File name:

47040b942f874d377548c8743b8a4e443d4f281c29af2d23d670e0ccf9b6ea2e

Full analysis: https://app.any.run/tasks/11eec3ef-c5ce-461a-a4ed-a86a1db08b38
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Analysis date: April 29, 2025, 04:26:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
payload
silverfox
backdoor
loader
auto-reg
valleyrat
winos
rat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5:

13A3A9E06440F78E8911045EC5CADEE0

SHA1:

213DEC2BE8945D3130358E5D88F08874BF2B100B

SHA256:

47040B942F874D377548C8743B8A4E443D4F281C29AF2D23D670E0CCF9B6EA2E

SSDEEP:

98304:w9Cr0Sq1+v6TBVnjMcucYd5oolKjudCpeBtbcScJYRzkOvgYhFxfO0v9lXtaxSot:9jw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Runs injected code in another process

      • 47040b942f874d377548c8743b8a4e443d4f281c29af2d23d670e0ccf9b6ea2e.exe (PID: 6388)
    • Application was injected by another process

      • explorer.exe (PID: 5492)
    • Executing a file with an untrusted certificate

      • 47040b942f874d377548c8743b8a4e443d4f281c29af2d23d670e0ccf9b6ea2e.exe (PID: 6388)
    • Connects to the CnC server

      • explorer.exe (PID: 5492)
      • explorer.exe (PID: 2564)
      • explorer.exe (PID: 1812)
      • explorer.exe (PID: 3100)
    • SILVERFOX has been detected (SURICATA)

      • explorer.exe (PID: 5492)
      • explorer.exe (PID: 2564)
      • explorer.exe (PID: 1812)
      • explorer.exe (PID: 3100)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 5492)
      • explorer.exe (PID: 2564)
      • explorer.exe (PID: 1812)
    • VALLEYRAT has been detected (YARA)

      • explorer.exe (PID: 1812)
      • explorer.exe (PID: 3100)
    • WINOS has been detected (YARA)

      • explorer.exe (PID: 1812)
      • explorer.exe (PID: 3100)
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • 47040b942f874d377548c8743b8a4e443d4f281c29af2d23d670e0ccf9b6ea2e.exe (PID: 6388)
      • explorer.exe (PID: 1812)
      • explorer.exe (PID: 3100)
    • Connects to unusual port

      • explorer.exe (PID: 5492)
      • explorer.exe (PID: 2564)
      • explorer.exe (PID: 1812)
      • explorer.exe (PID: 3100)
    • Process requests binary or script from the Internet

      • explorer.exe (PID: 5492)
      • explorer.exe (PID: 2564)
      • explorer.exe (PID: 1812)
      • explorer.exe (PID: 3100)
    • Connects to the server without a host name

      • explorer.exe (PID: 5492)
      • explorer.exe (PID: 2564)
      • explorer.exe (PID: 1812)
      • explorer.exe (PID: 3100)
    • Searches for installed software

      • explorer.exe (PID: 5492)
      • explorer.exe (PID: 2564)
      • explorer.exe (PID: 1812)
      • explorer.exe (PID: 3100)
    • Potential Corporate Privacy Violation

      • explorer.exe (PID: 5492)
      • explorer.exe (PID: 2564)
      • explorer.exe (PID: 1812)
      • explorer.exe (PID: 3100)
    • Process drops legitimate windows executable

      • explorer.exe (PID: 5492)
      • explorer.exe (PID: 2564)
      • explorer.exe (PID: 1812)
    • Executable content was dropped or overwritten

      • explorer.exe (PID: 5492)
      • explorer.exe (PID: 2564)
      • explorer.exe (PID: 1812)
    • The process drops C-runtime libraries

      • explorer.exe (PID: 5492)
      • explorer.exe (PID: 2564)
      • explorer.exe (PID: 1812)
    • Contacting a server suspected of hosting an CnC

      • explorer.exe (PID: 5492)
      • explorer.exe (PID: 2564)
      • explorer.exe (PID: 1812)
      • explorer.exe (PID: 3100)
    • Reads the date of Windows installation

      • BpyoMZ.exe (PID: 300)
      • o1KvuM.exe (PID: 736)
      • kcMWh5.exe (PID: 5352)
    • The process verifies whether the antivirus software is installed

