File name:	Clash_Verge.exe
Full analysis:	https://app.any.run/tasks/10161c44-56ca-4c27-9266-ab1f2172b1ea
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	February 21, 2026, 17:14:35
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	salatstealer stealer ms-smartcard upx susp-powershell golang
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	4BE03E4FEFE07A0B6ECF91554C608B74
SHA1:	968DDD3F2987ADFB06C3DE3593C5DB7A6E16468D
SHA256:	3518B7577B7D346FB65076135D746D059C8BC8C6E50482DC7EFD5EDF598C4D59
SSDEEP:	196608:U3fySkEdvEaReO1yrtEz/6tf3eYoSQkQaSQfzyf0ComgZWnMySBziIBmNa9sQtk:sdX/RwmzCBuiQkbDO0CgWn4XBAa9dC

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2013:06:15 16:44:28+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	5.12
CodeSize:	3584
InitializedDataSize:	37554176
UninitializedDataSize:	-
EntryPoint:	0x1ae1
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	2.4.0.0
ProductVersionNumber:	2.4.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileDescription:	Clash Verge Rev
FileVersion:	2.4.0
LegalCopyright:	GNU General Public License v3.0
ProductName:	Clash Verge
ProductVersion:	2.4.0


(PID) Process:	(2868) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe
Operation:	write	Name:	DisableExceptionChainValidation
Value: 0
(PID) Process:	(2868) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\PersistedPings\{4763A658-1D6E-487B-B957-73C43FEB3F63}
Operation:	write	Name:	PersistedPingString
Value: <?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" updater="Omaha" updaterversion="1.3.195.65" shell_version="1.3.147.37" ismachine="1" sessionid="{ADFE6F9A-7E0F-4CCC-B13A-A7C368D9E8DC}" userid="{FD984739-A122-4DB0-BE5B-46E3E09D84E4}" installsource="otherinstallcmd" requestid="{4763A658-1D6E-487B-B957-73C43FEB3F63}" dedup="cr" domainjoined="0"><hw logical_cpus="6" physmemory="6" disk_type="2" sse="1" sse2="1" sse3="1" ssse3="1" sse41="1" sse42="1" avx="1"/><os platform="win" version="10.0.19045.4046" sp="" arch="x64" product_type="48" is_wip="0" is_in_lockdown_mode="0"/><oem product_manufacturer="DELL" product_name="DELL"/><exp etag=""r452t1+k2Tgq/HXzjvFNBRhopBWR9sbjXxqeUDH9uX0=""/><app appid="{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}" version="1.3.195.43" nextversion="1.3.195.65" lang="" brand="" client=""><event eventtype="2" eventresult="1" errorcode="0" extracode1="0" system_uptime_ticks="20145269834" install_time_ms="235"/></app></request>
(PID) Process:	(2868) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\PersistedPings\{4763A658-1D6E-487B-B957-73C43FEB3F63}
Operation:	write	Name:	PersistedPingTime
Value: 134161677098137082
(PID) Process:	(2868) MicrosoftEdgeUpdate.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\EdgeUpdate\proxy
Operation:	write	Name:	source
Value: auto
(PID) Process:	(2868) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\PersistedPings\{4763A658-1D6E-487B-B957-73C43FEB3F63}
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(2868) MicrosoftEdgeUpdate.exe	Key:	\REGISTRY\A\{fea04e59-a9ad-ee79-6a3d-3ca96bad5615}\Root\InventoryApplicationFile
Operation:	write	Name:	WritePermissionsCheck
Value: 1
(PID) Process:	(2868) MicrosoftEdgeUpdate.exe	Key:	\REGISTRY\A\{fea04e59-a9ad-ee79-6a3d-3ca96bad5615}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6516) wermgr.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
Operation:	write	Name:	ClockTimeSeconds
Value: 1FE8996900000000
(PID) Process:	(6516) wermgr.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
Operation:	write	Name:	TickCount
Value: EAC31E0000000000
(PID) Process:	(2868) MicrosoftEdgeUpdate.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Timings
Operation:	write	Name:	setup_lock_acquire_ms
Value: 0400000000000000000000000000000000000000000000000000000000000000

