File name:	62b60a03728c4c9d25d2ed0403dc489dd3b19530409eccf2803884307da48bbb
Full analysis:	https://app.any.run/tasks/53771f01-ca12-472c-adb9-6af026502117
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions. Malware Trends Tracker >>>
Analysis date:	April 13, 2025, 00:03:04
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	sality sainbox rat upx
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, 2 sections
MD5:	BEB26B55F488CA4C9573EB3A556C0879
SHA1:	04A11FED6730F05A826260E855A154C605CACDFC
SHA256:	62B60A03728C4C9D25D2ED0403DC489DD3B19530409ECCF2803884307DA48BBB
SSDEEP:	3072:8p6oLFltRCbGvy8rm0Cj/ruWaJBL9yeYfZ9glohWb9N:8p6GtwKrmrD7YBJyeYTOog9N

.dll	\|	Win32 Dynamic Link Library (generic) (43.5)
.exe	\|	Win32 Executable (generic) (29.8)
.exe	\|	Generic Win/DOS Executable (13.2)
.exe	\|	DOS Executable Generic (13.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2010:11:05 20:30:50+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, 32-bit, DLL
PEType:	PE32
LinkerVersion:	6
CodeSize:	121856
InitializedDataSize:	512
UninitializedDataSize:	-
EntryPoint:	0x1e9b7
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI


(PID) Process:	(7464) 10ce3f.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:	write	Name:	AntiVirusOverride
Value: 1
(PID) Process:	(7464) 10ce3f.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:	write	Name:	AntiVirusDisableNotify
Value: 1
(PID) Process:	(7464) 10ce3f.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:	write	Name:	FirewallDisableNotify
Value: 1
(PID) Process:	(7464) 10ce3f.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:	write	Name:	FirewallOverride
Value: 1
(PID) Process:	(7464) 10ce3f.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:	write	Name:	UpdatesDisableNotify
Value: 1
(PID) Process:	(7464) 10ce3f.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:	write	Name:	UacDisableNotify
Value: 1
(PID) Process:	(7464) 10ce3f.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Operation:	write	Name:	AntiVirusOverride
Value: 1
(PID) Process:	(7464) 10ce3f.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Operation:	write	Name:	AntiVirusDisableNotify
Value: 1
(PID) Process:	(7464) 10ce3f.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Operation:	write	Name:	FirewallDisableNotify
Value: 1
(PID) Process:	(7464) 10ce3f.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Operation:	write	Name:	FirewallOverride
Value: 1

PID	Process	Filename		Type
7464	10ce3f.exe	C:\Users\admin\AppData\Local\Temp\winppwdi.exe		executable
		MD5:B360FA63134A63F9ACFE046D2DFE10D9	SHA256:03E0C6C4CA8A24F961477887763397045E67862E059F7494014AEFC21891D40E
7452	rundll32.exe	C:\Users\admin\AppData\Local\Temp\10d9d7.exe		executable
		MD5:9A60723EDFC1F138BC4704EC09A4B789	SHA256:2CA9556D7107903D3107695FF2FEF63059CF13C108AF822D4E14D4413017BD00
7464	10ce3f.exe	C:\Windows\system.ini		binary
		MD5:5AC49DF127DB5FDC116A78CF9D7781BF	SHA256:84A7058B0E06FD395C15B1F40FD4A2C8C9BEF6FB9BF1171CBDFE082DCB05EA57
7452	rundll32.exe	C:\Users\admin\AppData\Local\Temp\10ce3f.exe		executable
		MD5:9A60723EDFC1F138BC4704EC09A4B789	SHA256:2CA9556D7107903D3107695FF2FEF63059CF13C108AF822D4E14D4413017BD00
7452	rundll32.exe	C:\Users\admin\AppData\Local\Temp\10d9f7.exe		executable
		MD5:9A60723EDFC1F138BC4704EC09A4B789	SHA256:2CA9556D7107903D3107695FF2FEF63059CF13C108AF822D4E14D4413017BD00
7788	FileCoAuth.exe	C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-04-13.0003.7788.1.aodl		binary
		MD5:28DCA2FF4B34B5A52A2E59DF202A6ED3	SHA256:33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94
7452	rundll32.exe	C:\Users\admin\AppData\Local\Temp\10ceea.exe		executable
		MD5:9A60723EDFC1F138BC4704EC09A4B789	SHA256:2CA9556D7107903D3107695FF2FEF63059CF13C108AF822D4E14D4413017BD00
7600	10d9f7.exe	C:\Users\admin\AppData\Local\Temp\difki.exe		executable
		MD5:B360FA63134A63F9ACFE046D2DFE10D9	SHA256:03E0C6C4CA8A24F961477887763397045E67862E059F7494014AEFC21891D40E
7788	FileCoAuth.exe	C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-04-13.0003.7788.1.odl		binary
		MD5:9030C5852A5AC4096DACDC9654E52C52	SHA256:9BC68830C8FC8E6A99A160D4864B1032FEFB2A4F46C6C3AF60E21EF4BC04E0BF

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
3896	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
8040	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	142.250.186.78	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

General Info

62b60a03728c4c9d25d2ed0403dc489dd3b19530409eccf2803884307da48bbb

BEB26B55F488CA4C9573EB3A556C0879

04A11FED6730F05A826260E855A154C605CACDFC

62B60A03728C4C9D25D2ED0403DC489DD3B19530409ECCF2803884307DA48BBB

3072:8p6oLFltRCbGvy8rm0Cj/ruWaJBL9yeYfZ9glohWb9N:8p6GtwKrmrD7YBJyeYTOog9N

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes Security Center notification settings

UAC/LUA settings modification

SALITY has been detected

SAINBOX has been detected

SALITY mutex has been found

Runs injected code in another process

Application was injected by another process

SUSPICIOUS

Executable content was dropped or overwritten

INFO

Reads the computer name

Creates files or folders in the user directory

Create files in a temporary directory

Checks supported languages

UPX packer has been detected

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings