File name:

Desktop.zip

Full analysis: https://app.any.run/tasks/5d1aa11b-6cfc-4a2d-92ec-26aa1960518d
Verdict: Malicious activity
Threats:

Sality is a sophisticated malware family known for infecting executable files and spreading rapidly across networks. It builds a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, which makes it difficult to remove. Its ability to spread quickly and silently, together with its polymorphic nature, lets it evade detection by traditional antivirus solutions.

Analysis date: March 24, 2025, 13:23:29
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
sality
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

CCF57D5C453DB2B82AC9E6683CEEE827

SHA1:

D7175945B43B3CDB405C6F94D24AD099247D1AC1

SHA256:

0F723057F188B278B2AAA185B821E816E15D50D3C669CB99778EEB4A7F24B63A

SSDEEP:

6144:nBko9+TUkNi28q8HcgyqO765A4V5bomzZ9sC2i7QmQgHXf4VTPaIYp:Bko9+TUDyDgy776bVXsC2i7QPQU6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 6044)
    • Disables Windows firewall

      • Sality.AU' in file setup.exe (PID: 7628)
    • UAC/LUA settings modification

      • Sality.AU' in file setup.exe (PID: 7628)
    • Changes Security Center notification settings

      • Sality.AU' in file setup.exe (PID: 7628)
    • Disables task manager

      • Sality.AU' in file setup.exe (PID: 7628)
    • Changes firewall settings

      • Sality.AU' in file setup.exe (PID: 7628)
    • SALITY mutex has been found

      • Sality.AU' in file setup.exe (PID: 7628)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 6044)
    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 6044)
    • Starts a Microsoft application from unusual location

      • Sality.AU' in file setup.exe (PID: 7628)
      • Sality.AU' in file setup.exe (PID: 7548)
    • Reads disk information to detect sandboxing environments

      • hkcmd.exe (PID: 7428)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6044)
    • Manual execution by a user

      • hkcmd.exe (PID: 7428)
      • hkcmd.exe (PID: 7240)
      • Sality.AU' in file setup.exe (PID: 7548)
      • Sality.AU' in file setup.exe (PID: 7628)
    • The sample was compiled with English language support

      • WinRAR.exe (PID: 6044)
    • Creates files or folders in the user directory

      • BackgroundTransferHost.exe (PID: 7680)
    • Reads the computer name

      • Sality.AU' in file setup.exe (PID: 7628)
    • Checks supported languages

      • ShellExperienceHost.exe (PID: 7208)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:03:24 13:15:08
ZipCRC: 0xdd4529d2
ZipCompressedSize: 50973
ZipUncompressedSize: 118784
ZipFileName: hccutils.dll
No data.
All screenshots are available in the full report
Total processes
148
Monitored processes
13
Malicious processes
1
Suspicious processes
0

Behavior graph

  • winrar.exe
  • sppextcomobj.exe (no specs)
  • slui.exe (no specs)
  • hkcmd.exe (no specs)
  • backgroundtransferhost.exe (no specs)
  • backgroundtransferhost.exe
  • backgroundtransferhost.exe (no specs)
  • backgroundtransferhost.exe (no specs)
  • backgroundtransferhost.exe (no specs)
  • hkcmd.exe
  • sality.au' in file setup.exe (no specs)
  • sality.au' in file setup.exe (#SALITY)
  • shellexperiencehost.exe (no specs)

Process information

PID:
1180
CMD:
C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path:
C:\Windows\System32\SppExtComObj.Exe
Parent process:
svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID:
4040
CMD:
"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path:
C:\Windows\System32\slui.exe
Parent process:
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
4920
CMD:
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path:
C:\Windows\System32\BackgroundTransferHost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID:
6044
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Desktop.zip
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
7208
CMD:
"C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Path:
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shell Experience Host
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\wincorlib.dll
PID:
7240
CMD:
"C:\Users\admin\Desktop\hkcmd.exe"
Path:
C:\Users\admin\Desktop\hkcmd.exe
Parent process:
explorer.exe
User:
admin
Company:
Intel Corporation
Integrity Level:
HIGH
Description:
hkcmd Module
Exit code:
0
Version:
3.0.0.4020
Modules
Images
c:\users\admin\desktop\hkcmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
7428
CMD:
"C:\Users\admin\Desktop\hkcmd.exe"
Path:
C:\Users\admin\Desktop\hkcmd.exe
Parent process:
explorer.exe
User:
admin
Company:
Intel Corporation
Integrity Level:
MEDIUM
Description:
hkcmd Module
Exit code:
0
Version:
3.0.0.4020
Modules
Images
c:\users\admin\desktop\hkcmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
7472
CMD:
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path:
C:\Windows\System32\BackgroundTransferHost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID:
7548
CMD:
"C:\Users\admin\Desktop\Sality.AU' in file setup.exe"
Path:
C:\Users\admin\Desktop\Sality.AU' in file setup.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Setup Bootstrap for Visual Basic Setup Toolkit
Exit code:
3221226540
Version:
6.00.8169
Modules
Images
c:\users\admin\desktop\sality.au' in file setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
7628
CMD:
"C:\Users\admin\Desktop\Sality.AU' in file setup.exe"
Path:
C:\Users\admin\Desktop\Sality.AU' in file setup.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Setup Bootstrap for Visual Basic Setup Toolkit
Exit code:
1
Version:
6.00.8169
Modules
Images
c:\users\admin\desktop\sality.au' in file setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
Total events
46 655
Read events
46 596
Write events
59
Delete events
0

Modification events

(PID) Process:
(6044) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
3
Value:
C:\Users\admin\Desktop\preferences.zip

