File name:

1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8

Full analysis: https://app.any.run/tasks/5b7b9e26-2ade-430a-a636-5a7e5b56bfbf
Verdict: Malicious activity
Threats:

Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions.

Analysis date: November 30, 2024, 07:52:05
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
sality
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 9 sections
MD5:

2091A92ABF5013A9B59DD3294F824659

SHA1:

3272D9884AED8A81BDDA8A1D8CB57F3B10DEE4E9

SHA256:

1C8CF5275A67700379266BC7435B3C0E0EE8CB6447F7A233FB30A841E90F2FA8

SSDEEP:

98304:Qrd4tZGzlyTNr4Imlx5/nZ1DcpZW4tiAKPmbYBckssN7xDnymDoYvmJLYmkPV5vx:XW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes firewall settings

      • 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe (PID: 6572)
      • 65F1.tmp.exe (PID: 6720)
    • UAC/LUA settings modification

      • 65F1.tmp.exe (PID: 6720)
      • 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe (PID: 6572)
    • Changes Security Center notification settings

      • 65F1.tmp.exe (PID: 6720)
      • 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe (PID: 6572)
    • SALITY mutex has been found

      • 65F1.tmp.exe (PID: 6720)
      • 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe (PID: 6572)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe (PID: 6572)
      • ShellExperienceHost.exe (PID: 6764)
    • Starts itself from another location

      • 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe (PID: 6572)
    • Executable content was dropped or overwritten

      • 65F1.tmp.exe (PID: 6720)
      • 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe (PID: 6572)
    • Process drops legitimate windows executable

      • 65F1.tmp.exe (PID: 6720)
    • Drops a file with a rarely used extension (PIF)

      • 65F1.tmp.exe (PID: 6720)
    • Creates file in the systems drive root

      • 65F1.tmp.exe (PID: 6720)
      • 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe (PID: 6572)
  • INFO

    • Reads the computer name

      • 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe (PID: 6572)
      • ShellExperienceHost.exe (PID: 6764)
      • 65F1.tmp.exe (PID: 6720)
    • Process checks computer location settings

      • 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe (PID: 6572)
    • Create files in a temporary directory

      • 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe (PID: 6572)
      • 65F1.tmp.exe (PID: 6720)
    • The process uses the downloaded file

      • 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe (PID: 6572)
    • Checks supported languages

      • 65F1.tmp.exe (PID: 6720)
      • ShellExperienceHost.exe (PID: 6764)
      • 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe (PID: 6572)
    • Creates files in the program directory

      • 65F1.tmp.exe (PID: 6720)
    • Creates files or folders in the user directory

      • 65F1.tmp.exe (PID: 6720)
    • Reads the machine GUID from the registry

      • 65F1.tmp.exe (PID: 6720)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:09:30 08:54:22+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 3163136
InitializedDataSize: 1903104
UninitializedDataSize: -
EntryPoint: 0x2850a7
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.10.3287.80
ProductVersionNumber: 3.10.3287.80
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Tencent
FileDescription: 腾讯手游助手 - 卸载程序
FileVersion: 3.10.3287.80
InternalName: UnInstall
LegalCopyright: Copyright © 2020 Tencent. All Rights Reserved.
OriginalFileName: UnInstall.exe
ProductName: UnInstall.exe
ProductVersion: 3,10,3287,80
No data.
All screenshots are available in the full report
Total processes: 123
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes, in the order shown in the report:
  • start
  • 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe (#SALITY)
  • 65f1.tmp.exe (#SALITY)
  • shellexperiencehost.exe (no specs)
  • 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe (no specs)

