File name:	Winsoftzone.exe
Full analysis:	https://app.any.run/tasks/acb6c540-2e5f-4663-8967-b7c23ce56c75
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	June 13, 2025, 19:30:17
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	stealer salatstealer golang upx winring0x64-sys vuln-driver xmrig
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	7184FD76D2538CDEF50241D6C1B88D8C
SHA1:	0BB181D18E943A99366BF9A9F912276A57BB3426
SHA256:	4C70CF335CFDB2B65302328BEFE611E3879E9ADC959852CF3A78371EC847BF2D
SSDEEP:	98304:F1TKvfhX8cTc0JsuDkwLfxX/p+zmIE44RCWfo3SV1wRfwweCTo9569ZDUGERk+/w:xui8KDUO

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll	\|	Win32 Dynamic Link Library (generic) (7.4)
.exe	\|	Win32 Executable (generic) (5.1)
.exe	\|	Generic Win/DOS Executable (2.2)
.exe	\|	DOS Executable Generic (2.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:06:04 20:26:43+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	11
CodeSize:	8539648
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0x826d6e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	0.0.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:
FileVersion:	0.0.0.0
InternalName:	Winsoftzone.exe
LegalCopyright:
OriginalFileName:	Winsoftzone.exe
ProductVersion:	0.0.0.0
AssemblyVersion:	0.0.0.0


(PID) Process:	(5616) 1.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
Operation:	write	Name:	DontOfferThroughWUAU
Value: 1
(PID) Process:	(2188) lhhsgwktkatl.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
Operation:	write	Name:	DontOfferThroughWUAU
Value: 1

PID	Process	Filename		Type
4860	Winsoftzone.exe	C:\Windows\1.exe		executable
		MD5:BF67D925F546C8EF352F897ABC48EDE0	SHA256:CAC877F1DAF5FBF0F63BA2713000A618153ED499722FEF9A6A13A208C8FB3B0E
7008	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_b5k4m3ct.qbu.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4860	Winsoftzone.exe	C:\Windows\9.exe		executable
		MD5:BFC556EADFD5A730822AC148CFE71AA3	SHA256:AD7B06DB9E55E0DD55B895DA93B464AC224C1C1F2117E9FCF8FCCA3F2D29A140
7008	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zbyd04ag.tx0.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6664	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_rvwpr4rl.kze.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6664	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_lcbxrto1.iey.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5616	1.exe	C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe		executable
		MD5:BF67D925F546C8EF352F897ABC48EDE0	SHA256:CAC877F1DAF5FBF0F63BA2713000A618153ED499722FEF9A6A13A208C8FB3B0E
6664	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_cxs31we0.mpj.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4224	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rcp1t1kz.5pq.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6664	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_rosuiq2p.kes.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	—	104.21.64.1:443	https://pidorasina.ru/sa1at/	unknown	—	—	—
—	—	GET	—	104.21.16.1:443	https://pidorasina.ru/sa1at/	unknown	—	—	—
—	—	POST	—	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	—	—	whitelisted
—	—	POST	—	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	—	—	whitelisted
—	—	GET	—	104.21.80.1:443	https://pidorasina.ru/sa1at/	unknown	—	—	—
—	—	GET	—	104.21.112.1:443	https://pidorasina.ru/sa1at/	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1488	RUXIMICS.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5896	9.exe	1.1.1.1:443	—	—	—	whitelisted
1268	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6024	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5896	9.exe	8.8.4.4:443	dns.google	—	—	whitelisted

Domain	IP	Reputation
google.com	216.58.206.46	whitelisted
settings-win.data.microsoft.com	20.73.194.208	whitelisted
dns.google	8.8.4.4 8.8.8.8	whitelisted
posholnahuy.ru	46.41.16.168	malicious
pidorasina.ru	104.21.64.1 104.21.32.1 104.21.48.1 104.21.96.1 104.21.80.1 104.21.112.1 104.21.16.1	unknown
eu-de02.miningrigrentals.com	165.227.153.169	whitelisted
mucintuanl.temp.swtest.ru	—	unknown
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
self.events.data.microsoft.com	20.42.73.24	whitelisted

PID	Process	Class	Message
—	—	Misc activity	ET USER_AGENTS Go HTTP Client User-Agent
—	—	Misc activity	ET INFO Go-http-client User-Agent Observed Outbound
—	—	Misc activity	ET USER_AGENTS Go HTTP Client User-Agent
—	—	Misc activity	ET INFO Go-http-client User-Agent Observed Outbound
—	—	Misc activity	ET USER_AGENTS Go HTTP Client User-Agent
—	—	Misc activity	ET INFO Go-http-client User-Agent Observed Outbound
—	—	Misc activity	ET INFO Go-http-client User-Agent Observed Outbound
—	—	Misc activity	ET USER_AGENTS Go HTTP Client User-Agent
—	—	Potentially Bad Traffic	ET TA_ABUSED_SERVICES Commonly Abused Domain Service Domain in DNS Lookup (temp .swtest .ru)
—	—	Misc activity	ET USER_AGENTS Go HTTP Client User-Agent

General Info

Winsoftzone.exe

7184FD76D2538CDEF50241D6C1B88D8C

0BB181D18E943A99366BF9A9F912276A57BB3426

4C70CF335CFDB2B65302328BEFE611E3879E9ADC959852CF3A78371EC847BF2D

98304:F1TKvfhX8cTc0JsuDkwLfxX/p+zmIE44RCWfo3SV1wRfwweCTo9569ZDUGERk+/w:xui8KDUO

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SALATSTEALER has been detected (YARA)

Changes Windows Defender settings

Adds extension to the Windows Defender exclusion list

Uninstalls Malicious Software Removal Tool (MRT)

Vulnerable driver has been detected

XMRIG has been detected (YARA)

SUSPICIOUS

Reads the date of Windows installation

Reads security settings of Internet Explorer

Starts POWERSHELL.EXE for commands execution

BASE64 encoded PowerShell command has been detected

Base64-obfuscated command line is found

Executable content was dropped or overwritten

Multiple wallet extension IDs have been found

Manipulates environment variables

Script adds exclusion path to Windows Defender

Script adds exclusion extension to Windows Defender

There is functionality for taking screenshot (YARA)

Stops a currently running service

Starts CMD.EXE for commands execution

Uses powercfg.exe to modify the power settings

Process uninstalls Windows update

Starts SC.EXE for service management

Windows service management via SC.EXE

Creates a new Windows service

Executes as Windows Service

Drops a system driver (possible attempt to evade defenses)

Connects to unusual port

Uses NSLOOKUP.EXE to check DNS info

INFO

Process checks computer location settings

Reads the machine GUID from the registry

Checks supported languages

Reads the computer name

Application based on Golang

Reads the software policy settings

The sample compiled with english language support

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

UPX packer has been detected

Detects GO elliptic curve encryption (YARA)

Creates files in the program directory

Checks proxy server information

The sample compiled with japanese language support

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules