File name:	Potassium.exe
Full analysis:	https://app.any.run/tasks/f6c53b2e-eed1-4a05-8176-8184c17d0247
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	February 19, 2026, 11:48:22
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	uac evasion anti-evasion auto-reg stealer skuld screenshot generic crypto-regex upx susp-powershell golang ip-check
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 4 sections
MD5:	5523F5BE8C91C83A5D22941A56FD1AEE
SHA1:	5279260D2671690BA6CCA6C178E6407FDD22671D
SHA256:	8E498E961D7880F15553AC9B761BA9AFB9B887150590C87556C3A8F92B00C3DE
SSDEEP:	98304:vguFniM88l/JOV/8nxVRX63gECgkQQGNfA7HNhfY+SXwtgnVavUcWZHrjmaoxeMn:y35nluN

.exe	\|	UPX compressed Win32 Executable (87.1)
.exe	\|	Generic Win/DOS Executable (6.4)
.exe	\|	DOS Executable Generic (6.4)

MachineType:	AMD AMD64
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	3
CodeSize:	3444736
InitializedDataSize:	3527168
UninitializedDataSize:	7888896
EntryPoint:	0xacf1e0
OSVersion:	6.1
ImageVersion:	1
SubsystemVersion:	6.1
Subsystem:	Windows GUI


(PID) Process:	(8060) Potassium.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:	write	Name:	DelegateExecute
Value:
(PID) Process:	(7088) fodhelper.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(7088) fodhelper.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7088) fodhelper.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7088) fodhelper.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(8060) Potassium.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:	delete value	Name:	DelegateExecute
Value:
(PID) Process:	(7772) Potassium.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partmgr
Operation:	write	Name:	EnableCounterForIoctl
Value: 1
(PID) Process:	(7772) Potassium.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Realtek HD Audio Universal Service
Value: C:\Users\admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
(PID) Process:	(6948) SecurityHealthSystray.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:	write	Name:	DelegateExecute
Value:
(PID) Process:	(6948) SecurityHealthSystray.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:	delete value	Name:	DelegateExecute
Value:

PID	Process	Filename		Type
7772	Potassium.exe	C:\Users\admin\AppData\Local\Temp\commonfiles-temp\admin\authorityold.png		binary
		MD5:AD11202A3D47DC4A2D3940387ADA880A	SHA256:9B97CE9B55E2EA1B55C6FC9DACA8C90CCD7B907EB431D833A75089A04AEABFD2
7772	Potassium.exe	C:\Users\admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe		executable
		MD5:5523F5BE8C91C83A5D22941A56FD1AEE	SHA256:8E498E961D7880F15553AC9B761BA9AFB9B887150590C87556C3A8F92B00C3DE
7772	Potassium.exe	C:\Users\admin\AppData\Local\Temp\browsers.zip		binary
		MD5:8C16FD6B5F381CECC3D3CFC9FC45E366	SHA256:21C3B30456E6058F939E1E4DFF081353B835C48CE145C4CBD25D4F6A7B472373
7772	Potassium.exe	C:\Users\admin\AppData\Local\Temp\commonfiles.zip		binary
		MD5:C69F76E87B7A47201636F21AA8C453D6	SHA256:9B1D2531AB3C54CD05605C1FDA855CEDD40EB87B910FC6F913022C7285BDA845
7764	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tfqxwe4u.wmf.ps1		binary
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7772	Potassium.exe	C:\Users\admin\AppData\Local\Temp\browsers-temp\admin\Firefox\9kie7cg6.default-release\logins.txt		binary
		MD5:3ABC2B9ECCDC1C9E0199A80659C0090F	SHA256:8ED25C40A8274013F5EC722DE7B1306751426F04FD138944FE2DBD083AD802DA
7772	Potassium.exe	C:\Users\admin\AppData\Local\Temp\browsers-temp\admin\Chrome\Default\cookies.txt		binary
		MD5:FD4D39FE316347DE6E94DD9E83F0265A	SHA256:FED1778AAE8DC01846880F2E8242D7CECED0824AF6A8AA295C9508FEA6DD616C
7764	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_abe5vpeu.rvb.ps1		binary
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8176	powershell.exe	C:\Users\admin\AppData\Local\Temp\hiqzykro\hiqzykro.0.cs		binary
		MD5:C76055A0388B713A1EABE16130684DC3	SHA256:8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
8176	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0mxtnk23.2y2.psm1		binary
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7004	svchost.exe	GET	200	23.216.77.13:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	200	40.126.32.76:443	https://login.live.com/RST2.srf	unknown	—	—	whitelisted
356	svchost.exe	POST	200	20.190.159.64:443	https://login.live.com/RST2.srf	unknown	—	11.1 Kb	whitelisted
6768	MoUsoCoreWorker.exe	GET	200	23.216.77.13:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
8568	RUXIMICS.exe	GET	200	23.216.77.13:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7004	svchost.exe	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
8568	RUXIMICS.exe	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6768	MoUsoCoreWorker.exe	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6348	SIHClient.exe	GET	304	74.178.240.61:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	whitelisted
—	—	POST	200	20.190.160.128:443	https://login.live.com/RST2.srf	unknown	binary	11.1 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
7004	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
8568	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6768	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
—	—	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
8568	RUXIMICS.exe	23.216.77.13:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
7004	svchost.exe	23.216.77.13:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
6768	MoUsoCoreWorker.exe	23.216.77.13:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
7004	svchost.exe	23.59.18.102:80	www.microsoft.com	AKAMAI-AS	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 20.73.194.208 4.231.128.59	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
google.com	192.178.203.101 192.178.203.100 192.178.203.139 192.178.203.138 192.178.203.102 192.178.203.113	whitelisted
crl.microsoft.com	23.216.77.13 23.216.77.42 23.216.77.41 23.216.77.25 23.216.77.18 23.216.77.20 23.216.77.28 23.216.77.19 23.216.77.6	whitelisted
www.microsoft.com	23.59.18.102 88.221.169.152	whitelisted
login.live.com	40.126.31.73 40.126.31.2 40.126.31.129 40.126.31.71 40.126.31.0 40.126.31.131 40.126.31.3 20.190.159.64	whitelisted
api.ipify.org	172.67.74.152 104.26.12.205 104.26.13.205	whitelisted
ip-api.com	208.95.112.1	whitelisted
api.gofile.io	45.112.123.126 51.159.107.119 51.75.242.210	whitelisted
paste-dark-type-project.trycloudflare.com	—	unknown

PID	Process	Class	Message
2292	svchost.exe	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
7772	Potassium.exe	Misc activity	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
—	—	Device Retrieving External IP Address Detected	ET INFO External IP Lookup api.ipify.org
—	—	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External IP Lookup by HTTP (api .ipify .org)
—	—	Misc activity	ET INFO Go-http-client User-Agent Observed Outbound
—	—	Misc activity	ET USER_AGENTS Go HTTP Client User-Agent
2292	svchost.exe	Misc activity	INFO [ANY.RUN] External IP Check (ip-api .com)
2292	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
7772	Potassium.exe	Misc activity	ET INFO Go-http-client User-Agent Observed Outbound
7772	Potassium.exe	Misc activity	ET USER_AGENTS Go HTTP Client User-Agent

Process	Message
Potassium.exe	h
Potassium.exe	%
Potassium.exe	h
Potassium.exe	%
Potassium.exe	h
Potassium.exe	%
Potassium.exe	h
Potassium.exe	%
Potassium.exe	h
Potassium.exe	%

General Info

Potassium.exe

5523F5BE8C91C83A5D22941A56FD1AEE

5279260D2671690BA6CCA6C178E6407FDD22671D

8E498E961D7880F15553AC9B761BA9AFB9B887150590C87556C3A8F92B00C3DE

98304:vguFniM88l/JOV/8nxVRX63gECgkQQGNfA7HNhfY+SXwtgnVavUcWZHrjmaoxeMn:y35nluN

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Bypass User Account Control (Modify registry)

Bypass User Account Control (fodhelper)

Changes the autorun value in the registry

Steals credentials from Web Browsers

Changes Windows Defender settings

Adds path to the Windows Defender exclusion list

Actions looks like stealing of personal data

SKULD has been detected

Changes powershell execution policy (Bypass)

Changes settings for checking scripts for malicious actions

Changes settings for sending potential threat samples to Microsoft servers

Changes settings for real-time protection

Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

Changes settings for reporting to Microsoft Active Protection Service (MAPS)

SKULD has been detected (YARA)

Changes settings for protection against network attacks (IPS)

Changes Controlled Folder Access settings

Steals Discord credentials and data (YARA)

SUSPICIOUS

Changes default file association

Creates or modifies Windows services

Starts CMD.EXE for commands execution

Delegate execute modification

Executable content was dropped or overwritten

Uses ATTRIB.EXE to modify file attributes

Accesses video controller name via WMI (SCRIPT)

Uses WMIC.EXE to obtain Windows Installer data

Accesses product unique identifier via WMI (SCRIPT)

Read disk information to detect sandboxing environments

Uses WMIC.EXE to obtain a list of video controllers

Checks for external IP

Script adds exclusion path to Windows Defender

Possible stealing from crypto wallets

Starts POWERSHELL.EXE for commands execution

Uses WMIC.EXE to obtain operating system information

Possible stealing of email data

Uses WMIC.EXE to obtain CPU information

The process bypasses the loading of PowerShell profile settings

Uses NETSH.EXE to obtain data on the network

Accesses operating system name via WMI (SCRIPT)

BASE64 encoded PowerShell command has been detected

Bypass execution policy to execute commands

Possible stealing of messenger data

CSC.EXE is used to compile C# code

Captures screenshot (POWERSHELL)

Base64-obfuscated command line is found

Script disables Windows Defender's IPS

Script disables Windows Defender's real-time protection

Modifies hosts file to alter network resolution

There is functionality for capture public ip (YARA)

Found regular expressions for crypto-addresses (YARA)

Multiple wallet extension IDs have been found

INFO

Drops script file

Reads the computer name

Reads security settings of Internet Explorer

Checks supported languages

Drops encrypted JS script (Microsoft Script Encoder)

Launching a file from a Registry key

Creates files or folders in the user directory

Reads the machine GUID from the registry

Create files in a temporary directory

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Manual execution by a user

There is functionality for taking screenshot (YARA)

Application based on Golang

Detects GO elliptic curve encryption (YARA)