Process information

PID: 6408
CMD: "C:\Users\admin\Desktop\1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe"
Path: C:\Users\admin\Desktop\1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Modules (images):
c:\users\admin\desktop\1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6572
CMD: "C:\Users\admin\Desktop\1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe"
Path: C:\Users\admin\Desktop\1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\desktop\1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID: 6720
CMD: "C:\Users\admin\AppData\Local\Temp\65F1.tmp.exe" -u -product_regkey MobileGamePC
Path: C:\Users\admin\AppData\Local\Temp\65F1.tmp.exe
Parent process: 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe
User: admin
Integrity Level: HIGH
Modules (images):
c:\users\admin\appdata\local\temp\65f1.tmp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID: 6764
CMD: "C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Shell Experience Host
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules (images):
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\dxgi.dll
Total events: 2 490
Read events: 2 205
Write events: 204
Delete events: 81

Modification events

(PID) Process: (6720) 65F1.tmp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Tencent\MobileGamePC\DeviceInfo
Operation: write
Name: glVendor
Value: Unknown

(PID) Process: (6720) 65F1.tmp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Tencent\MobileGamePC\DeviceInfo
Operation: write
Name: glRender
Value: GDI Generic

(PID) Process: (6720) 65F1.tmp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Tencent\MobileGamePC\Beacon
Operation: write
Name: Last_Sid_65F1.tmp.exe
Value: 5932B1F9-913A-431E-AC13-FF7C6C428C07

(PID) Process: (6720) 65F1.tmp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Tencent\MobileGamePC
Operation: write
Name: UserLanguage
Value: zh_CN

(PID) Process: (6572) 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation: write
Name: AntiVirusOverride
Value: 1

(PID) Process: (6572) 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation: write
Name: AntiVirusDisableNotify
Value: 1

(PID) Process: (6572) 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation: write
Name: FirewallDisableNotify
Value: 1

(PID) Process: (6572) 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation: write
Name: FirewallOverride
Value: 1

(PID) Process: (6572) 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation: write
Name: UpdatesDisableNotify
Value: 1

(PID) Process: (6572) 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation: write
Name: UacDisableNotify
Value: 1
Executable files: 9
Suspicious files: 2
Text files: 2
Unknown types: 0

Dropped files

PID: 6720
Process: 65F1.tmp.exe
Filename: (empty in report)
Type: (empty in report)
MD5: (empty in report)
SHA256: (empty in report)

PID: 6572
Process: 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe
Filename: C:\test.tmp
Type: binary
MD5: 44576FF153418370AFB9C2FF9576E852
SHA256: 3E3563EBA2C5733F0EA02621262222F39CDD2C214A6E7F62C01D5D5EAF3A57DF

PID: 6720
Process: 65F1.tmp.exe
Filename: C:\Users\admin\AppData\Local\Temp\6787.tmp
Type: executable
MD5: E58C7D21A08F8038F2D69CBBAE4E7484
SHA256: 7083BBA256B59C5E9BA62F700B858E0968169653CEC8284E5E0C6E0098E9E191

PID: 6572
Process: 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe
Filename: C:\Windows\system.ini
Type: binary
MD5: D3620ADAB7A84EB7F705184D29F49FA5
SHA256: AC8248EBF536DC1FF94B7A7A190A61AC0F6D2380D11963FFBD5F2F7CCA3DCABB

PID: 6572
Process: 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe
Filename: C:\Users\admin\AppData\Local\Temp\rroa.exe
Type: executable
MD5: B360FA63134A63F9ACFE046D2DFE10D9
SHA256: 03E0C6C4CA8A24F961477887763397045E67862E059F7494014AEFC21891D40E

PID: 6720
Process: 65F1.tmp.exe
Filename: C:\Users\admin\AppData\Local\Temp\winrxxcg.exe
Type: executable
MD5: B360FA63134A63F9ACFE046D2DFE10D9
SHA256: 03E0C6C4CA8A24F961477887763397045E67862E059F7494014AEFC21891D40E

PID: 6720
Process: 65F1.tmp.exe
Filename: C:\Users\admin\AppData\Local\Temp\winesehc.exe
Type: executable
MD5: B360FA63134A63F9ACFE046D2DFE10D9
SHA256: 03E0C6C4CA8A24F961477887763397045E67862E059F7494014AEFC21891D40E

