File name:	PowershellScanner.exe
Full analysis:	https://app.any.run/tasks/3d06efce-07e1-49d5-82b9-5509c2993214
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	March 19, 2026, 12:59:14
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	salatstealer stealer ms-smartcard websocket upx susp-powershell golang
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:	E5BFE61B3096B12066D3FADDBCDE3AE1
SHA1:	718E9AC2E69AA83BE2AB2E976FDBE8AF453ADF20
SHA256:	8AD32967BE1F50324F23225E6FA232F3B9646F55581EE217D7BE577FD8A56270
SSDEEP:	384:VoOsTdWRBt2/Qx/xSYyI6HXsLvSYghXBapWUPpU0+:mBT8RBtrxSz8T/4UhU

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2026:03:09 17:40:38+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.42
CodeSize:	10240
InitializedDataSize:	12288
UninitializedDataSize:	-
EntryPoint:	0x28b8
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI


(PID) Process:	(4524) PowershellScanner.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(4524) PowershellScanner.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(4524) PowershellScanner.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(4524) PowershellScanner.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(5448) PowershellScanner.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
Operation:	write	Name:	C:\Users
Value: 0
(PID) Process:	(5448) PowershellScanner.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
Operation:	write	Name:	C:\Program Files (x86)\Microsoft\Edge
Value: 0
(PID) Process:	(7176) slui.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:	write	Name:	@%SystemRoot%\System32\sppcomapi.dll,-3200
Value: Software Licensing

PID	Process	Filename		Type
7160	PowershellScanner1.exe	C:\Users\admin\AppData\Local\D3DSCache\e231aaeb-f0b8-df15-181d-5ae5c168ebf0		—
		MD5:—	SHA256:—
7160	PowershellScanner1.exe	C:\Program Files (x86)\Windows Photo Viewer\e231aaeb-f0b8-df15-181d-5ae5c168ebf0		—
		MD5:—	SHA256:—
6112	WmiPrvSE.exe	C:\Users\admin\AppData\Local\Temp\e231aaeb-f0b8-df15-181d-5ae5c168ebf0		—
		MD5:—	SHA256:—
6112	WmiPrvSE.exe	C:\Program Files\Google\Chrome\Application\WmiPrvSE.exe		text
		MD5:0BB2A45F4D689B6FED17675C47C6CB0A	SHA256:DAEBD2FAF31E2E16F99E00D76348A6FE006A50955A933B73F47D56D065F9F8FF
6112	WmiPrvSE.exe	C:\Program Files (x86)\Microsoft\Edge\Application\WmiPrvSE.exe		text
		MD5:0BB2A45F4D689B6FED17675C47C6CB0A	SHA256:DAEBD2FAF31E2E16F99E00D76348A6FE006A50955A933B73F47D56D065F9F8FF
8084	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hxzqbuzi.5r3.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8084	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cbmiseyp.s14.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8084	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vofdiwcs.w5y.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8084	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tpydcgks.pg0.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5448	PowershellScanner.exe	C:\Users\admin\AppData\Roaming\PowershellScanner1.exe		text
		MD5:0BB2A45F4D689B6FED17675C47C6CB0A	SHA256:DAEBD2FAF31E2E16F99E00D76348A6FE006A50955A933B73F47D56D065F9F8FF

