Malware analysis OneDriveSetup.exe Malicious activity

Add for printing

File name:	OneDriveSetup.exe
Full analysis:	https://app.any.run/tasks/b79d9368-d4ba-4e83-8d72-d4b527f5159d
Verdict:	Malicious activity
Threats:	A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. ValleyRAT is a classic remote access trojan first documented in 2023, targeting mainly Windows systems. It is used by threat actors to gain persistent access to infected devices, steal data, and control compromised machines. ValleyRAT is notable for its relatively advanced evasion techniques and its connections to a prominent Chinese APT group. Malware Trends Tracker >>>
Analysis date:	April 13, 2025, 15:42:58
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	silverfox backdoor valleyrat winos rat websocket
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5:	A660CAAF7011A3AD1C057F43D481A4D9
SHA1:	EC04C2059E2AE95204A168238A786A97B27ACD12
SHA256:	2D5D5D3B215EFB94E74AA3F719E35F75D41F52B725BC06EA89EE8C5D1910570B
SSDEEP:	786432:82fCy0mcfj0zwiOjnYwS4Ni5KZuIj88hO0lPyg9umUUy:82fCyFcfj0/OjLSgi5KZum8EO079umo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- UAC/LUA settings modification
  - reg.exe (PID: 5552)
- SILVERFOX has been detected (SURICATA)
  - Agghosts.exe (PID: 5112)
- Connects to the CnC server
  - Agghosts.exe (PID: 5112)
- Script downloads file (POWERSHELL)
  - powershell.exe (PID: 7048)
- Changes the autorun value in the registry
  - reg.exe (PID: 5256)
  - LetsPRO.exe (PID: 4572)
- VALLEYRAT has been detected
  - Agghosts.exe (PID: 5112)
- WINOS has been detected (YARA)
  - Agghosts.exe (PID: 5112)
- VALLEYRAT has been detected (YARA)
  - Agghosts.exe (PID: 5112)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 5512)
- Changes powershell execution policy (Bypass)
  - bin.exe (PID: 6752)
SUSPICIOUS
- Reads the date of Windows installation
  - OneDriveSetup.exe (PID: 1020)
  - OneDriveSetup.exe (PID: 5892)
- Process drops legitimate windows executable
  - OneDriveSetup.exe (PID: 1020)
  - bin.exe (PID: 6752)
- Reads security settings of Internet Explorer
  - OneDriveSetup.exe (PID: 1020)
  - OneDriveSetup.exe (PID: 5892)
  - ShellExperienceHost.exe (PID: 5756)
  - tapinstall.exe (PID: 4892)
  - LetsPRO.exe (PID: 4572)
- Starts a Microsoft application from unusual location
  - OneDriveSetup.exe (PID: 1020)
  - OneDriveSetup.exe (PID: 5892)
- Application launched itself
  - OneDriveSetup.exe (PID: 1020)
- Executable content was dropped or overwritten
  - OneDriveSetup.exe (PID: 5892)
  - powershell.exe (PID: 7048)
  - bin.exe (PID: 6752)
  - drvinst.exe (PID: 6944)
  - tapinstall.exe (PID: 4892)
  - drvinst.exe (PID: 2416)
- Reads Microsoft Outlook installation path
  - HelpPane.exe (PID: 4208)
- Probably download files using WebClient
  - cmd.exe (PID: 5504)
- Starts CMD.EXE for commands execution
  - OneDriveSetup.exe (PID: 5892)
  - bin.exe (PID: 6752)
  - LetsPRO.exe (PID: 4572)
- Executing commands from a ".bat" file
  - OneDriveSetup.exe (PID: 5892)
- Likely accesses (executes) a file from the Public directory
  - cmd.exe (PID: 5504)
  - cmd.exe (PID: 5608)
  - powershell.exe (PID: 7048)
  - Agghosts.exe (PID: 5112)
  - bin.exe (PID: 6752)
- Starts application with an unusual extension
  - cmd.exe (PID: 5504)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 5608)
  - OneDriveSetup.exe (PID: 5892)
- Connects to unusual port
  - Agghosts.exe (PID: 5112)
- Contacting a server suspected of hosting an CnC
  - Agghosts.exe (PID: 5112)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 5504)
  - bin.exe (PID: 6752)
- The process creates files with name similar to system file names
  - bin.exe (PID: 6752)
- Malware-specific behavior (creating "System.dll" in Temp)
  - bin.exe (PID: 6752)
- There is functionality for taking screenshot (YARA)
  - Agghosts.exe (PID: 5112)
  - bin.exe (PID: 6752)
- Drops a system driver (possible attempt to evade defenses)
  - bin.exe (PID: 6752)
  - drvinst.exe (PID: 6944)
  - tapinstall.exe (PID: 4892)
  - drvinst.exe (PID: 2416)
- The process executes Powershell scripts
  - bin.exe (PID: 6752)
- Creates files in the driver directory
  - drvinst.exe (PID: 6944)
  - drvinst.exe (PID: 2416)
- Creates or modifies Windows services
  - drvinst.exe (PID: 2416)
- Uses NETSH.EXE to delete a firewall rule or allowed programs
