File name: xyuna.exe

Full analysis: https://app.any.run/tasks/ee97dbba-8f0c-41ee-8fde-3513e29de97a
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: February 16, 2026, 18:19:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
salatstealer
stealer
susp-powershell
upx
wmi-base64
golang
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 9 sections
MD5: 41BE92EE39B9C445FBEE0E309C19FF87
SHA1: CE14FAAAEB85A299ABB60755C3CDD4521FFED765
SHA256: DB3F8FA11FE12F68899831188CAD598F0551303ED669CBB8F056276E60E18AF1
SSDEEP: 98304:Jhe2gsVJX9ulhf/coDwZ7jVMC4a8etODhTgEJ01r7DPERUJP8gsVSYeUSqKSiKjl:Jb5VHqn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • xyuna.exe (PID: 8596)
      • xyuna.exe (PID: 9204)
    • SALATSTEALER has been detected (YARA)

      • xyuna.exe (PID: 9204)
    • SALATSTEALER mutex has been found

      • xyuna.exe (PID: 9204)
    • SALATSTEALER has been detected (SURICATA)

      • xyuna.exe (PID: 9204)
  • SUSPICIOUS

    • Multiple wallet extension IDs have been found

      • xyuna.exe (PID: 9204)
    • Application launched itself

      • xyuna.exe (PID: 8596)
  • INFO

    • Reads the computer name

      • xyuna.exe (PID: 8596)
      • xyuna.exe (PID: 9204)
    • Creates files in the program directory

      • xyuna.exe (PID: 8596)
    • Checks supported languages

      • xyuna.exe (PID: 8596)
      • xyuna.exe (PID: 9204)
    • Application based on Golang

      • xyuna.exe (PID: 9204)
    • Found Base64 encoded access to environment variables via PowerShell (YARA)

      • xyuna.exe (PID: 9204)
    • There is functionality for taking screenshot (YARA)

      • xyuna.exe (PID: 9204)
    • Found Base64 encoded reference to WMI classes (YARA)

      • xyuna.exe (PID: 9204)
    • Detects GO elliptic curve encryption (YARA)

      • xyuna.exe (PID: 9204)
    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • xyuna.exe (PID: 9204)
    • Found Base64 encoded access to processes via PowerShell (YARA)

      • xyuna.exe (PID: 9204)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 3132)
      • xyuna.exe (PID: 8596)
    • Checks proxy server information

      • slui.exe (PID: 2016)
    • UPX packer has been detected

      • xyuna.exe (PID: 9204)
    • Found Base64 encoded file access via PowerShell (YARA)

      • xyuna.exe (PID: 9204)
    • Manual execution by a user

      • notepad.exe (PID: 3132)
    • Process checks computer location settings

      • xyuna.exe (PID: 8596)
    • Reads the machine GUID from the registry

      • xyuna.exe (PID: 9204)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2026:02:16 10:50:52+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, 32-bit, No debug
PEType: PE32
LinkerVersion: 2.46
CodeSize: 299520
InitializedDataSize: 3672576
UninitializedDataSize: 512
EntryPoint: 0x1450
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 153
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start xyuna.exe no specs #SALATSTEALER xyuna.exe notepad.exe no specs slui.exe svchost.exe

Process information

PID: 2016
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 2292
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 3132
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\1.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

PID: 8596
CMD: "C:\Users\admin\AppData\Local\Temp\xyuna.exe"
Path: C:\Users\admin\AppData\Local\Temp\xyuna.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\users\admin\appdata\local\temp\xyuna.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 9204
CMD: "C:\Users\admin\AppData\Local\Temp\xyuna.exe"
Path: C:\Users\admin\AppData\Local\Temp\xyuna.exe
Parent process: xyuna.exe
User: admin
Integrity Level: HIGH
Modules (Images):
c:\users\admin\appdata\local\temp\xyuna.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 5 121
Read events: 5 121
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
8596 | xyuna.exe | C:\ProgramData\loader_ffffd033.log | text
MD5: D46C254725038FD589C967E2377BBD3F
SHA256: 1CD4B064D85C352540562A37C6DE321893BE1BC5372432AD6367339FB69C7885
9204 | xyuna.exe | C:\loader_ffffd033.log | text
MD5: D46C254725038FD589C967E2377BBD3F
SHA256: 1CD4B064D85C352540562A37C6DE321893BE1BC5372432AD6367339FB69C7885
HTTP(S) requests: 24
TCP/UDP connections: 59
DNS requests: 25
Threats: 11

