File name:

baka.loader.2.exe

Full analysis: https://app.any.run/tasks/0d60bfed-faa2-4ebc-b6e5-5e33c4ff524a
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: May 12, 2025, 15:48:11
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
sality
sainbox
rat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

52B94DDD4DA55AD4EE05BF87580EED81

SHA1:

9C6EC89F1AA6AD38F5E9BF19B09836F83CC6966C

SHA256:

7EBBCF3365712D3EB9C25214B4CEF37B252F84FF32892612B216AD66247DDEF7

SSDEEP:

6144:Q3hdpCua451MQT2whvJ0tSTmxKip4RTnFWwVD9+P0x/lxHVZMdyaGLNopmghrS6U:Q3hdEr45HFWS+hYhu6POhNODHn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • UAC/LUA settings modification

      • baka.loader.2.exe (PID: 6040)

    • SAINBOX has been detected

      • baka.loader.2.exe (PID: 6040)

    • SALITY mutex has been found

      • baka.loader.2.exe (PID: 6040)

    • Changes Security Center notification settings

      • baka.loader.2.exe (PID: 6040)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Checks supported languages

      • baka.loader.2.exe (PID: 6040)

    • The sample compiled with english language support

      • baka.loader.2.exe (PID: 6040)

    • Create files in a temporary directory

      • baka.loader.2.exe (PID: 6040)

    • Reads the computer name

      • baka.loader.2.exe (PID: 6040)

    • Checks proxy server information

      • slui.exe (PID: 4608)

    • Reads the software policy settings

      • slui.exe (PID: 4608)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Microsoft Visual Basic 6 (69.4)
.exe | Win64 Executable (generic) (23.3)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:04:24 16:38:58+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 225280
InitializedDataSize: 24576
UninitializedDataSize: -
EntryPoint: 0x1ee4
OSVersion: 4
ImageVersion: 2
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.250
ProductVersionNumber: 2.0.0.250
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
LegalCopyright: baka@hotmail.se
ProductName: baka.loader.2
FileVersion: 2.00.0250
ProductVersion: 2.00.0250
InternalName: baka.loader.2
OriginalFileName: baka.loader.2.exe
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
122
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #SALITY baka.loader.2.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
4608C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6040"C:\Users\admin\Desktop\baka.loader.2.exe" C:\Users\admin\Desktop\baka.loader.2.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
2.00.0250
Modules
Images
c:\users\admin\desktop\baka.loader.2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
Total events
3 556
Read events
3 531
Write events
25
Delete events
0

Modification events

(PID) Process:(6040) baka.loader.2.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:AntiVirusOverride
Value:
1
(PID) Process:(6040) baka.loader.2.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:AntiVirusDisableNotify
Value:
1
(PID) Process:(6040) baka.loader.2.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:FirewallDisableNotify
Value:
1
(PID) Process:(6040) baka.loader.2.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:FirewallOverride
Value:
1
(PID) Process:(6040) baka.loader.2.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:UpdatesDisableNotify
Value:
1
(PID) Process:(6040) baka.loader.2.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:UacDisableNotify
Value:
1
(PID) Process:(6040) baka.loader.2.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Operation:writeName:AntiVirusOverride
Value:
1
(PID) Process:(6040) baka.loader.2.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Operation:writeName:AntiVirusDisableNotify
Value:
1
(PID) Process:(6040) baka.loader.2.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Operation:writeName:FirewallDisableNotify
Value:
1
(PID) Process:(6040) baka.loader.2.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Operation:writeName:FirewallOverride
Value:
1
Executable files
0
Suspicious files
2
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6040baka.loader.2.exeC:\Users\admin\AppData\Local\Temp\~DF6D7829164F276316.TMPbinary
MD5:B3D58DCC94577E2C072716524F165C62
SHA256:3047D4C348760A6A13CBBC05CA440E4624AAC16AA3DBFE2C3FD67F5423150ECE
6040baka.loader.2.exeC:\Windows\system.inibinary
MD5:364479A4C2C542FD2D25869D88EB4028
SHA256:12B781125417AEEF6623C99D00CA6E7777659F79350B3E2484535217387FBC44
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
42
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2920
svchost.exe
GET
200
104.124.11.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6620
SIHClient.exe
GET
200
104.124.11.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6620
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
6620
SIHClient.exe
GET
200
104.124.11.19:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
6620
SIHClient.exe
GET
200
104.124.11.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
2920
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6620
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6620
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
6620
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
6620
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6620
SIHClient.exe
20.12.23.50:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2920
svchost.exe
104.124.11.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4268
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6620
SIHClient.exe
104.124.11.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2920
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.78
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.249
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.11
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
crl.microsoft.com
  • 104.124.11.19
  • 104.124.11.58
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
login.live.com
  • 20.190.159.131
  • 20.190.159.75
  • 20.190.159.71
  • 40.126.31.130
  • 20.190.159.129
  • 40.126.31.131
  • 40.126.31.71
  • 40.126.31.73
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
baka.loader.2.exe