  - cmd.exe (PID: 928)
  - cmd.exe (PID: 2852)
  - cmd.exe (PID: 5452)
  - cmd.exe (PID: 2772)
  - cmd.exe (PID: 5552)
- Creates a software uninstall entry
  - bin.exe (PID: 6752)
- Process uses IPCONFIG to discover network configuration
  - cmd.exe (PID: 4696)
- Executes as Windows Service
  - WmiApSrv.exe (PID: 7640)
- Adds/modifies Windows certificates
  - LetsPRO.exe (PID: 4572)
- The process checks if it is being run in the virtual environment
  - LetsPRO.exe (PID: 4572)
- Suspicious use of NETSH.EXE
  - LetsPRO.exe (PID: 4572)
- Process uses ARP to discover network configuration
  - cmd.exe (PID: 7460)
- Uses ROUTE.EXE to obtain the routing table information
  - cmd.exe (PID: 7340)
INFO
- Reads the computer name
  - OneDriveSetup.exe (PID: 1020)
  - OneDriveSetup.exe (PID: 5892)
  - ShellExperienceHost.exe (PID: 5756)
  - Agghosts.exe (PID: 5112)
  - bin.exe (PID: 6752)
  - tapinstall.exe (PID: 4892)
  - drvinst.exe (PID: 6944)
  - drvinst.exe (PID: 2416)
  - LetsPRO.exe (PID: 3332)
  - LetsPRO.exe (PID: 4572)
- The sample compiled with english language support
  - OneDriveSetup.exe (PID: 1020)
  - powershell.exe (PID: 7048)
  - bin.exe (PID: 6752)
  - tapinstall.exe (PID: 4892)
  - drvinst.exe (PID: 6944)
  - drvinst.exe (PID: 2416)
- Checks supported languages
  - OneDriveSetup.exe (PID: 1020)
  - OneDriveSetup.exe (PID: 5892)
  - chcp.com (PID: 6744)
  - Agghosts.exe (PID: 5112)
  - ShellExperienceHost.exe (PID: 5756)
  - bin.exe (PID: 6752)
  - tapinstall.exe (PID: 5680)
  - tapinstall.exe (PID: 4892)
  - drvinst.exe (PID: 6944)
  - tapinstall.exe (PID: 5800)
  - drvinst.exe (PID: 2416)
  - LetsPRO.exe (PID: 5324)
  - LetsPRO.exe (PID: 3332)
  - LetsPRO.exe (PID: 2332)
  - LetsPRO.exe (PID: 4572)
- Process checks computer location settings
  - OneDriveSetup.exe (PID: 1020)
  - OneDriveSetup.exe (PID: 5892)
- Reads the machine GUID from the registry
  - OneDriveSetup.exe (PID: 5892)
  - tapinstall.exe (PID: 4892)
  - drvinst.exe (PID: 6944)
  - LetsPRO.exe (PID: 3332)
  - LetsPRO.exe (PID: 4572)
- Checks proxy server information
  - OneDriveSetup.exe (PID: 5892)
  - HelpPane.exe (PID: 4208)
  - powershell.exe (PID: 7048)
  - LetsPRO.exe (PID: 4572)
  - slui.exe (PID: 2064)
- Reads the software policy settings
  - OneDriveSetup.exe (PID: 5892)
  - tapinstall.exe (PID: 4892)
  - drvinst.exe (PID: 6944)
  - LetsPRO.exe (PID: 4572)
  - slui.exe (PID: 2064)
- Creates files in the program directory
  - OneDriveSetup.exe (PID: 5892)
  - bin.exe (PID: 6752)
  - LetsPRO.exe (PID: 4572)
  - LetsPRO.exe (PID: 3332)
- Creates files or folders in the user directory
  - OneDriveSetup.exe (PID: 5892)
  - bin.exe (PID: 6752)
  - LetsPRO.exe (PID: 4572)
- The sample compiled with chinese language support
  - OneDriveSetup.exe (PID: 5892)
- Reads security settings of Internet Explorer
  - HelpPane.exe (PID: 4208)
- Changes the display of characters in the console
  - cmd.exe (PID: 5504)
- Disables trace logs
  - powershell.exe (PID: 7048)
  - LetsPRO.exe (PID: 4572)
  - netsh.exe (PID: 7748)
- Reads Environment values
  - Agghosts.exe (PID: 5112)
- Reads product name
  - Agghosts.exe (PID: 5112)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 5512)
- Create files in a temporary directory
  - bin.exe (PID: 6752)
  - tapinstall.exe (PID: 4892)
  - LetsPRO.exe (PID: 4572)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 5512)
  - LetsPRO.exe (PID: 4572)
- Reads Windows Product ID
  - LetsPRO.exe (PID: 4572)
- Reads the time zone
  - LetsPRO.exe (PID: 4572)
- Reads CPU info
  - LetsPRO.exe (PID: 4572)
- Prints a route via ROUTE.EXE
  - ROUTE.EXE (PID: 7404)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2009:12:05 07:29:41+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.33
CodeSize:	3451904
InitializedDataSize:	80162816
UninitializedDataSize:	-
EntryPoint:	0x1eca60
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	25.5.112.3
ProductVersionNumber:	25.5.112.3
FileFlagsMask:	0x003f
FileFlags:	Special build
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Microsoft OneDrive (64 bit) Setup
InternalName:	OneDriveSetup.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	OneDriveSetup.exe
ProductName:	Microsoft OneDrive
FileVersion:	25.005.0112.0003
ProductVersion:	25.005.0112.0003
SpecialBuild:	b/build/5b5eba1c-4d84-82ed-887a-8783299e9892

