File name: 86CB5F74AF900C505A558DD1C9018BC4.exe

Full analysis: https://app.any.run/tasks/1554a9bb-b2fe-40e1-96dc-edba0a76a25c
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Analysis date: July 26, 2025, 00:50:00
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
backdoor
silverfox
valleyrat
winos
rat
qrcode
vmprotect
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5: 86CB5F74AF900C505A558DD1C9018BC4
SHA1: B3398C70A2FC85FC80158C27AB30AC645E3BF4BF
SHA256: F1BDE45AC4A34B8EC885FB5FB07F5E47F89F97B257CC38A1EB37FC0C308C4A04
SSDEEP: 393216:I3HVEhHibNch9XZPi9J5TieN6m1O41mtbSHNJWFCu:uIXZPlO1mtENJeD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6980)
      • powershell.exe (PID: 7224)
      • powershell.exe (PID: 7292)
      • powershell.exe (PID: 7748)
      • powershell.exe (PID: 7968)
      • powershell.exe (PID: 8044)
      • powershell.exe (PID: 7316)
      • powershell.exe (PID: 7228)
      • powershell.exe (PID: 7424)
      • powershell.exe (PID: 4912)
      • powershell.exe (PID: 2668)
      • powershell.exe (PID: 6656)
      • powershell.exe (PID: 7284)
      • powershell.exe (PID: 6312)
      • powershell.exe (PID: 2996)
      • powershell.exe (PID: 7876)
      • powershell.exe (PID: 4456)
      • powershell.exe (PID: 3896)
      • powershell.exe (PID: 320)
      • powershell.exe (PID: 2324)
      • powershell.exe (PID: 8080)
      • powershell.exe (PID: 4080)
      • powershell.exe (PID: 8040)
      • powershell.exe (PID: 3396)
      • powershell.exe (PID: 6684)
      • powershell.exe (PID: 9040)
      • powershell.exe (PID: 8688)
      • powershell.exe (PID: 8276)
      • powershell.exe (PID: 8472)
      • powershell.exe (PID: 3768)
      • powershell.exe (PID: 9092)
      • powershell.exe (PID: 7848)
      • powershell.exe (PID: 8372)
      • powershell.exe (PID: 8228)
      • powershell.exe (PID: 3840)
      • powershell.exe (PID: 9152)
      • powershell.exe (PID: 8624)
      • powershell.exe (PID: 5928)
      • powershell.exe (PID: 5476)
      • powershell.exe (PID: 5288)
      • powershell.exe (PID: 8528)
      • powershell.exe (PID: 6544)
      • powershell.exe (PID: 9160)
      • powershell.exe (PID: 6288)
      • powershell.exe (PID: 8592)
      • powershell.exe (PID: 8948)
      • powershell.exe (PID: 6648)
      • powershell.exe (PID: 9212)
    • VALLEYRAT has been detected

      • NtHandleCallback.exe (PID: 7044)
    • Connects to the CnC server

      • NtHandleCallback.exe (PID: 7044)
      • tracerpt.exe (PID: 888)
    • SILVERFOX has been detected (SURICATA)

      • NtHandleCallback.exe (PID: 7044)
      • tracerpt.exe (PID: 888)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7224)
      • powershell.exe (PID: 7968)
      • powershell.exe (PID: 7228)
      • powershell.exe (PID: 2668)
      • powershell.exe (PID: 6312)
      • powershell.exe (PID: 4456)
      • powershell.exe (PID: 3396)
      • powershell.exe (PID: 320)
      • powershell.exe (PID: 8276)
      • powershell.exe (PID: 9092)
      • powershell.exe (PID: 8688)
      • powershell.exe (PID: 8624)
      • powershell.exe (PID: 8228)
      • powershell.exe (PID: 8528)
      • powershell.exe (PID: 6288)
      • powershell.exe (PID: 6648)
    • Changes Windows Defender settings

      • NtHandleCallback.exe (PID: 7044)
    • Changes powershell execution policy (Bypass)

      • NtHandleCallback.exe (PID: 7044)
    • Adds path to the Windows Defender exclusion list

      • NtHandleCallback.exe (PID: 7044)
    • WINOS has been detected (YARA)

      • tracerpt.exe (PID: 888)
    • VALLEYRAT has been detected (YARA)

      • NtHandleCallback.exe (PID: 7044)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 86CB5F74AF900C505A558DD1C9018BC4.exe (PID: 6720)
      • 86CB5F74AF900C505A558DD1C9018BC4.exe (PID: 4104)
      • 86CB5F74AF900C505A558DD1C9018BC4.tmp (PID: 6704)
      • unzip.exe (PID: 3108)
      • men.exe (PID: 5628)
      • updater.exe (PID: 2508)
      • updater.exe (PID: 6504)
      • NtHandleCallback.exe (PID: 7044)
      • NVIDIA.exe (PID: 188)
      • 138.0.7204.169_chrome_installer_uncompressed.exe (PID: 4400)
      • setup.exe (PID: 7852)
      • updater.exe (PID: 8464)
      • updater.exe (PID: 7468)
    • Reads security settings of Internet Explorer

      • 86CB5F74AF900C505A558DD1C9018BC4.tmp (PID: 6264)
      • updater.exe (PID: 6504)
    • Reads the Windows owner or organization settings

      • 86CB5F74AF900C505A558DD1C9018BC4.tmp (PID: 6704)
    • Likely accesses (executes) a file from the Public directory

      • setup.exe (PID: 472)
      • men.exe (PID: 5628)
      • unzip.exe (PID: 3108)
      • NtHandleCallback.exe (PID: 7044)
      • NVIDIA.exe (PID: 188)
      • powershell.exe (PID: 7224)
      • powershell.exe (PID: 7968)
      • powershell.exe (PID: 7228)
      • powershell.exe (PID: 2668)
      • main.exe (PID: 7864)
      • main.exe (PID: 7872)
      • sc.exe (PID: 7936)
      • cmd.exe (PID: 2972)
      • powershell.exe (PID: 6312)
      • powershell.exe (PID: 4456)
      • powershell.exe (PID: 3396)
      • powershell.exe (PID: 320)
      • powershell.exe (PID: 8276)
      • powershell.exe (PID: 8688)
      • powershell.exe (PID: 9092)
      • powershell.exe (PID: 8228)
      • powershell.exe (PID: 8624)
      • powershell.exe (PID: 8528)
      • powershell.exe (PID: 6288)
      • powershell.exe (PID: 6648)
    • Creates a file in the system drive root

      • 86CB5F74AF900C505A558DD1C9018BC4.tmp (PID: 6704)
      • NtHandleCallback.exe (PID: 7044)
    • Application launched itself

      • updater.exe (PID: 6504)
      • updater.exe (PID: 2508)
      • updater.exe (PID: 6648)
      • setup.exe (PID: 7852)
      • setup.exe (PID: 7600)
      • updater.exe (PID: 7468)
      • updater.exe (PID: 8464)
    • Executes as Windows Service

      • updater.exe (PID: 2508)
      • updater.exe (PID: 6648)
      • updater.exe (PID: 7468)
    • Drops a system driver (possible attempt to evade defenses)

      • men.exe (PID: 5628)
      • NtHandleCallback.exe (PID: 7044)
    • Drops 7-zip archiver for unpacking

      • men.exe (PID: 5628)
    • Starts POWERSHELL.EXE for commands execution

      • NtHandleCallback.exe (PID: 7044)
      • men.exe (PID: 5628)
    • Connects to unusual port

      • NtHandleCallback.exe (PID: 7044)
      • tracerpt.exe (PID: 888)
    • The process bypasses the loading of PowerShell profile settings

      • NtHandleCallback.exe (PID: 7044)
    • Query Microsoft Defender preferences

      • NtHandleCallback.exe (PID: 7044)
    • Creates or modifies Windows services

      • NVIDIA.exe (PID: 188)
    • Contacting a server suspected of hosting a CnC

      • NtHandleCallback.exe (PID: 7044)
      • tracerpt.exe (PID: 888)
    • Script adds exclusion path to Windows Defender

      • NtHandleCallback.exe (PID: 7044)
    • Stops a currently running service

      • sc.exe (PID: 7892)
    • Hides command output

      • cmd.exe (PID: 7788)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 7788)
    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 7788)
    • Starts SC.EXE for service management

      • men.exe (PID: 5628)
    • Creates a new Windows service

      • sc.exe (PID: 7936)
    • Windows service management via SC.EXE

      • sc.exe (PID: 7848)
    • Starts CMD.EXE for commands execution

      • men.exe (PID: 5628)
    • The process deletes folder without confirmation

      • men.exe (PID: 5628)
    • Executing commands from a ".bat" file

      • men.exe (PID: 5628)
    • There is functionality for taking screenshots (YARA)

      • tracerpt.exe (PID: 888)
  • INFO

    • Checks supported languages

      • 86CB5F74AF900C505A558DD1C9018BC4.exe (PID: 6720)
      • 86CB5F74AF900C505A558DD1C9018BC4.tmp (PID: 6264)
      • 86CB5F74AF900C505A558DD1C9018BC4.exe (PID: 4104)
      • 86CB5F74AF900C505A558DD1C9018BC4.tmp (PID: 6704)
      • setup.exe (PID: 472)
      • updater.exe (PID: 6504)
      • unzip.exe (PID: 3108)
      • men.exe (PID: 5628)
      • updater.exe (PID: 1180)
      • updater.exe (PID: 1160)
      • updater.exe (PID: 2508)
      • updater.exe (PID: 3740)
      • updater.exe (PID: 6648)
      • NtHandleCallback.exe (PID: 7044)
      • NVIDIA.exe (PID: 188)
      • 138.0.7204.169_chrome_installer_uncompressed.exe (PID: 4400)
      • main.exe (PID: 7864)
      • main.exe (PID: 7872)
    • Creates files in a temporary directory

      • 86CB5F74AF900C505A558DD1C9018BC4.exe (PID: 6720)
      • 86CB5F74AF900C505A558DD1C9018BC4.exe (PID: 4104)
      • 86CB5F74AF900C505A558DD1C9018BC4.tmp (PID: 6704)
      • setup.exe (PID: 472)
      • updater.exe (PID: 6504)
      • NVIDIA.exe (PID: 188)
    • Reads the computer name

      • 86CB5F74AF900C505A558DD1C9018BC4.tmp (PID: 6264)
      • 86CB5F74AF900C505A558DD1C9018BC4.exe (PID: 4104)
      • 86CB5F74AF900C505A558DD1C9018BC4.tmp (PID: 6704)
      • setup.exe (PID: 472)
      • unzip.exe (PID: 3108)
      • updater.exe (PID: 6504)
      • men.exe (PID: 5628)
      • updater.exe (PID: 2508)
      • updater.exe (PID: 6648)
      • NtHandleCallback.exe (PID: 7044)
      • 138.0.7204.169_chrome_installer_uncompressed.exe (PID: 4400)
    • Process checks computer location settings

      • 86CB5F74AF900C505A558DD1C9018BC4.tmp (PID: 6264)
    • The sample compiled with English language support

      • 86CB5F74AF900C505A558DD1C9018BC4.tmp (PID: 6704)
      • updater.exe (PID: 6504)
      • updater.exe (PID: 2508)
      • men.exe (PID: 5628)
      • 138.0.7204.169_chrome_installer_uncompressed.exe (PID: 4400)
      • setup.exe (PID: 7852)
      • updater.exe (PID: 8464)
      • updater.exe (PID: 7468)
    • Creates files in the program directory

      • updater.exe (PID: 6504)
      • updater.exe (PID: 1180)
      • updater.exe (PID: 2508)
      • updater.exe (PID: 6648)
      • setup.exe (PID: 7852)
      • setup.exe (PID: 7600)
      • updater.exe (PID: 7468)
      • updater.exe (PID: 8464)
      • updater.exe (PID: 8516)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 6504)
      • updater.exe (PID: 2508)
      • updater.exe (PID: 6648)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • men.exe (PID: 5628)
    • Checks proxy server information

      • updater.exe (PID: 6504)
    • Reads the software policy settings

      • updater.exe (PID: 6648)
      • updater.exe (PID: 6504)
    • Reads the machine GUID from the registry

      • updater.exe (PID: 6504)
    • Creates files or folders in the user directory

      • updater.exe (PID: 6504)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6980)
      • powershell.exe (PID: 7224)
      • powershell.exe (PID: 7748)
      • powershell.exe (PID: 7292)
      • powershell.exe (PID: 7968)
      • powershell.exe (PID: 8044)
      • powershell.exe (PID: 7316)
      • powershell.exe (PID: 7228)
      • powershell.exe (PID: 7424)
      • powershell.exe (PID: 4912)
      • powershell.exe (PID: 2668)
      • powershell.exe (PID: 6656)
      • powershell.exe (PID: 7284)
      • powershell.exe (PID: 6312)
      • powershell.exe (PID: 768)
      • powershell.exe (PID: 7876)
      • powershell.exe (PID: 4456)
      • powershell.exe (PID: 2996)
      • powershell.exe (PID: 4080)
      • powershell.exe (PID: 320)
      • powershell.exe (PID: 2324)
      • powershell.exe (PID: 8080)
      • powershell.exe (PID: 3896)
      • powershell.exe (PID: 3396)
      • powershell.exe (PID: 6684)
      • powershell.exe (PID: 8040)
      • powershell.exe (PID: 8276)
      • powershell.exe (PID: 8472)
      • powershell.exe (PID: 9040)
      • powershell.exe (PID: 8688)
      • powershell.exe (PID: 8372)
      • powershell.exe (PID: 3768)
      • powershell.exe (PID: 9092)
      • powershell.exe (PID: 7848)
      • powershell.exe (PID: 5476)
      • powershell.exe (PID: 8228)
      • powershell.exe (PID: 3840)
      • powershell.exe (PID: 9152)
      • powershell.exe (PID: 5928)
      • powershell.exe (PID: 5288)
      • powershell.exe (PID: 8528)
      • powershell.exe (PID: 6544)
      • powershell.exe (PID: 9160)
      • powershell.exe (PID: 8624)
      • powershell.exe (PID: 8592)
      • powershell.exe (PID: 8948)
      • powershell.exe (PID: 6288)
    • The sample compiled with Chinese language support

      • NVIDIA.exe (PID: 188)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6980)
      • powershell.exe (PID: 7224)
      • powershell.exe (PID: 7292)
      • powershell.exe (PID: 7748)
      • powershell.exe (PID: 7968)
      • powershell.exe (PID: 8044)
      • powershell.exe (PID: 7316)
      • powershell.exe (PID: 7228)
      • powershell.exe (PID: 7424)
      • powershell.exe (PID: 4912)
      • powershell.exe (PID: 2668)
      • powershell.exe (PID: 7284)
      • powershell.exe (PID: 6656)
      • powershell.exe (PID: 6312)
      • powershell.exe (PID: 768)
      • powershell.exe (PID: 7876)
      • powershell.exe (PID: 4456)
      • powershell.exe (PID: 3896)
      • powershell.exe (PID: 2996)
      • powershell.exe (PID: 4080)
      • powershell.exe (PID: 2324)
      • powershell.exe (PID: 320)
      • powershell.exe (PID: 8080)
      • powershell.exe (PID: 6684)
      • powershell.exe (PID: 3396)
      • powershell.exe (PID: 8040)
      • powershell.exe (PID: 8276)
      • powershell.exe (PID: 8472)
      • powershell.exe (PID: 9040)
      • powershell.exe (PID: 8688)
      • powershell.exe (PID: 8372)
      • powershell.exe (PID: 3768)
      • powershell.exe (PID: 9092)
      • powershell.exe (PID: 7848)
      • powershell.exe (PID: 9152)
      • powershell.exe (PID: 3840)
      • powershell.exe (PID: 8228)
      • powershell.exe (PID: 8624)
      • powershell.exe (PID: 5476)
      • powershell.exe (PID: 5928)
      • powershell.exe (PID: 5288)
      • powershell.exe (PID: 8528)
      • powershell.exe (PID: 6544)
      • powershell.exe (PID: 9160)
      • powershell.exe (PID: 6288)
      • powershell.exe (PID: 8948)
      • powershell.exe (PID: 8592)
    • VMProtect protector has been detected

      • men.exe (PID: 5628)
    • Manual execution by a user

      • chrome.exe (PID: 2212)
      • msedge.exe (PID: 3704)
      • msedge.exe (PID: 9096)
    • Application launched itself

      • chrome.exe (PID: 2212)
      • msedge.exe (PID: 3704)
    • Executes as Windows Service

      • elevation_service.exe (PID: 5172)
    • Connects to unusual port

      • chrome.exe (PID: 6876)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:10 14:35:33+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 704512
InitializedDataSize: 230400
UninitializedDataSize: -
EntryPoint: 0xacfe0
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 70.0.3538.110
ProductVersionNumber: 70.0.3538.110
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: X Setup
FileVersion: 70.0.3538.110
LegalCopyright:
OriginalFileName:
ProductName: X
ProductVersion: 70.0.3538.110
No data.
All screenshots are available in the full report
Total processes: 354
Monitored processes: 214
Malicious processes: 7
Suspicious processes: 20

Behavior graph

[Behavior graph: interactive process tree, available in the full report. Nodes shown, in listed order: 86cb5f74af900c505a558dd1c9018bc4.exe, 86cb5f74af900c505a558dd1c9018bc4.tmp, setup.exe, unzip.exe, updater.exe, men.exe, nthandlecallback.exe (#SILVERFOX), tracerpt.exe (#SILVERFOX), nvidia.exe, svchost.exe, 138.0.7204.169_chrome_installer_uncompressed.exe, main.exe, sc.exe, cmd.exe, takeown.exe, icacls.exe, slui.exe, elevation_service.exe, updatersetup.exe, identity_helper.exe, repeated powershell.exe/conhost.exe pairs, and many chrome.exe and msedge.exe processes. Nodes marked "no specs" carry no indicators.]

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 188
CMD: C:\Users\Public\Documents\WindowsData\NVIDIA.exe
Path: C:\Users\Public\Documents\WindowsData\NVIDIA.exe
Parent process: NtHandleCallback.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\public\documents\windowsdata\nvidia.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 320
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "if ((Get-MpPreference).ExclusionPath -notcontains 'C:\\Users\\Public\\Documents') { Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\Documents' }"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: NtHandleCallback.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 432
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --force-high-res-timeticks=disabled --field-trial-handle=1956,i,13606244526344788668,10843493448230002564,262144 --variations-seed-version --mojo-platform-channel-handle=6824 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
138.0.7204.169
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\138.0.7204.169\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 440
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 472
CMD: "C:\Users\Public\Documents\setup.exe"
Path: C:\Users\Public\Documents\setup.exe
Parent process: 86CB5F74AF900C505A558DD1C9018BC4.tmp
User:
admin
Company:
Google LLC
Integrity Level:
HIGH
Description:
Google Installer (x86)
Exit code:
0
Version:
140.0.7272.0
Modules
Images
c:\users\public\documents\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 768
CMD: powershell -Command "$regPath = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WindowsPowerShell.WbemScripting.SWbemLocator'; $acl = (Get-Item -Path $regPath).GetAccessControl(); $acl.SetAccessRuleProtection($true,$false); $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_); }; $sidSystem = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18'); $sidAdmins = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544'); $sidEveryone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0'); $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($sidSystem,'FullControl','Allow'))); $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($sidAdmins,'ReadKey','Allow'))); $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($sidEveryone,'Delete','Deny'))); (Get-Item -Path $regPath).SetAccessControl($acl); Disable-ScheduledTask -TaskName 'WindowsPowerShell.WbemScripting.SWbemLocator' >$null; Write-Host '计划任务保护已成功应用且不可删除' -ForegroundColor Green;"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: men.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 868
CMD: icacls "C:\Windows\System32\Tasks\WindowsPowerShell.WbemScripting.SWbemLocator" /grant Administrators:F
Path: C:\Windows\System32\icacls.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 888
CMD: "C:\Windows\SysWOW64\tracerpt.exe"
Path: C:\Windows\SysWOW64\tracerpt.exe
Parent process: NtHandleCallback.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Event Trace Report Tool
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tracerpt.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 952
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1096
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=138.0.7204.169 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ffc3cc596e8,0x7ffc3cc596f4,0x7ffc3cc59700
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
138.0.7204.169
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events: 63 182
Read events: 63 066
Write events: 105
Delete events: 11