PID	Process	Filename		Type
8892	Clash_Verge.exe	C:\Users\admin\AppData\Local\Temp\Clash.Verge_2.4.0_x64-setup.exe		—
		MD5:—	SHA256:—
8632	Clash.Verge_2.4.0_x64-setup.exe	C:\Users\admin\AppData\Local\Temp\nse7222.tmp\LangDLL.dll		binary
		MD5:68B287F4067BA013E34A1339AFDB1EA8	SHA256:18E8B40BA22C7A1687BD16E8D585380BC2773FFF5002D7D67E9485FCC0C51026
8632	Clash.Verge_2.4.0_x64-setup.exe	C:\Users\admin\AppData\Local\Temp\nse7222.tmp\modern-wizard.bmp		binary
		MD5:CBE40FD2B1EC96DAEDC65DA172D90022	SHA256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
7924	Clash.Verge.exe	C:\Program Files (x86)\WindowsPowerShell\ApplicationFrameHost.exe		binary
		MD5:680080A76559191EC1BBA58C72FF0C1E	SHA256:5D243591389DA9B6AC88AC2D30D3B19AFA2E5637DCC8B2865119BD3CB51AC276
8892	Clash_Verge.exe	C:\Users\admin\AppData\Local\Temp\Clash.Verge.exe		binary
		MD5:680080A76559191EC1BBA58C72FF0C1E	SHA256:5D243591389DA9B6AC88AC2D30D3B19AFA2E5637DCC8B2865119BD3CB51AC276
7924	Clash.Verge.exe	C:\Users\admin\AppData\Local\MicrosoftEdge\spoolsv.exe		binary
		MD5:680080A76559191EC1BBA58C72FF0C1E	SHA256:5D243591389DA9B6AC88AC2D30D3B19AFA2E5637DCC8B2865119BD3CB51AC276
2424	spoolsv.exe	C:\Program Files (x86)\Microsoft\Edge\Application\spoolsv.exe		binary
		MD5:680080A76559191EC1BBA58C72FF0C1E	SHA256:5D243591389DA9B6AC88AC2D30D3B19AFA2E5637DCC8B2865119BD3CB51AC276
8632	Clash.Verge_2.4.0_x64-setup.exe	C:\Users\admin\AppData\Local\Temp\nse7222.tmp\StartMenu.dll		binary
		MD5:D070F3275DF715BF3708BEFF2C6C307D	SHA256:42DD4DDA3249A94E32E20F76EAFFAE784A5475ED00C60EF0197C8A2C1CCD2FB7
8800	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fg3ohsp0.5so.psm1		binary
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8796	MicrosoftEdgeWebview2Setup.exe	C:\Program Files (x86)\Microsoft\Temp\EUB93C.tmp\MicrosoftEdgeUpdate.exe		binary
		MD5:00F783B313796440834D82778F2850E5	SHA256:F4CE25C64DA2142B2CB7D9C5B0F1540D1718E4A5CEF38683634E7BA2636D7D7B

