File name:	xc8bb7729cae4594fd38caec32e3ee6f2e07b14fae18b748209d04e9f85c047b7.exe
Full analysis:	https://app.any.run/tasks/1416306c-54c3-4ac5-a2e1-d0c160f00e21
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	March 19, 2026, 10:46:24
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	susp-powershell stealer salatstealer upx golang
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:	4FA5A74D74E4E3A9D2466F5218E6268B
SHA1:	4073D7559451E214D7AD4EDFE18A6F3BAA6AC995
SHA256:	C8BB7729CAE4594FD38CAEC32E3EE6F2E07B14FAE18B748209D04E9F85C047B7
SSDEEP:	98304:MZWC/Kr6V201GVfbl3Ttyil6QyogRFgeUjTcYOtjWoybZSCzr7:B4

.exe	\|	InstallShield setup (36.3)
.exe	\|	Win32 Executable MS Visual C++ (generic) (26.3)
.exe	\|	UPX compressed Win32 Executable (22.8)
.dll	\|	Win32 Dynamic Link Library (generic) (5.5)
.exe	\|	Win32 Executable (generic) (3.8)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	3
CodeSize:	3588096
InitializedDataSize:	4096
UninitializedDataSize:	9334784
EntryPoint:	0x79370
OSVersion:	6.1
ImageVersion:	1
SubsystemVersion:	6.1
Subsystem:	Windows GUI


(PID) Process:	(7448) slui.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:	write	Name:	@%SystemRoot%\System32\sppcomapi.dll,-3200
Value: Software Licensing

PID	Process	Filename		Type
2164	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xc8bb7729cae4594_5bfdcaa4937fecceae43fac4b36515cfae9467c_89c0797c_3b925632-e646-4859-8ff1-d3555d4dbdb3\Report.wer		—
		MD5:—	SHA256:—
2164	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERDAA.tmp.xml		xml
		MD5:375444F7CF4D86B412BFEAAB9F2FD57D	SHA256:C32C6AE8AB50060CB5BA1189E62B6CB1666A3424ABF427D9788DBBE02C8BBB2D
2164	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERD4A.tmp.dmp		binary
		MD5:A8EED3536192BE9ABEA6541C048EBAEC	SHA256:FA509278728F47672C952104A58E7AEB115F1292B7AEF3421DED0917752CFCDD
2164	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERD89.tmp.WERInternalMetadata.xml		xml
		MD5:3C52B1A2DB0FB9C661F65E5D2ABD79D1	SHA256:0BD46896D64525F876DB68E19E27AEF2867F589E5280844DBAD56E8AB4DB356C
2164	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\xc8bb7729cae4594fd38caec32e3ee6f2e07b14fae18b748209d04e9f85c047b7.exe.7608.dmp		binary
		MD5:2AE2BFDF0E730F5CA5C091F6C3715D34	SHA256:F16B26A6777A4AA4CCD5CC0847C0A9FEA5B8510E48D1254DDE8DB2822485A3B6

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6628	SIHClient.exe	GET	304	20.165.94.63:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	US	—	—	whitelisted
6628	SIHClient.exe	GET	200	20.165.94.54:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	US	—	—	whitelisted
6628	SIHClient.exe	GET	200	20.165.94.63:443	https://slscr.update.microsoft.com/sls/ping	US	—	—	whitelisted
6628	SIHClient.exe	GET	304	20.165.94.63:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	US	—	—	whitelisted
5276	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
6076	svchost.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
6628	SIHClient.exe	GET	304	20.165.94.63:443	https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	US	—	—	whitelisted
7448	slui.exe	POST	500	128.24.231.65:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	text	512 b	whitelisted
—	—	GET	200	20.165.94.63:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	US	—	—	—
6628	SIHClient.exe	GET	200	20.165.94.63:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	US	compressed	29.1 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	128.24.231.65:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
6076	svchost.exe	23.216.77.28:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
6076	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5276	MoUsoCoreWorker.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
6076	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7448	slui.exe	128.24.231.65:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5208	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
activation-v2.sls.microsoft.com	128.24.231.65	whitelisted
google.com	142.251.37.14	whitelisted
crl.microsoft.com	23.216.77.28 23.216.77.6 23.55.110.193 23.55.110.211	whitelisted
www.microsoft.com	88.221.169.152 23.52.181.212	whitelisted
watson.events.data.microsoft.com	135.233.45.223	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
slscr.update.microsoft.com	20.165.94.63	whitelisted
fe3cr.delivery.mp.microsoft.com	20.165.94.54	whitelisted
self.events.data.microsoft.com	13.89.179.11	whitelisted

General Info

xc8bb7729cae4594fd38caec32e3ee6f2e07b14fae18b748209d04e9f85c047b7.exe

4FA5A74D74E4E3A9D2466F5218E6268B

4073D7559451E214D7AD4EDFE18A6F3BAA6AC995

C8BB7729CAE4594FD38CAEC32E3EE6F2E07B14FAE18B748209D04E9F85C047B7

98304:MZWC/Kr6V201GVfbl3Ttyil6QyogRFgeUjTcYOtjWoybZSCzr7:B4

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SALATSTEALER has been detected (YARA)

SUSPICIOUS

Multiple wallet extension IDs have been found

INFO

Creates files or folders in the user directory

Checks supported languages

Detects GO elliptic curve encryption (YARA)

UPX packer has been detected

Application based on Golang

There is functionality for taking screenshot (YARA)

Found Base64 encoded access to environment variables via PowerShell (YARA)

Found Base64 encoded access to Windows Defender via PowerShell (YARA)

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings