File name:

server.exe

Full analysis: https://app.any.run/tasks/a2e464e8-1d50-40ed-a88f-2cb57330aed2
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: May 18, 2025, 01:53:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
sality
sainbox
rat
revengerat
netreactor
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

A51261B21385056C02C8C3AD23358FF6

SHA1:

6DADDF2B3AB82FC55091344D34C39E2F760E24A2

SHA256:

DDBB13C9C2171AFD540CFBD2833098D87837A4D81A09337D6C24CFFD94429D4C

SSDEEP:

24576:BhDe2DUpCAyF8tnlrnVPQUpqJSeHdY9trjPqzsKF99c:BhDe2DUgAyF8tnhnVYUKdY9trjPysKFM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • SALITY mutex has been found

      • server.exe (PID: 7408)

    • UAC/LUA settings modification

      • server.exe (PID: 7408)

    • Changes Security Center notification settings

      • server.exe (PID: 7408)

    • SAINBOX has been detected

      • server.exe (PID: 7408)

    • REVENGERAT has been detected (YARA)

      • server.exe (PID: 7408)

  • SUSPICIOUS

    • Application launched itself

      • server.exe (PID: 7408)

    • Creates file in the systems drive root

      • server.exe (PID: 7720)

    • Connects to FTP

      • server.exe (PID: 7408)

    • There is functionality for taking screenshot (YARA)

      • server.exe (PID: 7408)

    • Executable content was dropped or overwritten

      • server.exe (PID: 7408)

    • Reads security settings of Internet Explorer

      • server.exe (PID: 7408)

    • Executes application which crashes

      • InstallUtil.exe (PID: 4336)

    • Process drops legitimate windows executable

      • server.exe (PID: 7408)

  • INFO

    • Checks supported languages

      • server.exe (PID: 7408)
      • server.exe (PID: 7472)
      • temp.exe (PID: 5392)
      • InstallUtil.exe (PID: 4336)

    • Reads the computer name

      • server.exe (PID: 7408)
      • server.exe (PID: 7472)
      • temp.exe (PID: 5392)

    • Create files in a temporary directory

      • server.exe (PID: 7472)
      • server.exe (PID: 7408)
      • temp.exe (PID: 5392)

    • .NET Reactor protector has been detected

      • server.exe (PID: 7408)

    • UPX packer has been detected

      • server.exe (PID: 7408)

    • The sample compiled with english language support

      • server.exe (PID: 7408)

    • Process checks computer location settings

      • server.exe (PID: 7408)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 5308)

    • Checks proxy server information

      • slui.exe (PID: 7324)

    • Reads the software policy settings

      • slui.exe (PID: 7324)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (28.2)
.exe | InstallShield setup (16.6)
.exe | Win32 Executable MS Visual C++ (generic) (12)
.exe | Win64 Executable (generic) (10.6)
.exe | UPX compressed Win32 Executable (10.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2008:08:19 13:24:27+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 25088
InitializedDataSize: 6144
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
141
Monitored processes
10
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #SALITY server.exe server.exe no specs server.exe no specs conhost.exe no specs temp.exe no specs temp.exe no specs temp.exe installutil.exe werfault.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1184"C:\Users\admin\AppData\Local\Temp\temp.exe" C:\Users\admin\AppData\Local\Temp\temp.exeserver.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\temp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
2088"C:\Users\admin\AppData\Local\Temp\temp.exe"C:\Users\admin\AppData\Local\Temp\temp.exeserver.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\temp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
4336"C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
temp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
.NET Framework installation utility
Exit code:
3221225477
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\installutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\mscoree.dll
5308C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4336 -s 244C:\Windows\SysWOW64\WerFault.exeInstallUtil.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
5392"C:\Users\admin\AppData\Local\Temp\temp.exe" C:\Users\admin\AppData\Local\Temp\temp.exe
server.exe
User:
admin
Integrity Level:
HIGH
Exit code:
4294967295
Modules
Images
c:\users\admin\appdata\local\temp\temp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\mscoree.dll
7324C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7408"C:\Users\admin\Desktop\server.exe" C:\Users\admin\Desktop\server.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\server.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7472 /stext C:\Users\admin\AppData\Local\Temp\temp.txtC:\Users\admin\Desktop\server.exeserver.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\server.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7720"C:\Users\admin\Desktop\server.exe"C:\Users\admin\Desktop\server.exeserver.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
7728\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeserver.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events
5 780
Read events
5 717
Write events
60
Delete events
3