Modification events

PID: 6504, Process: updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\Clients\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation: write
Name: pv
Value: 140.0.7272.0

PID: 6504, Process: updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\Clients\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation: write
Name: name
Value: GoogleUpdater

PID: 6504, Process: updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation: write
Name: pv
Value: 140.0.7272.0

PID: 6504, Process: updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation: write
Name: name
Value: GoogleUpdater

PID: 6504, Process: updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20510F28-2A48-5A0C-B29F-D8150AF90AF8}
Operation: write
Name: AppID
Value: {20510F28-2A48-5A0C-B29F-D8150AF90AF8}

PID: 6504, Process: updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{20510F28-2A48-5A0C-B29F-D8150AF90AF8}
Operation: write
Name: LocalService
Value: GoogleUpdaterInternalService140.0.7272.0

PID: 6504, Process: updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{20510F28-2A48-5A0C-B29F-D8150AF90AF8}
Operation: write
Name: ServiceParameters
Value: --com-service

PID: 6504, Process: updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{688BD533-FF4B-5424-ADB1-295B5C987389}\TypeLib
Operation: write
Name: Version
Value: 1.0

PID: 6504, Process: updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{688BD533-FF4B-5424-ADB1-295B5C987389}\TypeLib
Operation: write
Name: Version
Value: 1.0

PID: 6504, Process: updater.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{90A9770C-7287-5249-B78F-263562CAE1FD}\TypeLib
Operation: write
Name: Version
Value: 1.0
Executable files: 36
Suspicious files: 483
Text files: 309
Unknown types: 1

Dropped files

Columns: PID, Process, Filename, Type, MD5, SHA256

PID: 6704, Process: 86CB5F74AF900C505A558DD1C9018BC4.tmp
Filename: C:\Users\Public\Documents\is-A6JN4.tmp
MD5:
SHA256:

PID: 6704, Process: 86CB5F74AF900C505A558DD1C9018BC4.tmp
Filename: C:\Users\Public\Documents\man.dat
MD5:
SHA256:

PID: 472, Process: setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\Google472_484684920\UPDATER.PACKED.7Z
MD5:
SHA256:

PID: 4104, Process: 86CB5F74AF900C505A558DD1C9018BC4.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-IEIL8.tmp\86CB5F74AF900C505A558DD1C9018BC4.tmp
Type: executable
MD5: 7F832A1ACDB53B2CE325F3D2266141D5
SHA256: CE5CB9AE2ABA5CF87457B5AD3BD293CB10B0F031E637EC549355763CAFC5C610

PID: 3108, Process: unzip.exe
Filename: C:\Users\Public\Documents\men.exe
Type: executable
MD5: 32D6EE4492A442C35C6E82CD36D6557C
SHA256: 1F8A204DACD1F803CA12D9C10132E7D63E308037248BFD5D87BE6C69620142C8

PID: 6704, Process: 86CB5F74AF900C505A558DD1C9018BC4.tmp
Filename: C:\Users\Public\Documents\is-6D80O.tmp
Type: compressed
MD5: 7FAAD26963DF582F86048F6EF81AA842
SHA256: CAFFA3A856D5CA7AB1C9BDCEEA1E06C2901332C215A85B4011F98081998F8DD3

PID: 6704, Process: 86CB5F74AF900C505A558DD1C9018BC4.tmp
Filename: C:\Users\Public\Documents\unzip.exe
Type: executable
MD5: AD9D7CBDB4B19FB65960D69126E3FF68
SHA256: A6C324F2925B3B3DBD2AD989E8D09C33ECC150496321AE5A1722AB097708F326

PID: 6704, Process: 86CB5F74AF900C505A558DD1C9018BC4.tmp
Filename: C:\Users\Public\Documents\is-5E390.tmp
Type: executable
MD5: AD9D7CBDB4B19FB65960D69126E3FF68
SHA256: A6C324F2925B3B3DBD2AD989E8D09C33ECC150496321AE5A1722AB097708F326