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

195

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

616

netsh advfirewall firewall Delete rule name=lets.exe

C:\Windows\SysWOW64\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll

632

ipconfig /all

C:\Windows\SysWOW64\ipconfig.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

IP Configuration Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

928

cmd /c netsh advfirewall firewall Delete rule name=LetsPRO

C:\Windows\SysWOW64\cmd.exe

—

bin.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

1004

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

tapinstall.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1020

"C:\Users\admin\AppData\Local\Temp\OneDriveSetup.exe"

C:\Users\admin\AppData\Local\Temp\OneDriveSetup.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft OneDrive (64 bit) Setup

Exit code:

Version:

25.005.0112.0003

Modules

Images
c:\users\admin\appdata\local\temp\onedrivesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\wer.dll

1128

netsh advfirewall firewall Delete rule name=lets

C:\Windows\SysWOW64\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll

1300

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1388

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1616

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2064

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

Add for printing

Total events

69 693

Read events

69 480

Write events

186

Delete events

Modification events


(PID) Process:	(4208) HelpPane.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Assistance\Client\1.0\Settings
Operation:	write	Name:	IsConnected
Value: 0
(PID) Process:	(4208) HelpPane.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:	write	Name:	LastUpdate
Value: 9BDBFB6700000000
(PID) Process:	(4208) HelpPane.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Assistance\Client\1.0\Settings
Operation:	write	Name:	UseLanguageAlternative
Value: 0
(PID) Process:	(5552) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:	write	Name:	EnableLUA
Value: 0
(PID) Process:	(5892) OneDriveSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(4208) HelpPane.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Assistance\Client\1.0\Settings
Operation:	write	Name:	PositionX
Value: 640
(PID) Process:	(4208) HelpPane.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Assistance\Client\1.0\Settings
Operation:	write	Name:	PositionY
Value: 0
(PID) Process:	(4208) HelpPane.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Assistance\Client\1.0\Settings
Operation:	write	Name:	Width
Value: 640
(PID) Process:	(4208) HelpPane.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Assistance\Client\1.0\Settings
Operation:	write	Name:	Height
Value: 680
(PID) Process:	(4208) HelpPane.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation:	delete value	Name:	AddToFavoritesInitialSelection
Value:

