File name:

35e36bc22394d7bedd94e88eb9e1ca7c.exe

Full analysis: https://app.any.run/tasks/d2068a79-617b-4ea6-b505-4d45f399bdb7
Verdict: Malicious activity
Threats:

MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.

Malware Trends Tracker     >>>
Analysis date: May 15, 2025, 18:24:55
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
redline
netreactor
lefthook
metastealer
teapotstealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

35E36BC22394D7BEDD94E88EB9E1CA7C

SHA1:

B6A90D979E1C1DE5B3154E565E4404B7E2C99794

SHA256:

1814C3FDCBFA0B77749550DD1C4365BE2907EFBDB02ED8F677052C77CBA2F46F

SSDEEP:

24576:iZ9enanQtbhhhm37CpcZP29Di4adyLUJIeqCtbo3Zi1ejHmN7RN6NuTuQx1vBUJR:iZ9enanQtbhhhm37CpcZP29Di4adyLU+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • REDLINE has been detected (SURICATA)

      • 35e36bc22394d7bedd94e88eb9e1ca7c.exe (PID: 5588)

    • TEAPOT has been detected

      • 35e36bc22394d7bedd94e88eb9e1ca7c.exe (PID: 5588)

    • Actions looks like stealing of personal data

      • 35e36bc22394d7bedd94e88eb9e1ca7c.exe (PID: 5588)

    • REDLINE has been detected (YARA)

      • 35e36bc22394d7bedd94e88eb9e1ca7c.exe (PID: 5588)

    • Steals credentials from Web Browsers

      • 35e36bc22394d7bedd94e88eb9e1ca7c.exe (PID: 5588)

    • Stealers network behavior

      • 35e36bc22394d7bedd94e88eb9e1ca7c.exe (PID: 5588)

    • METASTEALER has been detected (SURICATA)

      • 35e36bc22394d7bedd94e88eb9e1ca7c.exe (PID: 5588)

    • LEFTHOOK has been detected (SURICATA)

      • 35e36bc22394d7bedd94e88eb9e1ca7c.exe (PID: 5588)

  • SUSPICIOUS

    • Application launched itself

      • 35e36bc22394d7bedd94e88eb9e1ca7c.exe (PID: 4300)

    • Connects to unusual port

      • 35e36bc22394d7bedd94e88eb9e1ca7c.exe (PID: 5588)

    • Contacting a server suspected of hosting an CnC

      • 35e36bc22394d7bedd94e88eb9e1ca7c.exe (PID: 5588)

    • Multiple wallet extension IDs have been found

      • 35e36bc22394d7bedd94e88eb9e1ca7c.exe (PID: 5588)

  • INFO

    • Reads the computer name

      • 35e36bc22394d7bedd94e88eb9e1ca7c.exe (PID: 4300)
      • 35e36bc22394d7bedd94e88eb9e1ca7c.exe (PID: 5588)

    • Checks supported languages

      • 35e36bc22394d7bedd94e88eb9e1ca7c.exe (PID: 4300)
      • 35e36bc22394d7bedd94e88eb9e1ca7c.exe (PID: 5588)

    • Reads the machine GUID from the registry

      • 35e36bc22394d7bedd94e88eb9e1ca7c.exe (PID: 4300)
      • 35e36bc22394d7bedd94e88eb9e1ca7c.exe (PID: 5588)

    • .NET Reactor protector has been detected

      • 35e36bc22394d7bedd94e88eb9e1ca7c.exe (PID: 4300)

    • Disables trace logs

      • 35e36bc22394d7bedd94e88eb9e1ca7c.exe (PID: 5588)

    • Checks proxy server information

      • 35e36bc22394d7bedd94e88eb9e1ca7c.exe (PID: 5588)
      • slui.exe (PID: 4464)

    • Reads the software policy settings

      • 35e36bc22394d7bedd94e88eb9e1ca7c.exe (PID: 5588)
      • slui.exe (PID: 4464)

    • Create files in a temporary directory

      • 35e36bc22394d7bedd94e88eb9e1ca7c.exe (PID: 5588)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

RedLine

(PID) Process(5588) 35e36bc22394d7bedd94e88eb9e1ca7c.exe
C2 (1)185.222.57.92:55615
Botnetcheat
Keys
Xor
Options
ErrorMessage
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2092:11:14 01:06:39+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 541696
InitializedDataSize: 7168
UninitializedDataSize: -
EntryPoint: 0x862e2
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: 先进人工智能平台,提供深度学习、自然语言处理、计算机视觉和知识推理等核心功能
CompanyName: 云梦数智
FileDescription: 灵智·星辰
FileVersion: 0.0.0.0
InternalName: scLQ.exe
LegalCopyright: 云梦数智 © 壬寅年至乙巳年 (2022-2025)
LegalTrademarks: 灵智™ · 星辰系列 · 第五代
OriginalFileName: scLQ.exe
ProductName: 灵智·星辰
ProductVersion: 0.0.0.0
AssemblyVersion: 0.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 35e36bc22394d7bedd94e88eb9e1ca7c.exe no specs #REDLINE 35e36bc22394d7bedd94e88eb9e1ca7c.exe conhost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2236\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe35e36bc22394d7bedd94e88eb9e1ca7c.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4300"C:\Users\admin\Desktop\35e36bc22394d7bedd94e88eb9e1ca7c.exe" C:\Users\admin\Desktop\35e36bc22394d7bedd94e88eb9e1ca7c.exeexplorer.exe
User:
admin
Company:
云梦数智
Integrity Level:
MEDIUM
Description:
灵智·星辰
Exit code:
0
Version:
0.0.0.0
Modules
Images
c:\users\admin\desktop\35e36bc22394d7bedd94e88eb9e1ca7c.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
4464C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5588"C:\Users\admin\Desktop\35e36bc22394d7bedd94e88eb9e1ca7c.exe"C:\Users\admin\Desktop\35e36bc22394d7bedd94e88eb9e1ca7c.exe
35e36bc22394d7bedd94e88eb9e1ca7c.exe
User:
admin
Company:
云梦数智
Integrity Level:
MEDIUM
Description:
灵智·星辰
Exit code:
0
Version:
0.0.0.0
Modules
Images
c:\users\admin\desktop\35e36bc22394d7bedd94e88eb9e1ca7c.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
RedLine
(PID) Process(5588) 35e36bc22394d7bedd94e88eb9e1ca7c.exe
C2 (1)185.222.57.92:55615
Botnetcheat
Keys
Xor
Options
ErrorMessage
Total events
8 627
Read events
8 613
Write events
14
Delete events
0

Modification events

(PID) Process:(5588) 35e36bc22394d7bedd94e88eb9e1ca7c.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\35e36bc22394d7bedd94e88eb9e1ca7c_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(5588) 35e36bc22394d7bedd94e88eb9e1ca7c.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\35e36bc22394d7bedd94e88eb9e1ca7c_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(5588) 35e36bc22394d7bedd94e88eb9e1ca7c.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\35e36bc22394d7bedd94e88eb9e1ca7c_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(5588) 35e36bc22394d7bedd94e88eb9e1ca7c.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\35e36bc22394d7bedd94e88eb9e1ca7c_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(5588) 35e36bc22394d7bedd94e88eb9e1ca7c.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\35e36bc22394d7bedd94e88eb9e1ca7c_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(5588) 35e36bc22394d7bedd94e88eb9e1ca7c.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\35e36bc22394d7bedd94e88eb9e1ca7c_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(5588) 35e36bc22394d7bedd94e88eb9e1ca7c.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\35e36bc22394d7bedd94e88eb9e1ca7c_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(5588) 35e36bc22394d7bedd94e88eb9e1ca7c.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\35e36bc22394d7bedd94e88eb9e1ca7c_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(5588) 35e36bc22394d7bedd94e88eb9e1ca7c.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\35e36bc22394d7bedd94e88eb9e1ca7c_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(5588) 35e36bc22394d7bedd94e88eb9e1ca7c.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\35e36bc22394d7bedd94e88eb9e1ca7c_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
0
Suspicious files
37
Text files
0
Unknown types
1