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3208 | svchost.exe | GET | 304 | 40.127.240.158:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | US | - | - | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 304 | 51.104.136.2:443 | https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop | US | - | - | whitelisted
8228 | SIHClient.exe | GET | 304 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
8228 | SIHClient.exe | GET | 200 | 20.242.39.171:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | - | - | whitelisted
8228 | SIHClient.exe | GET | 200 | 135.233.95.144:443 | https://slscr.update.microsoft.com/sls/ping | US | - | - | whitelisted
8228 | SIHClient.exe | GET | 304 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted
3208 | svchost.exe | GET | 200 | 40.127.240.158:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=0&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | US | text | 5.70 Kb | whitelisted
3208 | svchost.exe | GET | 200 | 23.48.23.32:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
356 | svchost.exe | POST | 200 | 20.190.160.128:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | whitelisted
356 | svchost.exe | POST | 200 | 20.190.160.128:443 | https://login.live.com/RST2.srf | US | xml | 11.1 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3208 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
7428 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
9204 | xyuna.exe | 8.8.4.4:443 | dns.google | GOOGLE | US | whitelisted
9204 | xyuna.exe | 1.1.1.1:443 | - | CLOUDFLARENET | US | whitelisted
3208 | svchost.exe | 23.48.23.32:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
3412 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.78
whitelisted
self.events.data.microsoft.com
  • 52.182.143.211
  • 13.89.179.14
whitelisted
dns.google
  • 8.8.4.4
  • 8.8.8.8
whitelisted
crl.microsoft.com
  • 23.48.23.32
  • 23.48.23.29
  • 23.48.23.38
  • 23.48.23.11
  • 23.48.23.51
  • 23.48.23.45
  • 23.48.23.10
  • 23.48.23.30
  • 2.16.164.106
  • 2.16.164.24
  • 2.16.164.32
  • 2.16.164.72
  • 2.16.164.99
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.160.128
  • 40.126.32.136
  • 40.126.32.140
  • 40.126.32.138
  • 40.126.32.72
  • 20.190.160.5
  • 20.190.160.14
  • 20.190.160.132
  • 20.190.160.17
  • 20.190.160.22
  • 20.190.160.2
  • 20.190.160.20
  • 20.190.160.130
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
cloudflare-dns.com
  • 104.16.248.249
  • 104.16.249.249
whitelisted
slscr.update.microsoft.com
  • 135.233.95.144
whitelisted

Threats

PID | Process | Class | Message
2292 | svchost.exe | Misc activity | INFO [ANY.RUN] Google DNS-over-HTTPS service requested (dns. google)
9204 | xyuna.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
3208 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
9204 | xyuna.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Win32/Salatstealer JA3 hash observed
2292 | svchost.exe | Misc activity | INFO [ANY.RUN] Cloudflare DNS-over-HTTPS service requested (cloudflare-dns .com)
9204 | xyuna.exe | Misc activity | ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
9204 | xyuna.exe | Misc activity | ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI)
2292 | svchost.exe | A Network Trojan was detected | ET MALWARE Observed DNS Query to Salat Stealer Domain (salat .cn)
9204 | xyuna.exe | A Network Trojan was detected | ET MALWARE Observed Salat Stealer Domain (salat .cn in TLS SNI)
9204 | xyuna.exe | A Network Trojan was detected | ET MALWARE Observed Salat Stealer Domain (salat .cn in TLS SNI)
No debug info