(PID) Process:
(6044) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
2
Value:
C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process:
(6044) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process:
(6044) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:
write
Name:
0
Value:
C:\Users\admin\AppData\Local\Temp\Desktop.zip

(PID) Process:
(6044) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
name
Value:
120

(PID) Process:
(6044) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
size
Value:
80

(PID) Process:
(6044) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
type
Value:
120

(PID) Process:
(6044) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
mtime
Value:
100

(PID) Process:
(6044) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:
write
Name:
Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000

(PID) Process:
(6044) WinRAR.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:
write
Name:
name
Value:
256
Executable files
3
Suspicious files
6
Text files
1
Unknown types
0

Dropped files

PID:
7680
Process:
BackgroundTransferHost.exe
Filename:
C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\1509a54c-86b3-4b5c-bee2-17f19d4f98f3.down_data
Type:
MD5:
SHA256:

PID:
7680
Process:
BackgroundTransferHost.exe
Filename:
C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D
Type:
binary
MD5: 4872BABAF39AA62B8D32695EBB7E9173
SHA256: 2EE85DF86EE29BBEB3DCA81AA29B6DE204F605A2769B84C728A329178A2D0999

PID:
7680
Process:
BackgroundTransferHost.exe
Filename:
C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\1509a54c-86b3-4b5c-bee2-17f19d4f98f3.fd0573ee-e4e0-4344-986b-3ffe8c2b9e96.down_meta
Type:
binary
MD5: 48E999CEDA3DAA9B683A3FE4E2AEF094
SHA256: D38CB41F56F4A130156410FB75B9DCAAF571E4E9BC7B23A1C21C7FDF0EE5E62F

PID:
7628
Process:
Sality.AU' in file setup.exe
Filename:
C:\Windows\system.ini
Type:
binary
MD5: 28F96958B655AFDDF401898828C2532A
SHA256: BF838CAC4151E3F24EBB6E8DAFADAEDE1321D6BE338CDDED604D20252DDEE160

PID:
6044
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$DRa6044.43505\Sality.AU' in file 'setup.exe'
Type:
executable
MD5: FDC45D4E334BEF9FE31D72B47006921D
SHA256: FEADDC233C8BA06B816EF9F7189E333EE0D6CD3490AA2B3C08331B358421A015

PID:
7680
Process:
BackgroundTransferHost.exe
Filename:
C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\2fa40eb1-0835-4503-8459-27a072580def.fd0573ee-e4e0-4344-986b-3ffe8c2b9e96.down_meta
Type:
binary
MD5: 48E999CEDA3DAA9B683A3FE4E2AEF094
SHA256: D38CB41F56F4A130156410FB75B9DCAAF571E4E9BC7B23A1C21C7FDF0EE5E62F

PID:
6044
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$DRa6044.43505\hccutils.dll
Type:
executable
MD5: 129A8BC118B57FA1F4145E9B14E4A50C
SHA256: F0803CDF24DB29A6F795C91CDF8BC4D11E5017B8CDF7D818158DF67582E524BA

PID:
6044
Process:
WinRAR.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Rar$DRa6044.43505\hkcmd.exe
Type:
executable
MD5: 472181A5772ACD07E7C236F49DA8D4D3
SHA256: 97B9B58EAD8F3D4560C3CE31B3CEC9131EE11247B095CBCC16007DDE3ACDB8D4

PID:
7628
Process:
Sality.AU' in file setup.exe
Filename:
C:\Windows\ST6UNST.000
Type:
text
MD5: 9940604D92C6460226F33C3EFF667846
SHA256: A60E84F4CE6F1FC0742D797571F89FB9D329603BDC0C4021E20ABF1E4729F5C6

PID:
7680
Process:
BackgroundTransferHost.exe
Filename:
C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D
Type:
binary
MD5: 7F98D42F33D9600E1A651F7873EFDF6C
SHA256: 35FE8F7071E3A6AEBE30181EE73B3756FBE7A21321D3602229C3BF1256D1A86F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
23
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
7020
backgroundTaskHost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
unknown
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
7680
BackgroundTransferHost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
unknown
5984
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
unknown
5984
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
unknown
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
4
System
192.168.100.255:137
unknown
3216
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
6544
svchost.exe
20.190.159.128:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
unknown
7020
backgroundTaskHost.exe
20.199.58.43:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
unknown
7020
backgroundTaskHost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
unknown
7680
BackgroundTransferHost.exe
2.16.204.135:443
www.bing.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.110
unknown
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
unknown
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.180
  • 23.48.23.177
  • 23.48.23.162
  • 23.48.23.158
  • 23.48.23.143
  • 23.48.23.194
  • 23.48.23.147
  • 23.48.23.159
unknown
client.wns.windows.com
  • 40.113.110.67
unknown
login.live.com
  • 20.190.159.128
  • 40.126.31.67
  • 20.190.159.130
  • 20.190.159.64
  • 20.190.159.129
  • 40.126.31.129
  • 40.126.31.1
  • 20.190.159.131
unknown
ocsp.digicert.com
  • 184.30.131.245
unknown
arc.msn.com
  • 20.199.58.43
unknown
www.bing.com
  • 2.16.204.135
  • 2.16.204.155
  • 2.16.204.143
  • 2.16.204.147
  • 2.16.204.136
  • 2.16.204.157
  • 2.16.204.160
  • 2.16.204.161
  • 2.16.204.134
unknown
slscr.update.microsoft.com
  • 20.109.210.53
unknown
www.microsoft.com
  • 23.219.150.101
unknown

Threats

No threats detected
No debug info