File name:

x52d4d16a5110b036ab825ac9822effaf12bbce3313f97f44114b011deaffffc4.exe

Full analysis: https://app.any.run/tasks/10da681d-3dfb-4661-80ea-ea11333d7d9b
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: May 07, 2026, 01:49:53
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
salatstealer
susp-powershell
upx
golang
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

7815CDF8B795609D5BD3C2AF1DECF032

SHA1:

F54F2ED18B1A2FAA777997411AC2BB95112CF4BF

SHA256:

52D4D16A5110B036AB825AC9822EFFAF12BBCE3313F97F44114B011DEAFFFFC4

SSDEEP:

98304:HPCmlfcyodmdFL372gQ2bbju2oFwvUdWak0PDzFpYpussRIHYOmDToyUZSCJr/:hj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • SALATSTEALER has been detected (YARA)

      • x52d4d16a5110b036ab825ac9822effaf12bbce3313f97f44114b011deaffffc4.exe (PID: 5616)

  • SUSPICIOUS

    • Executes application which crashes

      • x52d4d16a5110b036ab825ac9822effaf12bbce3313f97f44114b011deaffffc4.exe (PID: 5616)

    • Multiple wallet extension IDs have been found

      • x52d4d16a5110b036ab825ac9822effaf12bbce3313f97f44114b011deaffffc4.exe (PID: 5616)

  • INFO

    • Checks supported languages

      • x52d4d16a5110b036ab825ac9822effaf12bbce3313f97f44114b011deaffffc4.exe (PID: 5616)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 1536)

    • There is functionality for taking screenshot (YARA)

      • x52d4d16a5110b036ab825ac9822effaf12bbce3313f97f44114b011deaffffc4.exe (PID: 5616)

    • Detects GO elliptic curve encryption (YARA)

      • x52d4d16a5110b036ab825ac9822effaf12bbce3313f97f44114b011deaffffc4.exe (PID: 5616)

    • UPX packer has been detected

      • x52d4d16a5110b036ab825ac9822effaf12bbce3313f97f44114b011deaffffc4.exe (PID: 5616)

    • Found Base64 encoded access to environment variables via PowerShell (YARA)

      • x52d4d16a5110b036ab825ac9822effaf12bbce3313f97f44114b011deaffffc4.exe (PID: 5616)

    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • x52d4d16a5110b036ab825ac9822effaf12bbce3313f97f44114b011deaffffc4.exe (PID: 5616)

    • Application based on Golang

      • x52d4d16a5110b036ab825ac9822effaf12bbce3313f97f44114b011deaffffc4.exe (PID: 5616)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (36.3)
.exe | Win32 Executable MS Visual C++ (generic) (26.3)
.exe | UPX compressed Win32 Executable (22.8)
.dll | Win32 Dynamic Link Library (generic) (5.5)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 3
CodeSize: 3596288
InitializedDataSize: 4096
UninitializedDataSize: 9334784
EntryPoint: 0x79370
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
136
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #SALATSTEALER x52d4d16a5110b036ab825ac9822effaf12bbce3313f97f44114b011deaffffc4.exe werfault.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1536C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5616 -s 224C:\Windows\SysWOW64\WerFault.exe
x52d4d16a5110b036ab825ac9822effaf12bbce3313f97f44114b011deaffffc4.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
5616"C:\Users\admin\Desktop\x52d4d16a5110b036ab825ac9822effaf12bbce3313f97f44114b011deaffffc4.exe" C:\Users\admin\Desktop\x52d4d16a5110b036ab825ac9822effaf12bbce3313f97f44114b011deaffffc4.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\desktop\x52d4d16a5110b036ab825ac9822effaf12bbce3313f97f44114b011deaffffc4.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
6988C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
9 344
Read events
9 343
Write events
1
Delete events
0

Modification events

(PID) Process:(6988) slui.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:writeName:@%SystemRoot%\System32\sppcomapi.dll,-3200
Value:
Software Licensing
Executable files
0
Suspicious files
2
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
1536WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_x52d4d16a5110b03_9861995031281eb92655f5b3bac169917d5db5_8c2a890d_f5e33345-d4c1-4f56-b40f-d926126be7f0\Report.wer
MD5:
SHA256:
1536WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERF3E.tmp.dmpbinary
MD5:98BA49DDE54C2E3FA3DC49D7EF4CD9CB
SHA256:904980061AEBAAA668D5C4EEFBE18FCC72B761075D906A37C1798AB6671C75F9
1536WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERF8D.tmp.WERInternalMetadata.xmlxml
MD5:FF137F42D86632A56F2DE54A3C2985B4
SHA256:918BFBE52E2832F47DF8C12057F25B2318215D4D4301D507EA090F67CA4B98FE
1536WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\x52d4d16a5110b036ab825ac9822effaf12bbce3313f97f44114b011deaffffc4.exe.5616.dmpbinary
MD5:C75EF888A3778FB2F306C43B8BA420DB
SHA256:619FBB5E10932031EBF7604B6507B53524B7197B524AE378A0CDE45AC36437D9
1536WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERFBD.tmp.xmlxml
MD5:B4A3B50E70D7775E25D296869BA9914B
SHA256:E8EE664E8CE10FC2A4D52F71312B57970EAD39C4B600EE20BBC3CBD2FDF04140
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
23
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3448
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
6988
slui.exe
POST
500
48.192.1.64:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
US
xml
512 b
whitelisted
5276
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
6988
slui.exe
POST
500
48.192.1.64:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
US
xml
512 b
whitelisted
3280
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl
US
binary
814 b
whitelisted
3280
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl
US
binary
400 b
whitelisted
3280
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
US
binary
400 b
whitelisted
3280
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
US
binary
813 b
whitelisted
3280
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl
US
binary
813 b
whitelisted
3280
svchost.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
NL
binary
824 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
5276
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7988
slui.exe
48.192.1.64:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
184.86.251.27:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
3448
svchost.exe
23.216.77.6:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
3448
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
5276
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
3448
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted
www.bing.com
  • 184.86.251.27
  • 184.86.251.22
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
google.com
  • 142.251.20.102
  • 142.251.20.101
  • 142.251.20.100
  • 142.251.20.139
  • 142.251.20.138
  • 142.251.20.113
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
watson.events.data.microsoft.com
  • 135.234.160.246
whitelisted
self.events.data.microsoft.com
  • 20.42.65.94
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
x52d4d16a5110b036ab825ac9822effaf12bbce3313f97f44114b011deaffffc4.exe