File name:

3-1.png

Full analysis: https://app.any.run/tasks/bfaac4ea-ff50-4ebd-8024-72bc6f51b79e
Verdict: Malicious activity
Threats:

MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.

Malware Trends Tracker     >>>
Analysis date: July 01, 2024, 09:13:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
redline
metastealer
Indicators:
MIME: image/png
File info: PNG image data, 480 x 388, 8-bit/color RGBA, non-interlaced
MD5:

FE68C172ED8825D3256A13E8CE7CB447

SHA1:

DA1DAAF49994A4BDCB6B2488CD41336768A5CDB1

SHA256:

06B17E45416B913E640B781540E805E97791EBBAC313C2435FE489CE338B6C8F

SSDEEP:

6144:ze0lFzw4Xw4WAMD5grEsYUZZraFB7V3urAmM:ze0Pzw4UDqrkUZZkT+rAmM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Antivirus name has been found in the command line (generic signature)

      • findstr.exe (PID: 4684)
      • findstr.exe (PID: 2872)
      • findstr.exe (PID: 8)
      • findstr.exe (PID: 380)
      • findstr.exe (PID: 4268)
      • findstr.exe (PID: 5076)
      • findstr.exe (PID: 6516)
      • findstr.exe (PID: 6892)

    • Drops the executable file immediately after the start

      • cmd.exe (PID: 5576)
      • Husband.pif (PID: 5040)
      • Husband.pif (PID: 3844)

    • Connects to the CnC server

      • RegAsm.exe (PID: 3556)
      • RegAsm.exe (PID: 476)
      • RegAsm.exe (PID: 2212)

    • REDLINE has been detected (SURICATA)

      • RegAsm.exe (PID: 3556)
      • RegAsm.exe (PID: 2212)
      • RegAsm.exe (PID: 476)

    • Steals credentials from Web Browsers

      • RegAsm.exe (PID: 3556)
      • RegAsm.exe (PID: 476)
      • RegAsm.exe (PID: 2212)

    • METASTEALER has been detected (SURICATA)

      • RegAsm.exe (PID: 3556)
      • RegAsm.exe (PID: 2212)
      • RegAsm.exe (PID: 476)

    • REDLINE has been detected (YARA)

      • RegAsm.exe (PID: 3556)
      • RegAsm.exe (PID: 2212)
      • RegAsm.exe (PID: 476)

    • Actions looks like stealing of personal data

      • RegAsm.exe (PID: 3556)
      • RegAsm.exe (PID: 476)
      • RegAsm.exe (PID: 2212)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6236)
      • SolaraBoostrapper.exe (PID: 4044)
      • SolaraBoostrapper.exe (PID: 4180)
      • SolaraBoostrapper.exe (PID: 3836)
      • SolaraBoostrapper.exe (PID: 7112)

    • Application launched itself

      • WinRAR.exe (PID: 6236)
      • cmd.exe (PID: 5576)
      • cmd.exe (PID: 5380)
      • cmd.exe (PID: 6872)

    • Get information on the list of running processes

      • cmd.exe (PID: 5576)
      • cmd.exe (PID: 6676)
      • cmd.exe (PID: 5380)
      • cmd.exe (PID: 6872)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 5576)
      • cmd.exe (PID: 6676)
      • cmd.exe (PID: 5380)
      • cmd.exe (PID: 6872)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 5576)
      • SolaraBoostrapper.exe (PID: 4044)
      • SolaraBoostrapper.exe (PID: 4180)
      • SolaraBoostrapper.exe (PID: 3836)
      • cmd.exe (PID: 5380)
      • cmd.exe (PID: 6872)
      • SolaraBoostrapper.exe (PID: 7112)

    • Starts application with an unusual extension

      • cmd.exe (PID: 5576)
      • cmd.exe (PID: 5380)
      • cmd.exe (PID: 6872)

    • Drops a file with a rarely used extension (PIF)

      • cmd.exe (PID: 5576)

    • The executable file from the user directory is run by the CMD process

      • Husband.pif (PID: 5040)
      • Husband.pif (PID: 3844)
      • Husband.pif (PID: 6324)

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 5576)
      • Husband.pif (PID: 5040)
      • Husband.pif (PID: 3844)

    • Executing commands from ".cmd" file

      • SolaraBoostrapper.exe (PID: 4044)
      • SolaraBoostrapper.exe (PID: 7112)
      • SolaraBoostrapper.exe (PID: 3836)
      • SolaraBoostrapper.exe (PID: 4180)

    • Suspicious file concatenation

      • cmd.exe (PID: 6576)
      • cmd.exe (PID: 3188)
      • cmd.exe (PID: 1888)

    • Process drops legitimate windows executable

      • Husband.pif (PID: 5040)
      • Husband.pif (PID: 3844)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 5576)
      • cmd.exe (PID: 5380)
      • cmd.exe (PID: 6872)

    • The process creates files with name similar to system file names

      • Husband.pif (PID: 5040)
      • Husband.pif (PID: 3844)

    • Starts a Microsoft application from unusual location

      • RegAsm.exe (PID: 3556)
      • RegAsm.exe (PID: 2212)
      • RegAsm.exe (PID: 476)

    • Reads the date of Windows installation

      • SolaraBoostrapper.exe (PID: 4044)
      • SolaraBoostrapper.exe (PID: 4180)
      • SolaraBoostrapper.exe (PID: 7112)
      • SolaraBoostrapper.exe (PID: 3836)

    • Searches for installed software

      • RegAsm.exe (PID: 3556)
      • RegAsm.exe (PID: 476)
      • RegAsm.exe (PID: 2212)

    • Connects to unusual port

      • RegAsm.exe (PID: 3556)
      • RegAsm.exe (PID: 476)
      • RegAsm.exe (PID: 2212)

  • INFO

    • Manual execution by a user

      • Taskmgr.exe (PID: 6988)
      • firefox.exe (PID: 6120)
      • WinRAR.exe (PID: 6236)
      • Taskmgr.exe (PID: 7056)
      • SolaraBoostrapper.exe (PID: 4044)
      • RegAsm.exe (PID: 3556)
      • SolaraBoostrapper.exe (PID: 4180)
      • SolaraBoostrapper.exe (PID: 7112)
      • SolaraBoostrapper.exe (PID: 3836)
      • RegAsm.exe (PID: 476)
      • RegAsm.exe (PID: 2212)
      • Taskmgr.exe (PID: 2052)
      • Taskmgr.exe (PID: 4532)

    • The process uses the downloaded file

      • firefox.exe (PID: 4172)
      • WinRAR.exe (PID: 6236)

    • Application launched itself

      • firefox.exe (PID: 4172)
      • firefox.exe (PID: 6120)

    • Checks supported languages

      • TextInputHost.exe (PID: 5732)
      • SolaraBoostrapper.exe (PID: 4044)
      • Husband.pif (PID: 5040)
      • RegAsm.exe (PID: 3556)
      • SolaraBoostrapper.exe (PID: 4180)
      • SolaraBoostrapper.exe (PID: 7112)
      • SolaraBoostrapper.exe (PID: 3836)
      • Husband.pif (PID: 3844)
      • Husband.pif (PID: 6324)
      • RegAsm.exe (PID: 476)
      • RegAsm.exe (PID: 2212)

    • Reads Microsoft Office registry keys

      • firefox.exe (PID: 4172)

    • Create files in a temporary directory

      • SolaraBoostrapper.exe (PID: 4044)
      • Husband.pif (PID: 5040)
      • SolaraBoostrapper.exe (PID: 4180)
      • SolaraBoostrapper.exe (PID: 7112)
      • SolaraBoostrapper.exe (PID: 3836)
      • Husband.pif (PID: 3844)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1304)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 1304)

    • Reads the computer name

      • SolaraBoostrapper.exe (PID: 4044)
      • Husband.pif (PID: 5040)
      • TextInputHost.exe (PID: 5732)
      • RegAsm.exe (PID: 3556)
      • SolaraBoostrapper.exe (PID: 4180)
      • SolaraBoostrapper.exe (PID: 7112)
      • SolaraBoostrapper.exe (PID: 3836)
      • Husband.pif (PID: 3844)
      • Husband.pif (PID: 6324)
      • RegAsm.exe (PID: 476)
      • RegAsm.exe (PID: 2212)

    • Process checks computer location settings

      • SolaraBoostrapper.exe (PID: 4044)
      • SolaraBoostrapper.exe (PID: 4180)
      • SolaraBoostrapper.exe (PID: 7112)
      • SolaraBoostrapper.exe (PID: 3836)

    • Reads mouse settings

      • Husband.pif (PID: 5040)
      • Husband.pif (PID: 3844)
      • Husband.pif (PID: 6324)