Add for printing

Executable files

230

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5892	OneDriveSetup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B		binary
		MD5:7B8C6FC98CBEB9663B727D8F72B27B10	SHA256:403D719A6BCB73D41B79913EE21EF552D03E29BBF83C1FC997546D4C90011145
5892	OneDriveSetup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_B61787FC97076953648C0EB49701A470		binary
		MD5:6DCE4A317D57771C95AA2AFB0BF338BB	SHA256:467C414CB3A9FBD92B6B9E1CA0FE7027240C1680E2496AC1B5D5AD88DB89A01D
5892	OneDriveSetup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3		binary
		MD5:C21B7AA445CCB9839C7D11AD12979625	SHA256:6B8EAF3ECF01A7ADF066AF6E8B7E2603351AAB8BB5A090D074F1DA5E9F0AB9A6
5892	OneDriveSetup.exe	C:\Users\Public\Downloads\20250413044316\fhq.bat		text
		MD5:3A7CB580BD340505F6DC5B4C829A3ECA	SHA256:1C1528B546AA29BE6614707CBE408CB4B46E8ED05BF3FE6B388B9F22A4EE37E2
5892	OneDriveSetup.exe	C:\Users\Public\Downloads\20250413044316\hjk.txt		binary
		MD5:DC2546FBFF3AEC1245F9A4D611C9F759	SHA256:B7C8D25259BFC25B43427D31C25603037C039BBF9E76116D52759BA681499C3A
5892	OneDriveSetup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B		binary
		MD5:86F6A12F8669FCB796D0AD462623568A	SHA256:CBA00746A915DCA277D84B06F12F4123EFC2B90BB273599EE240D16DD24B0C5F
5892	OneDriveSetup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_B61787FC97076953648C0EB49701A470		binary
		MD5:805DDFB7481D570E1213AB90BED3C34D	SHA256:A0C5AAEE3AF453B5E8B5736A1275B106C865FEFBE72BE8B6F6F6C647531E6C14
5892	OneDriveSetup.exe	C:\Users\Public\Downloads\20250413044316\1.bat		text
		MD5:FA42EBB1071ABC0E618C296EA2CF71A6	SHA256:395F835731D25803A791DB984062DD5CFDCADE6F95CC5D0F68D359AF32F6258D
7048	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ytk5reja.icc.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5892	OneDriveSetup.exe	C:\Users\Public\Music\20250413044316\libcef.dll		executable
		MD5:E94D0F5AB6FBC8C23E108752C9C34A7C	SHA256:60CFD485B51E6F6030CB79F795E044CD7CA11BC50454C27A6AD984F4A70C56EB

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5892	OneDriveSetup.exe	GET	200	104.18.20.226:80	http://ocsp.globalsign.com/rootr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDQHuXxad%2F5c1K2Rl1mo%3D	unknown	—	—	whitelisted
5892	OneDriveSetup.exe	GET	200	104.18.20.226:80	http://ocsp2.globalsign.com/rootr3/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCDQHuXyId%2FGI71DM6hVc%3D	unknown	—	—	whitelisted
5892	OneDriveSetup.exe	GET	200	104.18.20.226:80	http://ocsp.globalsign.com/gsrsaovsslca2018/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBRrcGT%2BanRD3C1tW3nsrKeuXC7DPwQU%2BO9%2F8s14Z6jeb48kjYjxhwMCs%2BsCDGwX%2B2JpjBdn5c2tPQ%3D%3D	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	23.32.238.34:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5892	OneDriveSetup.exe	GET	—	103.235.46.115:80	http://www.baidu.com/	unknown	—	—	whitelisted
4164	SIHClient.exe	GET	200	2.16.253.202:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
4164	SIHClient.exe	GET	200	2.16.253.202:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
4572	LetsPRO.exe	GET	101	3.1.28.160:80	http://ws-ap1.pusher.com/app/4fc436ef36f4026102d7?protocol=5&client=pusher-dotnet-client&version=1.1.2	unknown	—	—	whitelisted
4572	LetsPRO.exe	GET	200	104.18.20.226:80	http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgOhtwj4VKsGchDZBEc%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5496	MoUsoCoreWorker.exe	23.32.238.34:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
5892	OneDriveSetup.exe	43.132.105.214:443	aa-1348336590.cos.ap-hongkong.myqcloud.com	Tencent Building, Kejizhongyi Avenue	HK	whitelisted
5892	OneDriveSetup.exe	104.18.20.226:80	ocsp.globalsign.com	CLOUDFLARENET	—	whitelisted
6544	svchost.exe	20.190.159.75:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6544	svchost.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2	whitelisted
google.com	142.250.186.142	whitelisted
crl.microsoft.com	23.32.238.34 2.19.198.194	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
aa-1348336590.cos.ap-hongkong.myqcloud.com	43.132.105.214	whitelisted
ocsp.globalsign.com	104.18.20.226 104.18.21.226	whitelisted
ocsp2.globalsign.com	104.18.20.226 104.18.21.226	whitelisted
login.live.com	20.190.159.75 40.126.31.131 40.126.31.129 20.190.159.129 20.190.159.71 40.126.31.128 20.190.159.128 20.190.159.131 20.190.160.131 40.126.32.133 40.126.32.76 40.126.32.134 20.190.160.5 20.190.160.64 20.190.160.20 40.126.32.74	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
www.baidu.com	103.235.46.115 103.235.46.102	whitelisted