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5276	MoUsoCoreWorker.exe	GET	304	40.127.240.158:443	https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30	US	—	—	whitelisted
—	—	POST	504	48.192.1.65:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	—	—	whitelisted
7176	slui.exe	POST	504	128.24.231.65:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	html	160 b	whitelisted
—	—	GET	101	104.21.66.193:443	https://dchat.ukde.workers.dev/parties/chat/main?key=0Wwi70hBV0HcYK8EO	US	—	—	—
—	—	GET	101	104.21.66.193:443	https://dchat.ukde.workers.dev/parties/chat/main?key=0Wwi70hBV0HcYK8EO	US	—	—	—
—	—	GET	101	172.67.163.233:443	https://dchat.ukde.workers.dev/parties/chat/main?key=0Wwi70hBV0HcYK8EO	US	—	—	—
3280	svchost.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	US	binary	409 b	whitelisted
3280	svchost.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	US	binary	401 b	whitelisted
3280	svchost.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	US	binary	419 b	whitelisted
3280	svchost.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl	US	binary	400 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
6212	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
5276	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7740	slui.exe	128.24.231.65:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
6212	svchost.exe	2.16.164.120:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
5448	PowershellScanner.exe	45.130.41.157:443	nocheat.icu	BEGET-AS	RU	unknown
6212	svchost.exe	23.52.181.212:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5276	MoUsoCoreWorker.exe	23.52.181.212:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
6212	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 4.231.128.59 51.104.136.2	whitelisted
activation-v2.sls.microsoft.com	128.24.231.65	whitelisted
google.com	172.217.168.78	whitelisted
nocheat.icu	45.130.41.157	unknown
crl.microsoft.com	2.16.164.120 2.16.164.49	whitelisted
www.microsoft.com	23.52.181.212	whitelisted
dns.google	8.8.4.4 8.8.8.8	whitelisted
dchat.ukde.workers.dev	104.21.66.193 172.67.163.233	unknown
self.events.data.microsoft.com	13.69.239.79	whitelisted

PID	Process	Class	Message
2232	svchost.exe	Potentially Bad Traffic	ET INFO DNS Query for Suspicious .icu Domain
5448	PowershellScanner.exe	Potentially Bad Traffic	ET INFO Suspicious Domain (*.icu) in TLS SNI
6212	svchost.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
—	—	Misc activity	ET HUNTING Possible EXE Download From Suspicious TLD
—	—	A Network Trojan was detected	ET HUNTING Suspicious Fake Windows User-Agent in HTTP Header
—	—	Potentially Bad Traffic	ET INFO PE EXE or DLL Windows file download HTTP
—	—	Misc activity	ET INFO Packed Executable Download
2232	svchost.exe	Misc activity	INFO [ANY.RUN] Google DNS-over-HTTPS service requested (dns. google)
5448	PowershellScanner.exe	Potentially Bad Traffic	ET INFO PE EXE or DLL Windows file download HTTP
5448	PowershellScanner.exe	A Network Trojan was detected	ET HUNTING Suspicious Fake Windows User-Agent in HTTP Header

General Info

PowershellScanner.exe

E5BFE61B3096B12066D3FADDBCDE3AE1

718E9AC2E69AA83BE2AB2E976FDBE8AF453ADF20

8AD32967BE1F50324F23225E6FA232F3B9646F55581EE217D7BE577FD8A56270

384:VoOsTdWRBt2/Qx/xSYyI6HXsLvSYghXBapWUPpU0+:mBT8RBtrxSz8T/4UhU

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SALATSTEALER mutex has been found

Steals credentials from Web Browsers

Actions looks like stealing of personal data

SALATSTEALER has been detected (YARA)

SUSPICIOUS

Reads the date of Windows installation

Application launched itself

The process creates files with name similar to system file names

Starts itself from another location

Starts POWERSHELL.EXE for commands execution

Possible stealing of messenger data

Possible stealing from crypto wallets

Multiple wallet extension IDs have been found

Gets path to any of the special folders (POWERSHELL)

INFO

Reads the computer name

Checks supported languages

Reads security settings of Internet Explorer

Reads the machine GUID from the registry

Creates files or folders in the user directory

Creates files in the program directory

Create files in a temporary directory

Drops encrypted JS script (Microsoft Script Encoder)

UPX packer has been detected

Application based on Golang

Found Base64 encoded access to environment variables via PowerShell (YARA)

Found Base64 encoded access to Windows Defender via PowerShell (YARA)

Detects GO elliptic curve encryption (YARA)

There is functionality for taking screenshot (YARA)

Checks current location (POWERSHELL)

Script raised an exception (POWERSHELL)

Checks if a key exists in the options dictionary (POWERSHELL)

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests