
2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe
Not Suspicious Traffic
INFO [ANY.RUN] Websocket Upgrade Request
2760
2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe
Not Suspicious Traffic
INFO [ANY.RUN] Websocket Upgrade Request
2760
2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] VShell RAT CnC connection established
2760
2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] VShell RAT CnC connection established
2760
2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe
Misc activity
HUNTING [ANY.RUN] TCP binary protocol 32-LE data-len prefix on non-standard port inbound
1380
svchost.exe
Misc activity
ET INFO Microsoft Connection Test
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2d45e68676a7a14a1f9d991fce14f177900eda266626c5c7fb1c3efd8c3db0e9.exe