Threats

PID	Process	Class	Message
2196	svchost.exe	Misc activity	ET INFO Tencent Cloud Storage Domain in DNS Lookup (myqcloud .com)
5892	OneDriveSetup.exe	Misc activity	ET INFO Observed Tencent Cloud Storage Domain (myqcloud .com in TLS SNI)
5112	Agghosts.exe	Malware Command and Control Activity Detected	ET MALWARE Winos4.0 Framework CnC Login Message
5112	Agghosts.exe	Malware Command and Control Activity Detected	BACKDOOR [ANY.RUN] SilverFox TCP Init Packet
5112	Agghosts.exe	Malware Command and Control Activity Detected	ET MALWARE Winos4.0 Framework CnC Login Message CnC Server Response
5112	Agghosts.exe	Malware Command and Control Activity Detected	BACKDOOR [ANY.RUN] SilverFox Encrypted Client Packet
7048	powershell.exe	Misc activity	ET INFO Observed Tencent Cloud Storage Domain (myqcloud .com in TLS SNI)
5112	Agghosts.exe	Malware Command and Control Activity Detected	BACKDOOR [ANY.RUN] SilverFox Keep-Alive Client Packet
5112	Agghosts.exe	Malware Command and Control Activity Detected	BACKDOOR [ANY.RUN] SilverFox Keep-Alive Client Packet
5112	Agghosts.exe	Malware Command and Control Activity Detected	BACKDOOR [ANY.RUN] SilverFox Keep-Alive Client Packet

Add for printing

No debug info

General Info

OneDriveSetup.exe

A660CAAF7011A3AD1C057F43D481A4D9

EC04C2059E2AE95204A168238A786A97B27ACD12

2D5D5D3B215EFB94E74AA3F719E35F75D41F52B725BC06EA89EE8C5D1910570B

786432:82fCy0mcfj0zwiOjnYwS4Ni5KZuIj88hO0lPyg9umUUy:82fCyFcfj0/OjLSgi5KZum8EO079umo

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

UAC/LUA settings modification

SILVERFOX has been detected (SURICATA)

Connects to the CnC server

Script downloads file (POWERSHELL)

Changes the autorun value in the registry

VALLEYRAT has been detected

WINOS has been detected (YARA)

VALLEYRAT has been detected (YARA)

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

SUSPICIOUS

Reads the date of Windows installation

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Starts a Microsoft application from unusual location

Application launched itself

Executable content was dropped or overwritten

Reads Microsoft Outlook installation path

Probably download files using WebClient

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Likely accesses (executes) a file from the Public directory

Starts application with an unusual extension

Uses REG/REGEDIT.EXE to modify registry

Connects to unusual port

Contacting a server suspected of hosting an CnC

Starts POWERSHELL.EXE for commands execution

The process creates files with name similar to system file names

Malware-specific behavior (creating "System.dll" in Temp)

There is functionality for taking screenshot (YARA)

Drops a system driver (possible attempt to evade defenses)

The process executes Powershell scripts

Creates files in the driver directory

Creates or modifies Windows services

Uses NETSH.EXE to delete a firewall rule or allowed programs

Creates a software uninstall entry

Process uses IPCONFIG to discover network configuration

Executes as Windows Service

Adds/modifies Windows certificates

The process checks if it is being run in the virtual environment

Suspicious use of NETSH.EXE

Process uses ARP to discover network configuration

Uses ROUTE.EXE to obtain the routing table information

INFO

Reads the computer name

The sample compiled with english language support

Checks supported languages

Process checks computer location settings

Reads the machine GUID from the registry

Checks proxy server information

Reads the software policy settings

Creates files in the program directory

Creates files or folders in the user directory

The sample compiled with chinese language support

Reads security settings of Internet Explorer

Changes the display of characters in the console

Disables trace logs

Reads Environment values

Reads product name

Script raised an exception (POWERSHELL)

Create files in a temporary directory

Checks if a key exists in the options dictionary (POWERSHELL)

Reads Windows Product ID

Reads the time zone

Reads CPU info

Prints a route via ROUTE.EXE

Malware configuration

Static information