    • Reads security settings of Internet Explorer

      • Taskmgr.exe (PID: 7056)
      • Taskmgr.exe (PID: 4532)

    • Reads the machine GUID from the registry

      • RegAsm.exe (PID: 3556)
      • RegAsm.exe (PID: 2212)
      • RegAsm.exe (PID: 476)

    • Reads Environment values

      • RegAsm.exe (PID: 3556)
      • RegAsm.exe (PID: 476)
      • RegAsm.exe (PID: 2212)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

RedLine

(PID) Process(3556) RegAsm.exe
C2 (1)185.196.9.26:6302
Botnet@dxrkl0rd
Options
ErrorMessage
Keys
XorBackbit
(PID) Process(2212) RegAsm.exe
C2 (1)185.196.9.26:6302
Botnet@dxrkl0rd
Options
ErrorMessage
Keys
XorBackbit
(PID) Process(476) RegAsm.exe
C2 (1)185.196.9.26:6302
Botnet@dxrkl0rd
Options
ErrorMessage
Keys
XorBackbit
No Malware configuration.

TRiD

.png | Portable Network Graphics (100)

EXIF

PNG

ImageWidth: 480
ImageHeight: 388
BitDepth: 8
ColorType: RGB with Alpha
Compression: Deflate/Inflate
Filter: Adaptive
Interlace: Noninterlaced
SRGBRendering: Relative Colorimetric
PixelsPerUnitX: 2835
PixelsPerUnitY: 2835
PixelUnits: meters

Composite

ImageSize: 480x388
Megapixels: 0.186
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
212
Monitored processes
72
Malicious processes
9
Suspicious processes
3

Behavior graph

Click at the process to see the details
start rundll32.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs textinputhost.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs taskmgr.exe no specs taskmgr.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs winrar.exe no specs winrar.exe solaraboostrapper.exe no specs cmd.exe conhost.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs husband.pif timeout.exe no specs #REDLINE regasm.exe solaraboostrapper.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs solaraboostrapper.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs solaraboostrapper.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs husband.pif timeout.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs husband.pif no specs timeout.exe no specs #REDLINE regasm.exe #REDLINE regasm.exe taskmgr.exe no specs taskmgr.exe

Process information

PID
CMD
Path
Indicators
Parent process
8findstr /I "wrsa.exe opssvc.exe" C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\user32.dll
368"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6768 -childID 7 -isForBrowser -prefsHandle 6688 -prefMapHandle 6692 -prefsLen 32024 -prefMapSize 244343 -jsInitHandle 1528 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13451b10-5a06-40b1-a176-23cbfb6b74db} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" 1e81a92a4d0 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
380findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\user32.dll
476C:\Users\admin\AppData\Local\Temp\313841\RegAsm.exe C:\Users\admin\AppData\Local\Temp\313841\RegAsm.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\users\admin\appdata\local\temp\313841\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
RedLine
(PID) Process(476) RegAsm.exe
C2 (1)185.196.9.26:6302
Botnet@dxrkl0rd
Options
ErrorMessage
Keys
XorBackbit
752"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2952 -childID 1 -isForBrowser -prefsHandle 2944 -prefMapHandle 2940 -prefsLen 30953 -prefMapSize 244343 -jsInitHandle 1528 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eecf31ef-3817-47d6-a694-b032982656a8} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" 1e814e5b150 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
1048tasklist C:\Windows\SysWOW64\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
1060"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7324 -parentBuildID 20240213221259 -sandboxingKind 1 -prefsHandle 7316 -prefMapHandle 6868 -prefsLen 37395 -prefMapSize 244343 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {215b9691-482f-4d42-96c9-8dec0d6cb6cd} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" 1e8176e9310 utilityC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
1
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
1304"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa6236.12728\SolaraV.rarC:\Program Files\WinRAR\WinRAR.exe
WinRAR.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1776timeout 5C:\Windows\SysWOW64\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
1832"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2276 -parentBuildID 20240213221259 -prefsHandle 2268 -prefMapHandle 2264 -prefsLen 30537 -prefMapSize 244343 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd6c1a35-e508-48be-a1b0-0898295f36b1} 4172 "\\.\pipe\gecko-crash-server-pipe.4172" 1e802c80710 socketC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
Total events
51 383
Read events
51 214
Write events
148
Delete events
21