Dropped files

PID
Process
Filename
Type
558835e36bc22394d7bedd94e88eb9e1ca7c.exeC:\Users\admin\AppData\Local\Temp\tmp372C.tmpbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
558835e36bc22394d7bedd94e88eb9e1ca7c.exeC:\Users\admin\AppData\Local\Temp\tmp3770.tmpbinary
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
558835e36bc22394d7bedd94e88eb9e1ca7c.exeC:\Users\admin\AppData\Local\Temp\tmp36FB.tmpbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
558835e36bc22394d7bedd94e88eb9e1ca7c.exeC:\Users\admin\AppData\Local\Temp\tmp37D8.tmpbinary
MD5:29A644B1F0D96166A05602FE27B3F4AD
SHA256:BF96902FEB97E990A471492F78EE8386BCF430D66BDAEFDEAFBF912C8CF7CE46
558835e36bc22394d7bedd94e88eb9e1ca7c.exeC:\Users\admin\AppData\Local\Temp\tmp374F.tmpsqlite
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
558835e36bc22394d7bedd94e88eb9e1ca7c.exeC:\Users\admin\AppData\Local\Temp\tmp3760.tmpbinary
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
558835e36bc22394d7bedd94e88eb9e1ca7c.exeC:\Users\admin\AppData\Local\Temp\tmp373E.tmpbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
558835e36bc22394d7bedd94e88eb9e1ca7c.exeC:\Users\admin\AppData\Local\Temp\tmp37A6.tmpbinary
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
558835e36bc22394d7bedd94e88eb9e1ca7c.exeC:\Users\admin\AppData\Local\Temp\tmp3771.tmpbinary
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
558835e36bc22394d7bedd94e88eb9e1ca7c.exeC:\Users\admin\AppData\Local\Temp\tmp3793.tmpbinary
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
54
DNS requests
19
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.48.23.194:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2432
RUXIMICS.exe
GET
200
23.48.23.194:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5588
35e36bc22394d7bedd94e88eb9e1ca7c.exe
POST
200
185.222.57.92:55615
http://185.222.57.92:55615/
unknown
unknown
5588
35e36bc22394d7bedd94e88eb9e1ca7c.exe
POST
200
185.222.57.92:55615
http://185.222.57.92:55615/
unknown
unknown
2432
RUXIMICS.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6668
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
6668
SIHClient.exe
GET
200
23.48.23.181:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
6668
SIHClient.exe
GET
200
23.48.23.181:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
6668
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2432
RUXIMICS.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
23.48.23.194:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2432
RUXIMICS.exe
23.48.23.194:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
69.192.161.161:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2432
RUXIMICS.exe
69.192.161.161:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6544
svchost.exe
20.190.160.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.238
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
crl.microsoft.com
  • 23.48.23.194
  • 23.48.23.140
  • 23.48.23.192
  • 23.48.23.139
  • 23.48.23.185
  • 23.48.23.145
  • 23.48.23.143
  • 23.48.23.138
  • 23.48.23.190
  • 23.48.23.181
  • 23.48.23.166
  • 23.48.23.174
  • 23.48.23.175
  • 23.48.23.173
  • 23.48.23.184
  • 23.48.23.189
  • 23.48.23.188
  • 23.48.23.182
whitelisted
www.microsoft.com
  • 69.192.161.161
whitelisted
login.live.com
  • 20.190.160.64
  • 20.190.160.128
  • 20.190.160.20
  • 40.126.32.68
  • 20.190.160.65
  • 20.190.160.14
  • 20.190.160.67
  • 20.190.160.3
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
api.ip.sb
  • 172.67.75.172
  • 104.26.13.31
  • 104.26.12.31
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

PID
Process
Class
Message
5588
35e36bc22394d7bedd94e88eb9e1ca7c.exe
Malware Command and Control Activity Detected
ET MALWARE RedLine Stealer - CheckConnect Response
5588
35e36bc22394d7bedd94e88eb9e1ca7c.exe
A Network Trojan was detected
AV TROJAN RedLine Stealer Config Download
5588
35e36bc22394d7bedd94e88eb9e1ca7c.exe
A Network Trojan was detected
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
5588
35e36bc22394d7bedd94e88eb9e1ca7c.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
35e36bc22394d7bedd94e88eb9e1ca7c.exe