File name:

spectredex.exe

Full analysis: https://app.any.run/tasks/e7970127-30db-4acd-bcd5-45c67a709f4c
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: January 17, 2026, 14:12:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
salatstealer
stealer
susp-powershell
upx
golang
ms-smartcard
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

134AF254F1D789994755114CA745FFB4

SHA1:

6C324DB4BF573682FC23A0F1C10ADCA76DAF60EE

SHA256:

C344BD7E453F7A95D5064861D61550D3054FC4D833F6B3D400E4D9471860B01F

SSDEEP:

98304:b6vd8KHD6VGJAy2zax0JsduLqQthDI3MiOVb4rk4R08qInlvtz8DXy5S+bOn3UZc:WpF4e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • SALATSTEALER mutex has been found

      • spectredex.exe (PID: 7792)
      • upfc.exe (PID: 752)

    • SALATSTEALER has been detected (YARA)

      • spectredex.exe (PID: 7792)
      • upfc.exe (PID: 752)

    • Steals credentials from Web Browsers

      • upfc.exe (PID: 752)

    • Actions looks like stealing of personal data

      • upfc.exe (PID: 752)

    • UAC/LUA settings modification

      • powershell.exe (PID: 7416)

  • SUSPICIOUS

    • Application launched itself

      • spectredex.exe (PID: 7604)

    • Reads security settings of Internet Explorer

      • spectredex.exe (PID: 7604)

    • There is functionality for taking screenshot (YARA)

      • spectredex.exe (PID: 7792)
      • upfc.exe (PID: 752)

    • Multiple wallet extension IDs have been found

      • spectredex.exe (PID: 7792)
      • upfc.exe (PID: 752)

    • The process creates files with name similar to system file names

      • spectredex.exe (PID: 7792)

    • Starts itself from another location

      • spectredex.exe (PID: 7792)
      • upfc.exe (PID: 752)

    • Executable content was dropped or overwritten

      • spectredex.exe (PID: 7792)
      • upfc.exe (PID: 752)

    • Possible stealing of messenger data

      • upfc.exe (PID: 752)

    • Starts POWERSHELL.EXE for commands execution

      • upfc.exe (PID: 752)

    • Possible stealing from crypto wallets

      • upfc.exe (PID: 752)

    • Gets path to any of the special folders (POWERSHELL)

      • powershell.exe (PID: 7416)

  • INFO

    • Checks supported languages

      • spectredex.exe (PID: 7604)
      • spectredex.exe (PID: 7792)
      • upfc.exe (PID: 752)
      • upfc.exe (PID: 748)
      • upfc.exe (PID: 7508)

    • Reads the machine GUID from the registry

      • spectredex.exe (PID: 7792)
      • spectredex.exe (PID: 7604)
      • upfc.exe (PID: 752)
      • upfc.exe (PID: 7508)
      • upfc.exe (PID: 748)

    • Reads the computer name

      • spectredex.exe (PID: 7792)
      • spectredex.exe (PID: 7604)
      • upfc.exe (PID: 752)
      • upfc.exe (PID: 7508)
      • upfc.exe (PID: 748)

    • Process checks computer location settings

      • spectredex.exe (PID: 7604)

    • Found Base64 encoded access to environment variables via PowerShell (YARA)

      • spectredex.exe (PID: 7792)
      • upfc.exe (PID: 752)

    • Application based on Golang

      • spectredex.exe (PID: 7792)
      • upfc.exe (PID: 752)

    • Found Base64 encoded file access via PowerShell (YARA)

      • spectredex.exe (PID: 7792)
      • upfc.exe (PID: 752)

    • Detects GO elliptic curve encryption (YARA)

      • spectredex.exe (PID: 7792)
      • upfc.exe (PID: 752)

    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • spectredex.exe (PID: 7792)
      • upfc.exe (PID: 752)

    • UPX packer has been detected

      • spectredex.exe (PID: 7792)
      • upfc.exe (PID: 752)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • spectredex.exe (PID: 7792)
      • upfc.exe (PID: 752)

    • Creates files or folders in the user directory

      • spectredex.exe (PID: 7792)

    • Drops script file

      • upfc.exe (PID: 752)
      • powershell.exe (PID: 7416)

    • Create files in a temporary directory

      • upfc.exe (PID: 752)

    • Creates files in the program directory

      • upfc.exe (PID: 752)

    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 7416)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7416)

    • Drops encrypted JS script (Microsoft Script Encoder)

      • upfc.exe (PID: 752)

    • Disables trace logs

      • powershell.exe (PID: 7416)

    • Checks proxy server information

      • powershell.exe (PID: 7416)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7416)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 3
CodeSize: 3293184
InitializedDataSize: 4096
UninitializedDataSize: 8806400
EntryPoint: 0xb89960
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
158
Monitored processes
8
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start spectredex.exe no specs #SALATSTEALER spectredex.exe #SALATSTEALER upfc.exe powershell.exe conhost.exe no specs upfc.exe no specs upfc.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
748"C:\Program Files (x86)\Microsoft\Edge\Application\upfc.exe" -C:\Program Files (x86)\Microsoft\Edge\Application\upfc.exeupfc.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files (x86)\microsoft\edge\application\upfc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
752C:\Users\admin\AppData\Local\Mozilla\upfc.exeC:\Users\admin\AppData\Local\Mozilla\upfc.exe
spectredex.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\mozilla\upfc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
7296\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7416powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
upfc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7508"C:\Program Files\Google\Chrome\Application\upfc.exe" -C:\Program Files\Google\Chrome\Application\upfc.exeupfc.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\google\chrome\application\upfc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
7604"C:\Users\admin\AppData\Local\Temp\spectredex.exe" C:\Users\admin\AppData\Local\Temp\spectredex.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
2
Modules
Images
c:\users\admin\appdata\local\temp\spectredex.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
7792"C:\Users\admin\AppData\Local\Temp\spectredex.exe" C:\Users\admin\AppData\Local\Temp\spectredex.exe
spectredex.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\spectredex.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
8064C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
8 913
Read events
8 898
Write events
15
Delete events
0

Modification events

(PID) Process:(7416) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(7416) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(7416) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(7416) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(7416) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(7416) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(7416) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(7416) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(7416) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(7416) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
4
Suspicious files
1
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
7416powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fars24ay.00v.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7416powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4va2au41.zgk.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7792spectredex.exeC:\Users\admin\AppData\Local\Mozilla\upfc.exeexecutable
MD5:134AF254F1D789994755114CA745FFB4
SHA256:C344BD7E453F7A95D5064861D61550D3054FC4D833F6B3D400E4D9471860B01F
7416powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_j52orcz2.dru.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7416powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ttzjl0sh.rxe.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
752upfc.exeC:\Program Files\Google\Chrome\Application\upfc.exeexecutable
MD5:134AF254F1D789994755114CA745FFB4
SHA256:C344BD7E453F7A95D5064861D61550D3054FC4D833F6B3D400E4D9471860B01F
752upfc.exeC:\Program Files (x86)\Microsoft\Edge\Application\upfc.exeexecutable
MD5:134AF254F1D789994755114CA745FFB4
SHA256:C344BD7E453F7A95D5064861D61550D3054FC4D833F6B3D400E4D9471860B01F
7792spectredex.exeC:\Users\admin\AppData\Local\Packages\ShellExperienceHost.exeexecutable
MD5:134AF254F1D789994755114CA745FFB4
SHA256:C344BD7E453F7A95D5064861D61550D3054FC4D833F6B3D400E4D9471860B01F
7416powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactivebinary
MD5:B4C0EAC1CB826388F9109A9FD884DF28
SHA256:90155CCB1ECD1CCD4A4F3D39BB48361C321F0AF3D38F34B0F82A30C2019981F9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
43
TCP/UDP connections
53
DNS requests
21
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6768
MoUsoCoreWorker.exe
GET
304
4.231.128.59:443
https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop
unknown
whitelisted
6768
MoUsoCoreWorker.exe
GET
304
4.231.128.59:443
https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30
unknown
whitelisted
2220
svchost.exe
POST
200
40.126.31.2:443
https://login.live.com/RST2.srf
unknown
xml
10.3 Kb
whitelisted
2220
svchost.exe
POST
200
40.126.31.2:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
7216
SIHClient.exe
GET
200
52.165.164.15:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
whitelisted
7216
SIHClient.exe
GET
200
74.178.76.128:443
https://slscr.update.microsoft.com/sls/ping
unknown
whitelisted
7216
SIHClient.exe
GET
304
74.178.76.128:443
https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
whitelisted
1156
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1156
svchost.exe
GET
200
51.124.78.146:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=562&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=1&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
unknown
text
5.58 Kb
whitelisted
2220
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
1156
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6768
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3464
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
7792
spectredex.exe
8.8.4.4:443
dns.google
GOOGLE
US
whitelisted
3412
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2220
svchost.exe
40.126.31.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7792
spectredex.exe
1.1.1.1:443
CLOUDFLARENET
US
whitelisted
2220
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.184.238
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
dns.google
  • 8.8.4.4
  • 8.8.8.8
whitelisted
login.live.com
  • 40.126.31.2
  • 40.126.31.71
  • 40.126.31.67
  • 40.126.31.130
  • 20.190.159.68
  • 20.190.159.75
  • 40.126.31.0
  • 40.126.31.1
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
  • 2.16.164.49
  • 2.16.164.72
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
cloudflare-dns.com
  • 104.16.248.249
  • 104.16.249.249
whitelisted
slscr.update.microsoft.com
  • 74.178.76.128
whitelisted

Threats

PID
Process
Class
Message
2292
svchost.exe
Misc activity
INFO [ANY.RUN] Google DNS-over-HTTPS service requested (dns. google)
7792
spectredex.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
7792
spectredex.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
2292
svchost.exe
Misc activity
INFO [ANY.RUN] Cloudflare DNS-over-HTTPS service requested (cloudflare-dns .com)
7792
spectredex.exe
Misc activity
ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
7792
spectredex.exe
Misc activity
ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
752
upfc.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
752
upfc.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
spectredex.exe