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
8552	svchost.exe	GET	200	2.16.164.107:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
6768	MoUsoCoreWorker.exe	GET	200	2.16.164.107:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
—	—	GET	200	2.16.164.107:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
—	—	POST	200	20.190.159.71:443	https://login.live.com/RST2.srf	US	binary	11.1 Kb	whitelisted
8552	svchost.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
—	—	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
—	—	POST	403	23.52.181.212:443	https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409	US	binary	386 b	whitelisted
3332	SIHClient.exe	GET	304	74.178.240.61:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	US	—	—	whitelisted
6768	MoUsoCoreWorker.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
—	—	POST	200	20.190.159.131:443	https://login.live.com/RST2.srf	US	binary	10.3 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	184.86.251.22:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
—	—	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
8552	svchost.exe	2.16.164.107:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
—	—	2.16.164.107:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
6768	MoUsoCoreWorker.exe	2.16.164.107:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
—	—	23.52.181.212:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
8552	svchost.exe	23.52.181.212:80	www.microsoft.com	AKAMAI-AS	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
www.bing.com	184.86.251.22 184.86.251.27 184.86.251.9 184.86.251.7 184.86.251.20	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
google.com	142.251.140.174	whitelisted
crl.microsoft.com	2.16.164.107 2.16.164.34 2.16.164.9 2.16.164.89 2.16.164.81 2.16.164.17 2.16.164.106 2.16.164.40 2.16.164.114 2.16.164.128 2.16.164.120 2.16.164.51 2.16.164.73 2.16.164.98	whitelisted
www.microsoft.com	23.52.181.212 88.221.169.152	whitelisted
login.live.com	20.190.159.71 40.126.31.71 20.190.159.131 40.126.31.128 20.190.159.68 20.190.159.2 40.126.31.69 20.190.159.73 40.126.32.133 40.126.32.72 40.126.32.140 20.190.160.67 40.126.32.136 20.190.160.17 40.126.32.76 20.190.160.4	whitelisted
dns.google	8.8.8.8 8.8.4.4	whitelisted
go.microsoft.com	23.52.181.141	whitelisted
slscr.update.microsoft.com	74.178.240.61	whitelisted

PID	Process	Class	Message
2292	svchost.exe	Misc activity	INFO [ANY.RUN] Google DNS-over-HTTPS service requested (dns. google)
7924	Clash.Verge.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
7924	Clash.Verge.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
7924	Clash.Verge.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
7924	Clash.Verge.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Salatstealer related domain (salator .es)
7924	Clash.Verge.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
2424	spoolsv.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
2424	spoolsv.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
2424	spoolsv.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
2424	spoolsv.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Salatstealer related domain (salator .es)

General Info

Clash_Verge.exe

4BE03E4FEFE07A0B6ECF91554C608B74

968DDD3F2987ADFB06C3DE3593C5DB7A6E16468D

3518B7577B7D346FB65076135D746D059C8BC8C6E50482DC7EFD5EDF598C4D59

196608:U3fySkEdvEaReO1yrtEz/6tf3eYoSQkQaSQfzyf0ComgZWnMySBziIBmNa9sQtk:sdX/RwmzCBuiQkbDO0CgWn4XBAa9dC

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SALATSTEALER has been detected (SURICATA)

SALATSTEALER mutex has been found

Steals credentials from Web Browsers

Actions looks like stealing of personal data

SALATSTEALER has been detected (YARA)

SUSPICIOUS

Application launched itself

The process creates files with name similar to system file names

Starts itself from another location

Starts POWERSHELL.EXE for commands execution

Possible stealing of messenger data

Possible stealing from crypto wallets

Searches for installed software

Gets path to any of the special folders (POWERSHELL)

Starts a Microsoft application from unusual location

Malware-specific behavior (creating "System.dll" in Temp)

Disables SEHOP

Multiple wallet extension IDs have been found

INFO

Reads the computer name

Create files in a temporary directory

The sample compiled with english language support

Reads the machine GUID from the registry

Process checks computer location settings

Checks supported languages

Reads security settings of Internet Explorer

Creates files in the program directory

Creates files or folders in the user directory

Drops encrypted JS script (Microsoft Script Encoder)

Drops script file

Checks current location (POWERSHELL)

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

There is functionality for taking screenshot (YARA)

Reads Environment values

Application based on Golang

Checks proxy server information

UPX packer has been detected

Found Base64 encoded access to environment variables via PowerShell (YARA)

Detects GO elliptic curve encryption (YARA)

Found Base64 encoded access to Windows Defender via PowerShell (YARA)

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information