PID: 6720
Process: 65F1.tmp.exe
Filename: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Type: executable
MD5: A381F316544549B9927AC43300477CA9
SHA256: 29E9BBA3BB07825630993EFFFDE61BE5545587F2CD01D2B753F7BEFAF2316018

PID: 6572
Process: 1c8cf5275a67700379266bc7435b3c0e0ee8cb6447f7a233fb30a841e90f2fa8.exe
Filename: C:\Users\admin\AppData\Local\Temp\65F1.tmp.exe
Type: executable
MD5: 2091A92ABF5013A9B59DD3294F824659
SHA256: 1C8CF5275A67700379266BC7435B3C0E0EE8CB6447F7A233FB30A841E90F2FA8

PID: 6720
Process: 65F1.tmp.exe
Filename: C:\pcjtx.pif
Type: executable
MD5: 6DED3C657CF2B5A4710E6F2FD3873ED2
SHA256: 6AEDCCB2BA08D9F99AFAC4D96AA41272B4D7CBE0DA89274DD34C34B017CCCEFC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 29
DNS requests: 9
Threats: 0

HTTP requests

PID: 4712
Process: MoUsoCoreWorker.exe
Method: GET
HTTP Code: 200
IP: 23.48.23.156:80
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
CN: unknown
Reputation: whitelisted

PID: 716
Process: svchost.exe
Method: GET
HTTP Code: 200
IP: 23.48.23.156:80
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
CN: unknown
Reputation: whitelisted

PID: 716
Process: svchost.exe
Method: GET
HTTP Code: 200
IP: 2.19.217.218:80
URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
CN: unknown
Reputation: whitelisted

PID: 4712
Process: MoUsoCoreWorker.exe
Method: GET
HTTP Code: 200
IP: 2.19.217.218:80
URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
CN: unknown
Reputation: whitelisted

Connections

PID: 716
Process: svchost.exe
IP: 4.231.128.59:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 4712
Process: MoUsoCoreWorker.exe
IP: 4.231.128.59:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

PID: (not recorded)
Process: (not recorded)
IP: 4.231.128.59:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID: (not recorded)
Process: (not recorded)
IP: 23.212.110.201:443
Domain: www.bing.com
ASN: Akamai International B.V.
CN: CZ
Reputation: whitelisted

PID: 4712
Process: MoUsoCoreWorker.exe
IP: 23.48.23.156:80
Domain: crl.microsoft.com
ASN: Akamai International B.V.
CN: DE
Reputation: whitelisted

PID: 716
Process: svchost.exe
IP: 23.48.23.156:80
Domain: crl.microsoft.com
ASN: Akamai International B.V.
CN: DE
Reputation: whitelisted

PID: 6720
Process: 65F1.tmp.exe
IP: 157.255.4.39:443
Domain: master.etl.desktop.qq.com
ASN: China Unicom Guangdong IP network
CN: CN
Reputation: whitelisted

PID: 6720
Process: 65F1.tmp.exe
IP: 101.33.47.206:8081
Domain: oth.eve.mdt.qq.com
ASN: Tencent Building, Kejizhongyi Avenue
CN: SG
Reputation: whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
www.bing.com
  • 23.212.110.201
  • 23.212.110.145
  • 23.212.110.203
  • 23.212.110.209
  • 23.212.110.219
  • 23.212.110.136
  • 23.212.110.139
  • 23.212.110.218
  • 23.212.110.138
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
oth.eve.mdt.qq.com
  • 101.33.47.206
  • 101.33.47.68
whitelisted
master.etl.desktop.qq.com
  • 157.255.4.39
whitelisted
www.microsoft.com
  • 2.19.217.218
whitelisted
self.events.data.microsoft.com
  • 40.79.150.120
whitelisted

Threats

No threats detected
No debug info