File name:

CheatFinder.exe

Full analysis: https://app.any.run/tasks/48c4f06c-fad2-4430-8841-09bf0cd680a7
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: December 31, 2025, 17:02:40
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
salatstealer
stealer
susp-powershell
golang
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

5F2E38A82FF689AF1033F8A6E75A010B

SHA1:

4BF403A0150E434056EC4FC78DB58E260AECE7AD

SHA256:

265336F5934AF0D201858EEF366CA37767ACD6D1B0051839792D4F62C664F023

SSDEEP:

98304:PxGteB5cmSzwrq67KQ4867iCi4p9/iAChvLWDolpemUt4tSwnadJaARFUf6jAJ4t:OZe6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • SALATSTEALER has been detected (YARA)

      • CheatFinder.exe (PID: 7804)

    • SALATSTEALER mutex has been found

      • CheatFinder.exe (PID: 7804)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • CheatFinder.exe (PID: 7608)

    • Application launched itself

      • CheatFinder.exe (PID: 7608)

    • There is functionality for taking screenshot (YARA)

      • CheatFinder.exe (PID: 7804)

    • Multiple wallet extension IDs have been found

      • CheatFinder.exe (PID: 7804)

  • INFO

    • Reads the computer name

      • CheatFinder.exe (PID: 7608)
      • CheatFinder.exe (PID: 7804)

    • Detects GO elliptic curve encryption (YARA)

      • CheatFinder.exe (PID: 7804)

    • Reads the machine GUID from the registry

      • CheatFinder.exe (PID: 7608)
      • CheatFinder.exe (PID: 7804)

    • Checks supported languages

      • CheatFinder.exe (PID: 7608)
      • CheatFinder.exe (PID: 7804)

    • Process checks computer location settings

      • CheatFinder.exe (PID: 7608)

    • Found Base64 encoded access to environment variables via PowerShell (YARA)

      • CheatFinder.exe (PID: 7804)

    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • CheatFinder.exe (PID: 7804)

    • Checks proxy server information

      • slui.exe (PID: 7260)

    • UPX packer has been detected

      • CheatFinder.exe (PID: 7804)

    • Application based on Golang

      • CheatFinder.exe (PID: 7804)

    • Found Base64 encoded file access via PowerShell (YARA)

      • CheatFinder.exe (PID: 7804)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 3
CodeSize: 3293184
InitializedDataSize: 4096
UninitializedDataSize: 8802304
EntryPoint: 0xb889f0
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
158
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cheatfinder.exe no specs #SALATSTEALER cheatfinder.exe slui.exe svchost.exe ucpdmgr.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2292C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
4292"C:\WINDOWS\system32\UCPDMgr.exe"C:\Windows\System32\UCPDMgr.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
User Choice Protection Manager
Exit code:
0
Version:
1.0.0.414301
Modules
Images
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
7260C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7608"C:\Users\admin\AppData\Local\Temp\CheatFinder.exe" C:\Users\admin\AppData\Local\Temp\CheatFinder.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
2
Modules
Images
c:\users\admin\appdata\local\temp\cheatfinder.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
7804"C:\Users\admin\AppData\Local\Temp\CheatFinder.exe" C:\Users\admin\AppData\Local\Temp\CheatFinder.exe
CheatFinder.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\cheatfinder.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
8076\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeUCPDMgr.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
5 315
Read events
5 315
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
40
TCP/UDP connections
85
DNS requests
24
Threats
32

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6768
MoUsoCoreWorker.exe
GET
304
51.124.78.146:443
https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop
unknown
whitelisted
6768
MoUsoCoreWorker.exe
GET
304
51.124.78.146:443
https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30
unknown
whitelisted
5308
svchost.exe
POST
200
40.126.31.129:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
5308
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1080
SIHClient.exe
GET
200
52.165.164.15:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
whitelisted
1080
SIHClient.exe
GET
200
20.165.94.63:443
https://slscr.update.microsoft.com/sls/ping
unknown
whitelisted
1080
SIHClient.exe
GET
304
20.165.94.63:443
https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
whitelisted
1176
svchost.exe
GET
200
72.246.29.11:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
23.55.110.211:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5308
svchost.exe
POST
200
40.126.31.129:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
1176
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6768
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
408
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
7804
CheatFinder.exe
8.8.4.4:443
dns.google
GOOGLE
US
whitelisted
3412
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7804
CheatFinder.exe
188.114.97.3:443
CLOUDFLARENET
US
whitelisted
5308
svchost.exe
40.126.31.129:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5308
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.251.208.14
whitelisted
dns.google
  • 8.8.4.4
  • 8.8.8.8
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.31.129
  • 20.190.159.73
  • 40.126.31.0
  • 40.126.31.1
  • 20.190.159.2
  • 40.126.31.3
  • 20.190.159.71
  • 40.126.31.2
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
crl.microsoft.com
  • 23.55.110.211
  • 23.55.110.193
whitelisted
www.microsoft.com
  • 72.246.29.11
whitelisted
slscr.update.microsoft.com
  • 20.165.94.63
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

PID
Process
Class
Message
2292
svchost.exe
Misc activity
INFO [ANY.RUN] Google DNS-over-HTTPS service requested (dns. google)
7804
CheatFinder.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
7804
CheatFinder.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
7804
CheatFinder.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
7804
CheatFinder.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
7804
CheatFinder.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Salatstealer related domain (salator .es)
7804
CheatFinder.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
7804
CheatFinder.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
7804
CheatFinder.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
7804
CheatFinder.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
CheatFinder.exe