Modification events

(PID) Process:(2628) rundll32.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Photo Viewer\Viewer
Operation:writeName:MainWndPos
Value:
6000000033000000A00400007502000000000000
(PID) Process:(6120) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Launcher
Value:
DA29A67C01000000
(PID) Process:(4172) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Browser
Value:
5DD9A67C01000000
(PID) Process:(4172) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Progress
Value:
0
(PID) Process:(4172) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Progress
Value:
1
(PID) Process:(4172) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Installer\308046B0AF4A39CB
Operation:delete valueName:installer.taskbarpin.win10.enabled
Value:
(PID) Process:(4172) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry
Value:
0
(PID) Process:(4172) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe
Value:
0
(PID) Process:(4172) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Theme
Value:
1
(PID) Process:(4172) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Default Browser Agent
Operation:writeName:C:\Program Files\Mozilla Firefox|DisableTelemetry
Value:
1
Executable files
4
Suspicious files
438
Text files
42
Unknown types
153

Dropped files

PID
Process
Filename
Type
4172firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.binbinary
MD5:297E88D7CEB26E549254EC875649F4EB
SHA256:8B75D4FB1845BAA06122888D11F6B65E6A36B140C54A72CC13DF390FD7C95702
4172firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
MD5:
SHA256:
4172firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
4172firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.jsonbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
4172firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
4172firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\datareporting\glean\db\data.safe.tmpdbf
MD5:3B156E12141F8CBCE9D60CDCE2077617
SHA256:E6287E44B44ABEA20E1B2E3F415D22B9E5E5FBBC155AD9DADBABA63951B2AF6F
4172firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
4172firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\protections.sqlite-journalbinary
MD5:119E618BB17D11BD2DEA923F51474CD9
SHA256:159F3B695BD49A1273726A8FC58F7AEDCDAC706F2F295A62EEF447A73A724990
4172firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walbinary
MD5:833D7C9D0EED17766D3E402B6655B100
SHA256:697E4159EC2F433016E10EC80B31D8ADDC90A85A7C304029514A2BD56647C477
4172firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\SiteSecurityServiceState.binbinary
MD5:841E43059E944B0514DD9CD8B3AEF798
SHA256:F47E1F559AE107FB65FB2F1C33F4883464F6CE2610042F718CDDB3E96FA8D123
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
74
TCP/UDP connections
229
DNS requests
213
Threats
34

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2672
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
1544
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
3040
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
unknown
2672
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
4172
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
unknown
4656
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
unknown
876
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
unknown
4172
firefox.exe
POST
200
184.24.77.45:80
http://r10.o.lencr.org/
unknown
unknown
4172
firefox.exe
POST
200
184.24.77.45:80
http://r10.o.lencr.org/
unknown
unknown
3624
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4032
svchost.exe
239.255.255.250:1900
whitelisted
2672
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3508
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2044
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2672
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
2672
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3040
OfficeClickToRun.exe
20.42.65.89:443
self.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
3040
OfficeClickToRun.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4656
SearchApp.exe
92.123.104.52:443
www.bing.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
self.events.data.microsoft.com
  • 20.42.65.89
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
www.bing.com
  • 92.123.104.52
  • 92.123.104.46
  • 92.123.104.54
  • 92.123.104.56
  • 92.123.104.43
  • 92.123.104.53
  • 92.123.104.50
  • 92.123.104.51
  • 92.123.104.44
whitelisted
login.live.com
  • 40.126.32.76
  • 40.126.32.134
  • 20.190.160.14
  • 40.126.32.136
  • 40.126.32.140
  • 20.190.160.22
  • 40.126.32.133
  • 20.190.160.17
whitelisted
r.bing.com
  • 92.123.104.50
  • 92.123.104.46
  • 92.123.104.43
  • 92.123.104.53
  • 92.123.104.44
  • 92.123.104.51
  • 92.123.104.52
  • 92.123.104.56
  • 92.123.104.54
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted

Threats

PID
Process
Class
Message
2168
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
2168
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
2168
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
2168
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
3556
RegAsm.exe
Potentially Bad Traffic
ET INFO Microsoft net.tcp Connection Initialization Activity
3556
RegAsm.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 32
3556
RegAsm.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC Activity
3556
RegAsm.exe
A Network Trojan was detected
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
3556
RegAsm.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC - Id1Response
3556
RegAsm.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC Activity
5 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
3-1.png