Modification events

(PID) Process:(7408) server.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:AntiVirusOverride
Value:
1
(PID) Process:(7408) server.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:AntiVirusDisableNotify
Value:
1
(PID) Process:(7408) server.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:FirewallDisableNotify
Value:
1
(PID) Process:(7408) server.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:FirewallOverride
Value:
1
(PID) Process:(7408) server.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:UpdatesDisableNotify
Value:
1
(PID) Process:(7408) server.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:UacDisableNotify
Value:
1
(PID) Process:(7408) server.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Operation:writeName:AntiVirusOverride
Value:
1
(PID) Process:(7408) server.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Operation:writeName:AntiVirusDisableNotify
Value:
1
(PID) Process:(7408) server.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Operation:writeName:FirewallDisableNotify
Value:
1
(PID) Process:(7408) server.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Operation:writeName:FirewallOverride
Value:
1
Executable files
3
Suspicious files
6
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
5308WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_InstallUtil.exe_0b12cf0b2ff50d7223ff18ecbaaf1aee713c92e_14e788bc_3ec6a53b-4038-483b-b650-58cc77f6465a\Report.wer
MD5:
SHA256:
7472server.exeC:\Users\admin\AppData\Local\Temp\temp.txttext
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
7408server.exeC:\Users\admin\AppData\Local\Temp\temp.txtbinary
MD5:C3F88DABCD53F4E95838F4C110E7760F
SHA256:0217F0CBFD7577ECAAE68EB2B7DAFE77C53FAE1F76EE16BEBAD5E8F76EA7F8BD
5308WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER5774.tmp.dmpbinary
MD5:75931DF321D00FDBBCD0A3F64A266A16
SHA256:6352B085E935A7C21916B37EA74AA1A60720A86CFBA1387E72461D369F4291EC
5392temp.exeC:\Users\admin\AppData\Local\Temp\oZblRvZwfR.txttext
MD5:1DC8AE5673BCA7E94000D0AF9C6D840C
SHA256:8D112ACC21CFCDB02DED0268050360721305869EF58BBB57FD5D54FADDACCE46
5308WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER57C3.tmp.WERInternalMetadata.xmlbinary
MD5:EB6D8E5E4BDEA36EB62337F07665A13A
SHA256:83659BDEE28CE3608798077002EC223A046D7640E371FE7E6D13FBFBC481DDBE
5308WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER57F3.tmp.xmlxml
MD5:172CA5695C554A41FA323B6917315363
SHA256:E73B45935FFCC587F4C8041EDE96A926886C58E82646F481FE0B14806CA7212E
5308WerFault.exeC:\Windows\appcompat\Programs\Amcache.hvebinary
MD5:D54B5C52796BA1BD5224014F55EA1172
SHA256:F0C8F4F2057585EF4C485C7BC0D87E4C630E0698D969620A46EEF1EE8BBDA1BD
7408server.exeC:\Users\admin\AppData\Local\Temp\ltmwrd.exeexecutable
MD5:25AA9BB549ECC7BB6100F8D179452508
SHA256:DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
7408server.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exeexecutable
MD5:CF1A1B2A6F227D5B06AB0B3C8B88618B
SHA256:1FD250A499B2912B1ACEC31A03CAA32F1B328F2861E1383E94F23386F724FB36
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
53
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
660
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
8084
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
660
RUXIMICS.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
8084
SIHClient.exe
GET
200
2.20.245.137:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
8084
SIHClient.exe
GET
200
2.20.245.137:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
8084
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
8084
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
8084
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
660
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
660
RUXIMICS.exe
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
660
RUXIMICS.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
  • 2.20.245.137
  • 2.20.245.139
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.219.150.101
whitelisted
login.live.com
  • 20.190.159.4
  • 40.126.31.131
  • 20.190.159.71
  • 40.126.31.0
  • 40.126.31.130
  • 40.126.31.129
  • 40.126.31.73
  • 40.126.31.3
whitelisted
brazilianluffydance.fwh.is
  • 185.27.134.137
unknown
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
server.exe