      • explorer.exe (PID: 5492)
      • explorer.exe (PID: 2564)
      • explorer.exe (PID: 1812)
    • Reads security settings of Internet Explorer

      • BpyoMZ.exe (PID: 300)
      • o1KvuM.exe (PID: 736)
      • kcMWh5.exe (PID: 5352)
  • INFO

    • Checks supported languages

      • 47040b942f874d377548c8743b8a4e443d4f281c29af2d23d670e0ccf9b6ea2e.exe (PID: 6388)
      • BpyoMZ.exe (PID: 300)
      • DingTalk.exe (PID: 6040)
      • o1KvuM.exe (PID: 736)
      • DingTalk.exe (PID: 3332)
      • kcMWh5.exe (PID: 5352)
      • DingTalk.exe (PID: 5048)
    • Creates files in the program directory

      • explorer.exe (PID: 5492)
      • DingTalk.exe (PID: 6040)
      • explorer.exe (PID: 2564)
      • explorer.exe (PID: 1812)
      • explorer.exe (PID: 3100)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5492)
      • explorer.exe (PID: 2564)
      • explorer.exe (PID: 1812)
      • explorer.exe (PID: 3100)
    • Checks proxy server information

      • explorer.exe (PID: 5492)
      • explorer.exe (PID: 2564)
      • explorer.exe (PID: 1812)
      • slui.exe (PID: 6372)
      • explorer.exe (PID: 3100)
    • The sample compiled with english language support

      • explorer.exe (PID: 5492)
      • explorer.exe (PID: 2564)
      • explorer.exe (PID: 1812)
    • Auto-launch of the file from Registry key

      • explorer.exe (PID: 5492)
      • explorer.exe (PID: 2564)
      • explorer.exe (PID: 1812)
    • Reads the computer name

      • BpyoMZ.exe (PID: 300)
      • DingTalk.exe (PID: 6040)
      • DingTalk.exe (PID: 3332)
      • o1KvuM.exe (PID: 736)
      • kcMWh5.exe (PID: 5352)
      • DingTalk.exe (PID: 5048)
    • Process checks computer location settings

      • BpyoMZ.exe (PID: 300)
      • o1KvuM.exe (PID: 736)
      • kcMWh5.exe (PID: 5352)
    • Reads Environment values

      • DingTalk.exe (PID: 6040)
      • DingTalk.exe (PID: 3332)
      • DingTalk.exe (PID: 5048)
    • Reads the software policy settings

      • slui.exe (PID: 6372)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:28 07:06:13+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 10
CodeSize: 2565632
InitializedDataSize: 1611776
UninitializedDataSize: -
EntryPoint: 0x22173c
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
132
Monitored processes
13
Malicious processes
11
Suspicious processes
0

