File name: ddfe2c124b4478d13589e5efbfdf9deab899afa2c46f01a13f4b97b06c2e3055.exe

Full analysis: https://app.any.run/tasks/ba0db84f-cb6f-439a-b7b9-2ba80078d3f3
Verdict: Malicious activity
Threats:

Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions.

Analysis date: April 08, 2026, 16:58:25
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: sality, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: B46F1FFFFF7B60C566EC39295D340C4F
SHA1: 623B55F6AACCC9F435599769CEA4CDE053F2515B
SHA256: DDFE2C124B4478D13589E5EFBFDF9DEAB899AFA2C46F01A13F4B97B06C2E3055
SSDEEP: 98304:eSU8sy0SCRRROBSvSS5i4f01Etq6NUsd8BYSywRp4E59D/vIbkM6J9X+3sR1ySKZ:Ikzkd4QJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes Security Center notification settings
      • ddfe2c124b4478d13589e5efbfdf9deab899afa2c46f01a13f4b97b06c2e3055.exe (PID: 7224)
    • SALITY mutex has been found
      • ddfe2c124b4478d13589e5efbfdf9deab899afa2c46f01a13f4b97b06c2e3055.exe (PID: 7224)
  • SUSPICIOUS
    • Creates a file in the system drive root
      • ddfe2c124b4478d13589e5efbfdf9deab899afa2c46f01a13f4b97b06c2e3055.exe (PID: 7224)
  • INFO
    • The sample was compiled with Chinese language support
      • ddfe2c124b4478d13589e5efbfdf9deab899afa2c46f01a13f4b97b06c2e3055.exe (PID: 7224)
    • Reads the computer name
      • ddfe2c124b4478d13589e5efbfdf9deab899afa2c46f01a13f4b97b06c2e3055.exe (PID: 7224)
    • Checks supported languages
      • ddfe2c124b4478d13589e5efbfdf9deab899afa2c46f01a13f4b97b06c2e3055.exe (PID: 7224)
    • Creates files in a temporary directory
      • ddfe2c124b4478d13589e5efbfdf9deab899afa2c46f01a13f4b97b06c2e3055.exe (PID: 7224)
    • UPX packer has been detected
      • ddfe2c124b4478d13589e5efbfdf9deab899afa2c46f01a13f4b97b06c2e3055.exe (PID: 7224)
    • Reads the machine GUID from the registry
      • ddfe2c124b4478d13589e5efbfdf9deab899afa2c46f01a13f4b97b06c2e3055.exe (PID: 7224)
    • There is functionality for taking screenshots (YARA)
      • ddfe2c124b4478d13589e5efbfdf9deab899afa2c46f01a13f4b97b06c2e3055.exe (PID: 7224)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2026:02:06 11:36:27+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 782336
InitializedDataSize: 3629056
UninitializedDataSize: -
EntryPoint: 0x9b535
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 1.0.0.0
FileDescription: 易语言程序 (Easy Language program)
ProductName: 易语言程序 (Easy Language program)
ProductVersion: 1.0.0.0
LegalCopyright: 作者版权所有 请尊重并使用正版 (Copyright held by the author; please respect it and use the genuine version)
Comments: 本程序使用易语言编写(http://www.dywt.com.cn) (This program was written in Easy Language (http://www.dywt.com.cn))
No data.
All screenshots are available in the full report
Total processes: 134
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start
#SALITY ddfe2c124b4478d13589e5efbfdf9deab899afa2c46f01a13f4b97b06c2e3055.exe
no specs slui.exe

Process information

PID: 7224
CMD: "C:\Users\admin\Desktop\ddfe2c124b4478d13589e5efbfdf9deab899afa2c46f01a13f4b97b06c2e3055.exe"
Path: C:\Users\admin\Desktop\ddfe2c124b4478d13589e5efbfdf9deab899afa2c46f01a13f4b97b06c2e3055.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: 易语言程序 (Easy Language program)
Version: 1.0.0.0
Modules
Images
c:\users\admin\desktop\ddfe2c124b4478d13589e5efbfdf9deab899afa2c46f01a13f4b97b06c2e3055.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7408
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 4 295
Read events: 3 937
Write events: 358
Delete events: 0

Modification events

(PID) Process: (7224) ddfe2c124b4478d13589e5efbfdf9deab899afa2c46f01a13f4b97b06c2e3055.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Aaspp

Operation | Name | Value
write | a1_25 |
write | a2_25 |
write | a3_25 |
write | a4_25 |
write | a1_26 |
write | a2_26 |
write | a3_26 |
write | a4_26 |
write | a1_27 | 537586591
write | a2_27 | 512340977
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 5

Dropped files

PID: 7224  Process: ddfe2c124b4478d13589e5efbfdf9deab899afa2c46f01a13f4b97b06c2e3055.exe
Filename: C:\Users\admin\Desktop\ÅäÖÃ9.ini  Type: binary
MD5: 8B1B025B979FFA2BB77642BC742AFB26
SHA256: 20191180E721AC3A78BFE6740EEA87FA1DC96077BC3BC838C30213DD46E8740F

PID: 7224  Process: ddfe2c124b4478d13589e5efbfdf9deab899afa2c46f01a13f4b97b06c2e3055.exe
Filename: C:\Users\admin\AppData\Local\Temp\E2EECore.2.7.2.dll  Type: binary
MD5: 8B6C94BBDBFB213E94A5DCB4FAC28CE3
SHA256: 982A177924762F270B36FE34C7D6847392B48AE53151DC2011078DCEEF487A53

PID: 7224  Process: ddfe2c124b4478d13589e5efbfdf9deab899afa2c46f01a13f4b97b06c2e3055.exe
Filename: C:\Windows\system.ini  Type: binary
MD5: 61236225DF50D29B6F814E325F6E2C28
SHA256: 44C36FB6535886091C931340321A21122CE4A9E403D2C46CD99800EAE17ABDF5

PID: 7224  Process: ddfe2c124b4478d13589e5efbfdf9deab899afa2c46f01a13f4b97b06c2e3055.exe
Filename: C:\Users\admin\AppData\Local\Temp\winipitm.exe  Type: binary
MD5: 25AA9BB549ECC7BB6100F8D179452508
SHA256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C

PID: 7224  Process: ddfe2c124b4478d13589e5efbfdf9deab899afa2c46f01a13f4b97b06c2e3055.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe  Type: binary
MD5: CF1A1B2A6F227D5B06AB0B3C8B88618B
SHA256: 1FD250A499B2912B1ACEC31A03CAA32F1B328F2861E1383E94F23386F724FB36
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 19
DNS requests: 10
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7424 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
7408 | slui.exe | POST | 500 | 128.24.231.64:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | text | 512 b | whitelisted
7408 | slui.exe | POST | 500 | 48.192.1.65:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | text | 512 b | whitelisted
3280 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | US | binary | 814 b | whitelisted
3280 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | US | binary | 400 b | whitelisted
3280 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | US | binary | 813 b | whitelisted
3280 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl | US | binary | 400 b | whitelisted
7424 | svchost.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
3280 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl | US | binary | 813 b | whitelisted
3280 | svchost.exe | GET | 200 | 23.216.77.39:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | NL | binary | 824 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | Not routed | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7380 | slui.exe | 48.192.1.65:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | Not routed | whitelisted
7424 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
7424 | svchost.exe | 23.52.181.212:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
5276 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7424 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5208 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7408 | slui.exe | 48.192.1.65:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted
google.com
  • 192.178.183.113
  • 192.178.183.100
  • 192.178.183.101
  • 192.178.183.138
  • 192.178.183.102
  • 192.178.183.139
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
  • 23.216.77.20
  • 23.216.77.41
  • 23.216.77.22
  • 23.216.77.25
  • 23.216.77.21
  • 23.216.77.13
  • 23.216.77.15
  • 23.216.77.39
  • 23.216.77.35
  • 23.216.77.37
  • 23.216.77.42
  • 23.216.77.38
  • 23.216.77.30
  • 23.216.77.32
whitelisted
www.microsoft.com
  • 23.52.181.212
  • 2.23.246.101
whitelisted
self.events.data.microsoft.com
  • 20.42.73.28
whitelisted

Threats

No threats detected
No debug info