Malware analysis 6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe Malicious activity

Add for printing

File name:	6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe
Full analysis:	https://app.any.run/tasks/1feae871-476c-4736-8b5b-693b7d5cf699
Verdict:	Malicious activity
Threats:	A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. ValleyRAT is a classic remote access trojan first documented in 2023, targeting mainly Windows systems. It is used by threat actors to gain persistent access to infected devices, steal data, and control compromised machines. ValleyRAT is notable for its relatively advanced evasion techniques and its connections to a prominent Chinese APT group. Malware Trends Tracker >>>
Analysis date:	June 28, 2025, 10:14:37
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	python payload silverfox backdoor loader uac pyinstaller valleyrat winos rat arch-exec advancedinstaller
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:	39A27D859ECA3100263E76888BFBF34D
SHA1:	3B55F3C40FDD98ADE7E6736852410871F7D18327
SHA256:	6490A19D1B236722F4560E3C59722B16319FF3B4A425897B4C513F6AC8A7524C
SSDEEP:	98304:2C3CpA11ybhbLylu/ZUmTv4O+kzK/7ueSnKHddLO0Aq+a2kY/wUGIjgC/TJLKTnw:DTdw/881mwLNuEmxZVjg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- SILVERFOX has been detected (SURICATA)
  - explorer.exe (PID: 4772)
  - colorcpl.exe (PID: 2696)
- Bypass User Account Control (ComputerDefaults)
  - ComputerDefaults.exe (PID: 6284)
- Runs injected code in another process
  - msiexec.exe (PID: 888)
- Application was injected by another process
  - explorer.exe (PID: 4772)
- Connects to the CnC server
  - explorer.exe (PID: 4772)
  - colorcpl.exe (PID: 2696)
- Changes the autorun value in the registry
  - explorer.exe (PID: 4772)
  - colorcpl.exe (PID: 2696)
- VALLEYRAT has been detected
  - colorcpl.exe (PID: 2696)
SUSPICIOUS
- Executable content was dropped or overwritten
  - 6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe (PID: 2076)
  - 6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe (PID: 3872)
  - colorcpl.exe (PID: 2696)
  - explorer.exe (PID: 4772)
- Process drops python dynamic module
  - 6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe (PID: 2076)
- Process drops legitimate windows executable
  - 6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe (PID: 2076)
- The process drops C-runtime libraries
  - 6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe (PID: 2076)
- Application launched itself
  - 6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe (PID: 2076)
  - msiexec.exe (PID: 5008)
- Loads Python modules
  - 6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe (PID: 3872)
- Reads security settings of Internet Explorer
  - msiexec.exe (PID: 888)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 5008)
- Contacting a server suspected of hosting an CnC
  - explorer.exe (PID: 4772)
  - colorcpl.exe (PID: 2696)
- There is functionality for taking screenshot (YARA)
  - 6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe (PID: 3872)
  - 6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe (PID: 2076)
- Detects AdvancedInstaller (YARA)
  - msiexec.exe (PID: 5008)
- Searches for installed software
  - explorer.exe (PID: 4772)
  - colorcpl.exe (PID: 2696)
- Connects to the server without a host name
  - explorer.exe (PID: 4772)
  - colorcpl.exe (PID: 2696)
- Process requests binary or script from the Internet
  - explorer.exe (PID: 4772)
  - colorcpl.exe (PID: 2696)
- Connects to unusual port
  - explorer.exe (PID: 4772)
  - colorcpl.exe (PID: 2696)
- Potential Corporate Privacy Violation
  - explorer.exe (PID: 4772)
  - colorcpl.exe (PID: 2696)
- The process verifies whether the antivirus software is installed
  - explorer.exe (PID: 4772)
  - colorcpl.exe (PID: 2696)
INFO
- Reads the computer name
  - 6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe (PID: 2076)
  - 6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe (PID: 3872)
  - msiexec.exe (PID: 5008)
  - msiexec.exe (PID: 888)
  - msiexec.exe (PID: 2292)
- Create files in a temporary directory
  - 6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe (PID: 2076)
  - 6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe (PID: 3872)
- The sample compiled with english language support
  - 6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe (PID: 2076)
  - msiexec.exe (PID: 5008)
- Checks supported languages
  - 6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe (PID: 2076)
  - 6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe (PID: 3872)
  - msiexec.exe (PID: 888)
  - msiexec.exe (PID: 2292)
  - msiexec.exe (PID: 5008)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 5008)
- Creates files or folders in the user directory
  - msiexec.exe (PID: 5008)
  - msiexec.exe (PID: 888)
- Checks proxy server information
  - msiexec.exe (PID: 888)
  - explorer.exe (PID: 4772)
  - colorcpl.exe (PID: 2696)
- Reads the machine GUID from the registry
  - msiexec.exe (PID: 888)
- Reads the software policy settings
  - msiexec.exe (PID: 888)
- Reads Environment values
  - msiexec.exe (PID: 2292)
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 4772)
  - colorcpl.exe (PID: 2696)
- PyInstaller has been detected (YARA)
  - 6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe (PID: 2076)
  - 6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe (PID: 3872)
- Creates files in the program directory
  - explorer.exe (PID: 4772)
  - colorcpl.exe (PID: 2696)
- Launching a file from a Registry key
  - explorer.exe (PID: 4772)
  - colorcpl.exe (PID: 2696)
- The sample compiled with chinese language support
  - colorcpl.exe (PID: 2696)
  - explorer.exe (PID: 4772)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	InstallShield setup (57.6)
.exe	\|	Win64 Executable (generic) (36.9)
.exe	\|	Generic Win/DOS Executable (2.6)
.exe	\|	DOS Executable Generic (2.6)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2025:06:23 00:37:42+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.43
CodeSize:	174592
InitializedDataSize:	157184
UninitializedDataSize:	-
EntryPoint:	0xd0d0
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