PID: 6704, Process: 86CB5F74AF900C505A558DD1C9018BC4.tmp
Filename: C:\Users\Public\Documents\Server.log
Type: binary
MD5: C986A652069CD80A1417EDB4E28B1D2F
SHA256: 8D92E4ED6470C4482251F758633BB0030BE577C098ADD044D1F473A0B907D15F

PID: 6720, Process: 86CB5F74AF900C505A558DD1C9018BC4.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-CHQB1.tmp\86CB5F74AF900C505A558DD1C9018BC4.tmp
Type: executable
MD5: 7F832A1ACDB53B2CE325F3D2266141D5
SHA256: CE5CB9AE2ABA5CF87457B5AD3BD293CB10B0F031E637EC549355763CAFC5C610
HTTP(S) requests: 18
TCP/UDP connections: 149
DNS requests: 154
Threats: 21

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3948 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
6504 | updater.exe | GET | 200 | 142.250.181.227:80 | http://c.pki.goog/r/gsr1.crl | unknown | - | - | whitelisted
6504 | updater.exe | GET | 200 | 142.250.181.227:80 | http://c.pki.goog/r/r4.crl | unknown | - | - | whitelisted
6504 | updater.exe | GET | 200 | 142.250.185.163:80 | http://o.pki.goog/we2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEQDPZmByDOs98xJONhjjIZaE | unknown | - | - | whitelisted
- | - | GET | - | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/diffgen-puffin/%7B8a69d345-d564-463c-aff1-a69d9e530f96%7D/90ee204561905aa512c564e6fd0e8182cfb9a2574f5ebc579bb7a89870bb4441 | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1380 | SIHClient.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
1380 | SIHClient.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted
6876 | chrome.exe | GET | 200 | 216.58.206.78:80 | http://clients2.google.com/time/1/current?cup2key=9:Rz7ytO3KsyqLxtMG9CbifabC1KOEPcYjMKOCTTzrvrI&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4944 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3948 | svchost.exe | 40.126.31.3:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3948 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
6648 | updater.exe | 142.250.186.67:443 | update.googleapis.com | GOOGLE | US | whitelisted
6504 | updater.exe | 142.250.185.110:443 | dl.google.com | GOOGLE | US | whitelisted
6504 | updater.exe | 142.250.181.227:80 | c.pki.goog | GOOGLE | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 52.191.219.104
  • 4.231.128.59
whitelisted
google.com
  • 216.58.206.78
whitelisted
login.live.com
  • 40.126.31.3
  • 20.190.159.131
  • 20.190.159.64
  • 40.126.31.2
  • 40.126.31.0
  • 40.126.31.71
  • 40.126.31.128
  • 20.190.159.128
whitelisted
ocsp.digicert.com
  • 184.30.131.245
  • 2.17.190.73
whitelisted
update.googleapis.com
  • 142.250.186.67
whitelisted
dl.google.com
  • 142.250.185.110
whitelisted
c.pki.goog
  • 142.250.181.227
whitelisted
o.pki.goog
  • 142.250.185.163
whitelisted
edgedl.me.gvt1.com
  • 34.104.35.123
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted

Threats

PID | Process | Class | Message
7044 | NtHandleCallback.exe | Malware Command and Control Activity Detected | ET MALWARE Winos4.0 Framework CnC Login Message
7044 | NtHandleCallback.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] SilverFox TCP Init Packet
7044 | NtHandleCallback.exe | Malware Command and Control Activity Detected | ET MALWARE Winos4.0 Framework CnC Login Message CnC Server Response
- | - | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
7044 | NtHandleCallback.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] SilverFox Encrypted Client Packet
888 | tracerpt.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] SilverFox Keep-Alive Client Packet
888 | tracerpt.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] SilverFox Keep-Alive Client Packet
6876 | chrome.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
6876 | chrome.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
888 | tracerpt.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] SilverFox Keep-Alive Client Packet

Debug output strings

Process | Message
men.exe | end
chrome.exe | I0000 00:00:1753491072.763831 8144 voice_transcription.cc:58] Registering VoiceTranscriptionCapability