File name:

Potassium.exe

Full analysis: https://app.any.run/tasks/45093681-bc4b-4e52-b1ab-b78eedb12ae1
Verdict: Malicious activity
Analysis date: December 24, 2025, 22:25:27
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
iqvw64-sys
vuln-driver
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 9 sections
MD5:

393C49B577C977D49089F91F9C496639

SHA1:

AF11AB5B54E75C460FC77F11A1867A344207EF24

SHA256:

834FBEE58DE7A56A20B95098A25EE941B6CFA8F184A7FC5BBCCCD72E78FD5D54

SSDEEP:

98304:9bjZR9k2aX7XtK6sM6tHTtD8PRtQRcZdZsPxdjhusOL0ZGcwSo98g6s6EMj8EW7P:F9CXbC9GIfUDE5cjr+EPgjxm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Vulnerable driver has been detected

      • Potassium.exe (PID: 7724)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Potassium.exe (PID: 7724)
    • Creates or modifies Windows services

      • Potassium.exe (PID: 7724)
    • Executes application which crashes

      • Potassium.exe (PID: 7724)
  • INFO

    • Checks supported languages

      • Potassium.exe (PID: 7724)
    • The sample was compiled with English language support

      • Potassium.exe (PID: 7724)
    • Creates files in a temporary directory

      • Potassium.exe (PID: 7724)
    • Checks proxy server information

      • WerFault.exe (PID: 8164)
      • slui.exe (PID: 6300)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 8164)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:12:18 19:55:16+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.44
CodeSize: 206848
InitializedDataSize: 148480
UninitializedDataSize: -
EntryPoint: 0x147f77e
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
All screenshots are available in the full report
Total processes: 147
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 0

Behavior graph

[Interactive process graph, available in the full report. Nodes shown: potassium.exe (THREAT), conhost.exe, werfault.exe, updater.exe, updater.exe, slui.exe, potassium.exe]

Process information

PID | CMD | Path | Indicators | Parent process
PID: 2508
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x139c460,0x139c46c,0x139c478
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: updater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 6300
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7428
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 7568
CMD: "C:\Users\admin\Desktop\Potassium.exe"
Path: C:\Users\admin\Desktop\Potassium.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\potassium.exe
c:\windows\system32\ntdll.dll
PID: 7724
CMD: "C:\Users\admin\Desktop\Potassium.exe"
Path: C:\Users\admin\Desktop\Potassium.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
3221226505
Modules
Images
c:\users\admin\desktop\potassium.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 7784
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: Potassium.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 8164
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 7724 -s 276
Path: C:\Windows\System32\WerFault.exe
Parent process: Potassium.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
Total events: 10 298
Read events: 10 289
Write events: 5
Delete events: 4

Modification events

(PID) Process: (7724) Potassium.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mqaeGzNKScLjlFEEzQcpbf
Operation: write
Name: ImagePath
Value: \??\C:\Users\admin\AppData\Local\Temp\mqaeGzNKScLjlFEEzQcpbf

(PID) Process: (7724) Potassium.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mqaeGzNKScLjlFEEzQcpbf
Operation: write
Name: Type
Value: 1

(PID) Process: (7724) Potassium.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mqaeGzNKScLjlFEEzQcpbf
Operation: delete key
Name: (default)
Value: -

(PID) Process: (8164) WerFault.exe
Key: \REGISTRY\A\{451277a8-5276-79ad-cfe2-a56cc6d18b1c}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value: 1

(PID) Process: (8164) WerFault.exe
Key: \REGISTRY\A\{451277a8-5276-79ad-cfe2-a56cc6d18b1c}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)
Value: -
Executable files: 1
Suspicious files: 3
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type

8164 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Potassium.exe_36168376abcefc8d2686cfd4b263b8d7cea4a2d_ca24de15_e98788db-3af2-4b31-90fa-feebaf7dc787\Report.wer | -
  MD5: -
  SHA256: -
2508 | updater.exe | C:\Program Files (x86)\Google\GoogleUpdater\updater.log | text
  MD5: 124F174BE7557C17A3FA1BAD289E2BF8
  SHA256: 771E9450F55C1DE12F18A28F86724417D9EDE0175484D2A668FB63420FAFC3AC
8164 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER745.tmp.dmp | binary
  MD5: 738665EB9BAA7B990EFAB7D1C2E595F4
  SHA256: A5036E244FB60D2111356F7DAF40E8D6AC31958DD092247BB8BEE514F9601835
8164 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER7A5.tmp.xml | xml
  MD5: F34C52859AABD6CB4D10573075AE81FF
  SHA256: DE2219631ABEA162BC78ABF42D55987DD7B1D4122F254868BA74D23FD7B30F47
7724 | Potassium.exe | C:\Users\admin\AppData\Local\Temp\mqaeGzNKScLjlFEEzQcpbf | executable
  MD5: 1898CEDA3247213C084F43637EF163B3
  SHA256: 4429F32DB1CC70567919D7D47B844A91CF1329A6CD116F582305F3B7B60CD60B
8164 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\Potassium.exe.7724.dmp | binary
  MD5: 542E41F644B3EA8D63C435424AE6238C
  SHA256: 501144EAC531C0B4A268973DF1ADD5EFA19D8CF1CE4A34E7267C178E169D2C88
8164 | WerFault.exe | C:\Windows\appcompat\Programs\Amcache.hve | binary
  MD5: 547124DC337E38F430E29263A9BE364F
  SHA256: 1C409D6998C890C3E6541EE7FD9416A514F2FF67F9BAC73F8279BC289949ECCD
8164 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER785.tmp.WERInternalMetadata.xml | xml
  MD5: 5C69BEA0282B5F68C38373C359F9BEEF
  SHA256: 15878A165F86F43BF9E7B3A3189785D2AD5CBD4B7DCD28B0E3865F96F4D617A6
HTTP(S) requests: 10
TCP/UDP connections: 23
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

2688 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6392 | RUXIMICS.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2688 | svchost.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6392 | RUXIMICS.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6488 | slui.exe | POST | 500 | 48.192.1.65:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
6488 | slui.exe | POST | 500 | 48.192.1.65:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | unknown
6300 | slui.exe | POST | 500 | 48.192.1.65:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
6300 | slui.exe | POST | 500 | 48.192.1.64:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

2688 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
6768 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6392 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
2688 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6392 | RUXIMICS.exe | 23.216.77.6:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
2688 | svchost.exe | 23.52.181.212:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
6768 | MoUsoCoreWorker.exe | 23.52.181.212:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain | IP | Reputation

settings-win.data.microsoft.com | 40.127.240.158, 51.104.136.2 | whitelisted
google.com | 142.250.185.238 | whitelisted
crl.microsoft.com | 23.216.77.6, 23.216.77.28 | whitelisted
www.microsoft.com | 23.52.181.212 | whitelisted
watson.events.data.microsoft.com | 135.233.45.221 | whitelisted
self.events.data.microsoft.com | 40.79.150.121 | whitelisted
activation-v2.sls.microsoft.com | 48.192.1.65 | whitelisted

Threats

No threats detected
No debug info