147

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

888

C:\Windows\System32\MsiExec.exe -Embedding AADD53499ED4F03597C797147C0CA20E

C:\Windows\System32\msiexec.exe

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1984

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

2076

"C:\Users\admin\AppData\Local\Temp\6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe"

C:\Users\admin\AppData\Local\Temp\6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

2292

C:\Windows\syswow64\MsiExec.exe -Embedding A5AE4739F5DC144D1782E9845679F496

C:\Windows\SysWOW64\msiexec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

2696

C:\Windows\System32\colorcpl.exe

ComputerDefaults.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Color Control Panel

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\colorcpl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\colorui.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

3584

C:\WINDOWS\system32\winver.exe

C:\Windows\System32\winver.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Version Reporter Applet

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\winver.exe
c:\windows\system32\ntdll.dll

3756

msiexec /i C:\Users\admin\AppData\Local\Temp\tmpmtemjhtt\setup.msi /quiet /norestart

C:\Windows\System32\msiexec.exe

—

6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

3872

"C:\Users\admin\AppData\Local\Temp\6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe"

C:\Users\admin\AppData\Local\Temp\6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe

6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

4772

C:\WINDOWS\Explorer.EXE

C:\Windows\explorer.exe

—

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll

5008

C:\WINDOWS\system32\msiexec.exe /V

C:\Windows\System32\msiexec.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

Add for printing

Total events

3 878

Read events

3 816

Write events

Delete events

Modification events


(PID) Process:	(5008) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: 90130000A3D6137815E8DB01
(PID) Process:	(5008) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: 3250D8D4688BCF562CA42E928CFDDE6300B183D1A9528C559247F5ACF9B7B686
(PID) Process:	(5008) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(5008) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:	write	Name:	C:\Config.Msi\
Value:
(PID) Process:	(5008) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:	write	Name:	C:\Config.Msi\175536.rbs
Value: 31189013
(PID) Process:	(5008) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:	write	Name:	C:\Config.Msi\175536.rbsLow
Value:
(PID) Process:	(5008) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:	write	Name:	C:\Users\admin\AppData\Roaming\Microsoft\Installer\
Value:
(PID) Process:	(5008) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\D70586E5B837E4E4F8B914511DDC9F75
Operation:	write	Name:	C325EE30E79D5A844B73D05B2D9A5B46
Value: C:\Users\admin\AppData\Roaming\Setup\Setup\
(PID) Process:	(5008) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\7A351B9CFFC2F034FA13676A66DA051E
Operation:	write	Name:	C325EE30E79D5A844B73D05B2D9A5B46
Value: 01:\Software\Setup\Setup\Version
(PID) Process:	(5008) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\EDA8B2A7860E42A43ACAF6D60A467759
Operation:	write	Name:	C325EE30E79D5A844B73D05B2D9A5B46
Value: C:\Users\admin\AppData\Roaming\Setup\Setup\gb.dll

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2076	6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe	C:\Users\admin\AppData\Local\Temp\_MEI20762\_bz2.pyd		executable
		MD5:51CA0713F8FD5F142625A44DF7ED7100	SHA256:8768315B1E0E81CCD0D96C3D6A863803F5DD1DE6AF849285C439D61ABD32B647
2076	6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe	C:\Users\admin\AppData\Local\Temp\_MEI20762\VCRUNTIME140.dll		executable
		MD5:32DA96115C9D783A0769312C0482A62D	SHA256:8B10C53241726B0ACC9F513157E67FCB01C166FEC69E5E38CA6AADA8F9A3619F
2076	6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe	C:\Users\admin\AppData\Local\Temp\_MEI20762\api-ms-win-core-file-l1-1-0.dll		executable
		MD5:BCC620DCC9A3A9DFD38663A971B7044B	SHA256:F73000652CA7CA7468CA6134663C99CBAF7BD97740BDBDD5D1E1E23CCFD5DB75
2076	6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe	C:\Users\admin\AppData\Local\Temp\_MEI20762\api-ms-win-core-console-l1-1-0.dll		executable
		MD5:1BEBD9B65ED18B680F7E39BEF09FE6CE	SHA256:E756F6970905657CF73ECB3F57BAE55A67BE29AFA75AE4D16046B0F7229708EB
2076	6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe	C:\Users\admin\AppData\Local\Temp\_MEI20762\api-ms-win-core-file-l1-2-0.dll		executable
		MD5:8AD4771E23185CB7672F71EC16C580CF	SHA256:B153FF5D667C8297776F21C5F440CFF28C3E3A5B1F748FD4700306E1FB283ED8
2076	6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe	C:\Users\admin\AppData\Local\Temp\_MEI20762\api-ms-win-core-errorhandling-l1-1-0.dll		executable
		MD5:A538B281F8E84CECDAC507C73A43D744	SHA256:45AFAF08D1CD7E43AC5DED47ED5FD708B86E835A9470C81E8130ED6955B84DB8
2076	6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe	C:\Users\admin\AppData\Local\Temp\_MEI20762\api-ms-win-core-libraryloader-l1-1-0.dll		executable
		MD5:2A2E22F35B83AAB6DB3D7B27C5AF1953	SHA256:425E4EBEE71347295E36776D415611D451E2A51B451DF57DA23ED8F8FB4664E8
2076	6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe	C:\Users\admin\AppData\Local\Temp\_MEI20762\api-ms-win-core-heap-l1-1-0.dll		executable
		MD5:CDD1EF7807185EEEE2D5AC3BAE51BDD5	SHA256:6D14B49E8E21DE08B9FA778F15C259DBD4FEB9B54EB628D69BD50E5C86AA65A5
2076	6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe	C:\Users\admin\AppData\Local\Temp\_MEI20762\api-ms-win-core-handle-l1-1-0.dll		executable
		MD5:517B80A416198DCFC9A1572625819506	SHA256:2783B85D98F4A92FAF67A94FC04E9C2F6786627949984828D14DEAB1682BBE3F
2076	6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe	C:\Users\admin\AppData\Local\Temp\_MEI20762\api-ms-win-core-fibers-l1-1-0.dll		executable
		MD5:824A1932C5C58891152AE1DE02EEF652	SHA256:3082B0E09DFAC27233B6DF097EE0C9A45D395ADEADC0026B157106424EA98389

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
888	msiexec.exe	GET	200	104.18.20.226:80	http://ocsp2.globalsign.com/rootr3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEQCB5auY5G81uRwv%2BheHGMha	unknown	—	—	whitelisted
888	msiexec.exe	GET	200	104.18.20.226:80	http://ocsp.globalsign.com/rootr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDQHuXxad%2F5c1K2Rl1mo%3D	unknown	—	—	whitelisted
888	msiexec.exe	GET	200	104.18.20.226:80	http://ocsp.globalsign.com/gsgccr3ovtlsca2024/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBT%2BeHEVW1om2JjNh%2BetTEbfp%2BiVWQQU2tOoCEgMNDdY7uWndS5Z%2FNbcPDgCDGqKmk54oRJv16NLcw%3D%3D	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2552	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4772	explorer.exe	GET	200	8.134.199.119:80	http://8.134.199.119/dll.txt	unknown	—	—	malicious
4772	explorer.exe	GET	200	8.134.199.119:80	http://8.134.199.119/regname.txt	unknown	—	—	malicious
4772	explorer.exe	GET	200	8.134.199.119:80	http://8.134.199.119/wj/yjwjhr.zip	unknown	—	—	malicious
4772	explorer.exe	GET	200	8.134.199.119:80	http://8.134.199.119/wj/yjwj.exe	unknown	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1268	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1520	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5944	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
888	msiexec.exe	8.138.53.61:443	gbcode.oss-cn-guangzhou.aliyuncs.com	—	SG	unknown
888	msiexec.exe	104.18.20.226:80	ocsp.globalsign.com	CLOUDFLARENET	—	whitelisted
4772	explorer.exe	47.238.152.36:7777	gb.epkogtzxs.cn	—	US	malicious
1268	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1268	svchost.exe	2.16.168.114:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 51.124.78.146 40.127.240.158	whitelisted
google.com	142.250.186.142	whitelisted
gbcode.oss-cn-guangzhou.aliyuncs.com	8.138.53.61	unknown
ocsp.globalsign.com	104.18.20.226 104.18.21.226	whitelisted
ocsp2.globalsign.com	104.18.20.226 104.18.21.226	whitelisted
gb.epkogtzxs.cn	47.238.152.36	unknown
crl.microsoft.com	2.16.168.114 2.16.168.124	whitelisted
www.microsoft.com	95.101.149.131 184.30.21.171	whitelisted
login.live.com	40.126.32.138 20.190.160.22 40.126.32.140 20.190.160.132 40.126.32.136 20.190.160.66 20.190.160.65 20.190.160.131	whitelisted
ocsp.digicert.com	2.23.77.188	whitelisted

Threats

PID	Process	Class	Message
2200	svchost.exe	Misc activity	ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
888	msiexec.exe	Misc activity	ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
4772	explorer.exe	A Network Trojan was detected	ET MALWARE Win32/ProcessKiller CnC Initialization M2
4772	explorer.exe	Potentially Bad Traffic	PAYLOAD [ANY.RUN] XORed Windows executable has been loaded
4772	explorer.exe	Potentially Bad Traffic	PAYLOAD [ANY.RUN] XORed Windows executable has been loaded
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
4772	explorer.exe	Malware Command and Control Activity Detected	ET MALWARE Winos4.0 Framework CnC Login Message
4772	explorer.exe	Malware Command and Control Activity Detected	BACKDOOR [ANY.RUN] SilverFox TCP Init Packet
4772	explorer.exe	Malware Command and Control Activity Detected	ET MALWARE Winos4.0 Framework CnC Login Message CnC Server Response
4772	explorer.exe	Malware Command and Control Activity Detected	BACKDOOR [ANY.RUN] SilverFox Encrypted Client Packet

Add for printing

No debug info

General Info

6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c.exe

39A27D859ECA3100263E76888BFBF34D

3B55F3C40FDD98ADE7E6736852410871F7D18327

6490A19D1B236722F4560E3C59722B16319FF3B4A425897B4C513F6AC8A7524C

98304:2C3CpA11ybhbLylu/ZUmTv4O+kzK/7ueSnKHddLO0Aq+a2kY/wUGIjgC/TJLKTnw:DTdw/881mwLNuEmxZVjg

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SILVERFOX has been detected (SURICATA)

Bypass User Account Control (ComputerDefaults)

Runs injected code in another process

Application was injected by another process

Connects to the CnC server

Changes the autorun value in the registry

VALLEYRAT has been detected

SUSPICIOUS

Executable content was dropped or overwritten

Process drops python dynamic module

Process drops legitimate windows executable

The process drops C-runtime libraries

Application launched itself

Loads Python modules

Reads security settings of Internet Explorer

Reads the Windows owner or organization settings

Contacting a server suspected of hosting an CnC

There is functionality for taking screenshot (YARA)

Detects AdvancedInstaller (YARA)

Searches for installed software

Connects to the server without a host name

Process requests binary or script from the Internet

Connects to unusual port

Potential Corporate Privacy Violation

The process verifies whether the antivirus software is installed

INFO

Reads the computer name

Create files in a temporary directory

The sample compiled with english language support

Checks supported languages

Executable content was dropped or overwritten

Creates files or folders in the user directory

Checks proxy server information

Reads the machine GUID from the registry

Reads the software policy settings

Reads Environment values

Reads security settings of Internet Explorer

PyInstaller has been detected (YARA)

Creates files in the program directory

Launching a file from a Registry key

The sample compiled with chinese language support

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information