Behavior graph

start
  • 47040b942f874d377548c8743b8a4e443d4f281c29af2d23d670e0ccf9b6ea2e.exe (no specs)
  • #SILVERFOX explorer.exe
  • bpyomz.exe (no specs)
  • dingtalk.exe (no specs)
  • #SILVERFOX explorer.exe
  • slui.exe
  • o1kvum.exe (no specs)
  • dingtalk.exe (no specs)
  • #SILVERFOX explorer.exe
  • kcmwh5.exe (no specs)
  • dingtalk.exe (no specs)
  • #SILVERFOX explorer.exe
  • svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 300
CMD: C:\ProgramData\x3WNqF\BpyoMZ.exe
Path: C:\ProgramData\x3WNqF\BpyoMZ.exe
Parent process: explorer.exe
User:
admin
Company:
Alibaba Group.
Integrity Level:
MEDIUM
Description:
DingTalk
Exit code:
0
Version:
3.5.6.2
Modules
Images
c:\programdata\x3wnqf\bpyomz.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
PID: 736
CMD: C:\ProgramData\kFBUDX\o1KvuM.exe
Path: C:\ProgramData\kFBUDX\o1KvuM.exe
Parent process: explorer.exe
User:
admin
Company:
Alibaba Group.
Integrity Level:
MEDIUM
Description:
DingTalk
Exit code:
0
Version:
3.5.6.2
Modules
Images
c:\programdata\kfbudx\o1kvum.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
PID: 1812
CMD: C:\\Windows\\explorer.exe
Path: C:\Windows\explorer.exe
Parent process: DingTalk.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2564
CMD: C:\\Windows\\explorer.exe
Path: C:\Windows\explorer.exe
Parent process: DingTalk.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\aepic.dll
PID: 3100
CMD: C:\\Windows\\explorer.exe
Path: C:\Windows\explorer.exe
Parent process: DingTalk.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
PID: 3332
CMD: "C:\ProgramData\kFBUDX\main\current\DingTalk.exe"
Path: C:\ProgramData\kFBUDX\main\current\DingTalk.exe
Parent process: o1KvuM.exe
User:
admin
Company:
VMware, Inc.
Integrity Level:
MEDIUM
Description:
VMware Tools Core Service
Exit code:
1307
Version:
12.1.0.37487
Modules
Images
c:\programdata\kfbudx\main\current\dingtalk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 5048
CMD: "C:\ProgramData\hQakUK\main\current\DingTalk.exe"
Path: C:\ProgramData\hQakUK\main\current\DingTalk.exe
Parent process: kcMWh5.exe
User:
admin
Company:
VMware, Inc.
Integrity Level:
MEDIUM
Description:
VMware Tools Core Service
Exit code:
1307
Version:
12.1.0.37487
Modules
Images
c:\programdata\hqakuk\main\current\dingtalk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 5352
CMD: C:\ProgramData\hQakUK\kcMWh5.exe
Path: C:\ProgramData\hQakUK\kcMWh5.exe
Parent process: explorer.exe
User:
admin
Company:
Alibaba Group.
Integrity Level:
MEDIUM
Description:
DingTalk
Exit code:
0
Version:
3.5.6.2
Modules
Images
c:\programdata\hqakuk\kcmwh5.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
PID: 5492
CMD: C:\WINDOWS\Explorer.EXE
Path: C:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
Total events
7 630
Read events
7 572
Write events
42
Delete events
16

Modification events

| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 5492 | explorer.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop | write | IconLayouts | |
| 5492 | explorer.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop | write | IconNameVersion | 1 |
| 5492 | explorer.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts | write | LastUpdate | FE54106800000000 |
| 5492 | explorer.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers | delete value | BackgroundHistoryPath0 | C:\Windows\web\wallpaper\Windows\img0.jpg |
| 5492 | explorer.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers | delete value | BackgroundHistoryPath1 | |
| 5492 | explorer.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers | delete value | BackgroundHistoryPath2 | |
| 5492 | explorer.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers | delete value | BackgroundHistoryPath3 | |
| 5492 | explorer.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers | delete value | BackgroundHistoryPath4 | |
| 5492 | explorer.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers | write | BackgroundHistoryPath0 | C:\Windows\web\wallpaper\Windows\img0.jpg |
| 5492 | explorer.exe | HKEY_CURRENT_USER\Network | delete value | INSTALLTIME | |
Executable files
31
Suspicious files
5
Text files
0
Unknown types
0

