File name: 059e75624d43bada5396251fb8edc138a8213a78de3107da2306871068ab31cc.exe

Full analysis: https://app.any.run/tasks/823ae4c2-769e-4963-a4b4-fe0c6f51517a
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: May 18, 2025, 00:46:17
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: sality, sainbox, rat, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: 9FCE0F0895A93B32551BFA7441CE7763
SHA1: 6C384DFB43EBDE6D22BD34D81A9F02D7C1477164
SHA256: 059E75624D43BADA5396251FB8EDC138A8213A78DE3107DA2306871068AB31CC
SSDEEP: 3072:e4K2sTc6zh4K2udIsNSpF1XkMs7U0C1LTO:eisT1diudINXkj1C1HO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • SALITY mutex has been found

      • 059e75624d43bada5396251fb8edc138a8213a78de3107da2306871068ab31cc.exe (PID: 2088)
    • SAINBOX has been detected

      • 059e75624d43bada5396251fb8edc138a8213a78de3107da2306871068ab31cc.exe (PID: 2088)
    • UAC/LUA settings modification

      • 059e75624d43bada5396251fb8edc138a8213a78de3107da2306871068ab31cc.exe (PID: 2088)
    • Changes Security Center notification settings

      • 059e75624d43bada5396251fb8edc138a8213a78de3107da2306871068ab31cc.exe (PID: 2088)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 059e75624d43bada5396251fb8edc138a8213a78de3107da2306871068ab31cc.exe (PID: 2088)
    • Process drops legitimate windows executable

      • 059e75624d43bada5396251fb8edc138a8213a78de3107da2306871068ab31cc.exe (PID: 2088)
  • INFO

    • Checks supported languages

      • 059e75624d43bada5396251fb8edc138a8213a78de3107da2306871068ab31cc.exe (PID: 2088)
    • The sample was compiled with English language support

      • 059e75624d43bada5396251fb8edc138a8213a78de3107da2306871068ab31cc.exe (PID: 2088)
    • Reads the computer name

      • 059e75624d43bada5396251fb8edc138a8213a78de3107da2306871068ab31cc.exe (PID: 2088)
    • Checks proxy server information

      • slui.exe (PID: 6944)
    • Create files in a temporary directory

      • 059e75624d43bada5396251fb8edc138a8213a78de3107da2306871068ab31cc.exe (PID: 2088)
    • Reads the software policy settings

      • slui.exe (PID: 6944)
    • UPX packer has been detected

      • 059e75624d43bada5396251fb8edc138a8213a78de3107da2306871068ab31cc.exe (PID: 2088)
    • Creates files or folders in the user directory

      • 059e75624d43bada5396251fb8edc138a8213a78de3107da2306871068ab31cc.exe (PID: 2088)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Microsoft Visual Basic 6 (90.6)
.exe | Win32 Executable (generic) (4.9)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1972:03:29 21:00:28+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 77824
InitializedDataSize: 69632
UninitializedDataSize: -
EntryPoint: 0x115c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: HaCkErS TeAM
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: FaCeBooK HaCk!nG TooL 2 V 1.3
OriginalFileName: FaCeBooK HaCk!nG TooL 2 V 1.3.exe
No data.
All screenshots are available in the full report
Total processes: 122
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start, #SALITY 059e75624d43bada5396251fb8edc138a8213a78de3107da2306871068ab31cc.exe, slui.exe

Process information

PID: 2088
CMD: "C:\Users\admin\Desktop\059e75624d43bada5396251fb8edc138a8213a78de3107da2306871068ab31cc.exe"
Path: C:\Users\admin\Desktop\059e75624d43bada5396251fb8edc138a8213a78de3107da2306871068ab31cc.exe
Parent process: explorer.exe
User: admin
Company: HaCkErS TeAM
Integrity Level: MEDIUM
Version: 1.00
Modules
Images
c:\users\admin\desktop\059e75624d43bada5396251fb8edc138a8213a78de3107da2306871068ab31cc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 6944
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 7 942
Read events: 5 725
Write events: 2 217
Delete events: 0

Modification events

All modification events below were performed by 059e75624d43bada5396251fb8edc138a8213a78de3107da2306871068ab31cc.exe (PID: 2088); Operation: write.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
  Name: AntiVirusOverride, Value: 1
  Name: AntiVirusDisableNotify, Value: 1
  Name: FirewallDisableNotify, Value: 1
  Name: FirewallOverride, Value: 1
  Name: UpdatesDisableNotify, Value: 1
  Name: UacDisableNotify, Value: 1

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
  Name: AntiVirusOverride, Value: 1
  Name: AntiVirusDisableNotify, Value: 1
  Name: FirewallDisableNotify, Value: 1
  Name: FirewallOverride, Value: 1
Executable files: 2
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID: 2088 | Process: 059e75624d43bada5396251fb8edc138a8213a78de3107da2306871068ab31cc.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | Type: executable
MD5: E54A1C9F1774174E950285F5F5DFC6FA
SHA256: 0D59F05FAF8691523BDB1E8BE6ACDCC7ACD55A3ADEDAB21D99603EDC135EED8C

PID: 2088 | Process: 059e75624d43bada5396251fb8edc138a8213a78de3107da2306871068ab31cc.exe | Filename: C:\Users\admin\AppData\Local\Temp\winxwls.exe | Type: executable
MD5: E92D3A824A0578A50D2DD81B5060145F
SHA256: 87F53BC444C05230CE439DBB127C03F2E374067D6FB08E91C834371FD9ECF661

PID: 2088 | Process: 059e75624d43bada5396251fb8edc138a8213a78de3107da2306871068ab31cc.exe | Filename: C:\Windows\system.ini | Type: binary
MD5: E8D497C7C3A366B4D44819993F7A137C
SHA256: 6A40438CB18E6DEEDB837387B9207D2A6AFA0EC2EB2513AF0E541047B409BCE6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 20
DNS requests: 4
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6244 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6944 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
google.com | 142.250.185.174 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info