Dropped files

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 6040 | DingTalk.exe | C:\Windows\Temp\vmware-vmtoolsd-admin.log | | | |
| 6040 | DingTalk.exe | C:\Windows\Temp\vmware-vmsvc-admin.log | | | |
| 6388 | 47040b942f874d377548c8743b8a4e443d4f281c29af2d23d670e0ccf9b6ea2e.exe | C:\Users\Public\Downloads\bb.jpg | binary | BD2427C035344F701530C481EA6B0C49 | A2C4A313604A818526BC3D3424AEF7F664E30DB6C858A7F3B0054A56F4B57F62 |
| 5492 | explorer.exe | C:\ProgramData\x3WNqF\main\current\gobject-2.0.dll | executable | 04F3300D00CA0AB0964DD14C71639D36 | D701B3F556B370D6C0BE5F37B5028AC8A61169F06D9B4065AEAE23621F122572 |
| 5492 | explorer.exe | C:\ProgramData\x3WNqF\BpyoMZ.exe | executable | 627E4A4FF89ECB9FD9C812A8D86B28C3 | 2BD7CA5EE774736AF3C23D30C400B416D6AC41FC814D6F9F239EB1E7BE599EB3 |
| 5492 | explorer.exe | C:\ProgramData\x3WNqF\main\current\pcre.dll | executable | 04893181E2960F4AAE9971B5A15A056F | 1BA88E206A9F415D839ED94F8B1633E2559E031FAC1E976B4689BFDD5B8E2749 |
| 5492 | explorer.exe | C:\ProgramData\x3WNqF\main\current\gmodule-2.0.dll | executable | D541E6AFF57DAB928B8C3CBA7C5EFDF2 | 5E3169122A06885A06ACA3E95B894884165B944FD79EFB5AAF133863E1E7F0F9 |
| 5492 | explorer.exe | C:\ProgramData\x3WNqF\main\current\glib-2.0.dll | executable | B31B5E53BCDB3058EF6BE7D7563FF338 | 5A61B9BD7AAD0F585BE70EFB3FD1E5CB939610A198335E5A2E2D5AAC661B4C9B |
| 5492 | explorer.exe | C:\ProgramData\x3WNqF\main\current\vmtools.dll | executable | BBE654291DACFB41E7374F5D1F5C0946 | 79CF86BA86F95A3A169724E605C900FBB7C6084CC87A547CD1629B1E468AE11B |
| 5492 | explorer.exe | C:\Users\Public\Downloads\QQgames.exe | executable | C3AF518D7BB5F7F368FEBCE09C7E57CE | 8F490791F7164633E2BC3BFE129C829986A45B918566C2FE1D63F3C77B0EB28C |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
62
TCP/UDP connections
57
DNS requests
16
Threats
137

HTTP requests

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| | | GET | 304 | 20.109.210.53:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | | unknown | | |
| 2384 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | | unknown | | whitelisted |
| 2384 | SIHClient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | | unknown | | whitelisted |
| 2384 | SIHClient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | | unknown | | whitelisted |
| 2384 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | | unknown | | whitelisted |
| 2384 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | | unknown | | whitelisted |
| 2384 | SIHClient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | | unknown | | whitelisted |
| 2384 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | | unknown | | whitelisted |
| | | GET | 200 | 13.95.31.18:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | | unknown | | |
| 2384 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | | unknown | | whitelisted |

Connections

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| | | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:137 | | | | whitelisted |
| 4 | System | 192.168.100.255:138 | | | | whitelisted |
| 3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
| 5492 | explorer.exe | 192.238.129.9:7777 | td.ldxwpedf.cn | LEASEWEB-USA-LAX | US | malicious |
| 2384 | SIHClient.exe | 4.245.163.56:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 2384 | SIHClient.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
| 2384 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
| 2384 | SIHClient.exe | 20.3.187.198:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 5492 | explorer.exe | 8.134.199.119:80 | | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious |

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.110
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
  • 172.211.123.249
whitelisted
td.ldxwpedf.cn
  • 192.238.129.9
malicious
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.48
whitelisted

Threats

| PID | Process | Class | Message |
|---|---|---|---|
| 5492 | explorer.exe | A Network Trojan was detected | ET MALWARE Win32/ProcessKiller CnC Initialization M2 |
| 5492 | explorer.exe | Potentially Bad Traffic | PAYLOAD [ANY.RUN] XORed Windows executable has been loaded |
| 5492 | explorer.exe | Potentially Bad Traffic | PAYLOAD [ANY.RUN] XORed Windows executable has been loaded |
| 5492 | explorer.exe | Malware Command and Control Activity Detected | ET MALWARE Winos4.0 Framework CnC Login Message |
| 5492 | explorer.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] SilverFox TCP Init Packet |
| 5492 | explorer.exe | Malware Command and Control Activity Detected | ET MALWARE Winos4.0 Framework CnC Login Message CnC Server Response |
| 5492 | explorer.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] SilverFox Encrypted Client Packet |
| 5492 | explorer.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] SilverFox Keep-Alive Client Packet |
| 5492 | explorer.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] SilverFox Keep-Alive Client Packet |
| 5492 | explorer.exe | A Network Trojan was detected | ET MALWARE Suspicious User Agent Detected (RookIE) - Common with Downloaders |
No debug info