File name: RFQ_Order_NB678476_RH2025.com

Full analysis: https://app.any.run/tasks/c9339a23-8c71-426e-8dbd-9b0b2901af9d
Verdict: Malicious activity
Threats:

MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.

Analysis date: March 24, 2025, 16:48:42
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
redline
metastealer
purecrypter
remote
xworm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: DEA6345737332D700577DED23C693A87
SHA1: 73678213F6ECD0FCE19A7C2508157B503CC79D42
SHA256: 635E75F0DBD929BFD1AB929D781C7755CAF502E41AF8F29652C2AC0852C012E7
SSDEEP: 98304:aE1kY415TT8FLBcktUxXoU8mHYLn7z6o1OH0qZ9WbsU7QIKARmvGtd28CSJMNFLC:CT8FLBck+S

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • PURECRYPTER has been detected (YARA)

      • RFQ_Order_NB678476_RH2025.com.exe (PID: 7596)
    • Create files in the Startup directory

      • RFQ_Order_NB678476_RH2025.com.exe (PID: 7596)
    • Connects to the CnC server

      • build.exe (PID: 6516)
      • build.exe (PID: 2284)
    • REDLINE has been detected (SURICATA)

      • build.exe (PID: 6516)
      • build.exe (PID: 2284)
    • METASTEALER has been detected (SURICATA)

      • build.exe (PID: 6516)
      • build.exe (PID: 2284)
    • Actions look like stealing of personal data

      • build.exe (PID: 6516)
      • build.exe (PID: 2284)
    • Steals credentials from Web Browsers

      • build.exe (PID: 6516)
      • build.exe (PID: 2284)
    • XWORM has been detected (YARA)

      • XClient.exe (PID: 4620)
    • XWORM has been detected (SURICATA)

      • XClient.exe (PID: 4620)
    • REDLINE has been detected (YARA)

      • build.exe (PID: 6516)
      • build.exe (PID: 2284)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • RFQ_Order_NB678476_RH2025.com.exe (PID: 7596)
      • XClient.exe (PID: 4620)
      • RFQ_Order_NB678476_RH2025.com.exe (PID: 7528)
    • Reads security settings of Internet Explorer

      • RFQ_Order_NB678476_RH2025.com.exe (PID: 7528)
      • BlockSizeValue.exe (PID: 6644)
    • Connects to unusual port

      • build.exe (PID: 6516)
      • XClient.exe (PID: 4620)
      • build.exe (PID: 2284)
    • Contacting a server suspected of hosting a CnC

      • XClient.exe (PID: 4620)
    • The process executes via Task Scheduler

      • default-browser-agent.exe (PID: 8140)
    • Loads DLL from Mozilla Firefox

      • default-browser-agent.exe (PID: 8140)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 2108)
    • There is functionality for taking screenshot (YARA)

      • build.exe (PID: 6516)
      • build.exe (PID: 2284)
    • Multiple wallet extension IDs have been found

      • build.exe (PID: 2284)
    • Executes application which crashes

      • BlockSizeValue.exe (PID: 6644)
  • INFO

    • Reads the computer name

      • RFQ_Order_NB678476_RH2025.com.exe (PID: 7596)
      • RFQ_Order_NB678476_RH2025.com.exe (PID: 7528)
      • build.exe (PID: 6516)
      • XClient.exe (PID: 4620)
      • BlockSizeValue.exe (PID: 1188)
      • BlockSizeValue.exe (PID: 6644)
      • build.exe (PID: 2284)
    • Checks supported languages

      • RFQ_Order_NB678476_RH2025.com.exe (PID: 7596)
      • RFQ_Order_NB678476_RH2025.com.exe (PID: 7528)
      • build.exe (PID: 6516)
      • XClient.exe (PID: 4620)
      • BlockSizeValue.exe (PID: 6644)
    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 7668)
      • BackgroundTransferHost.exe (PID: 2136)
      • BackgroundTransferHost.exe (PID: 7960)
      • BackgroundTransferHost.exe (PID: 5608)
      • BackgroundTransferHost.exe (PID: 8160)
    • Reads the machine GUID from the registry

      • RFQ_Order_NB678476_RH2025.com.exe (PID: 7596)
      • RFQ_Order_NB678476_RH2025.com.exe (PID: 7528)
      • build.exe (PID: 6516)
      • XClient.exe (PID: 4620)
      • BlockSizeValue.exe (PID: 1188)
      • build.exe (PID: 2284)
    • Creates files or folders in the user directory

      • BackgroundTransferHost.exe (PID: 7960)
      • RFQ_Order_NB678476_RH2025.com.exe (PID: 7596)
      • XClient.exe (PID: 4620)
      • WerFault.exe (PID: 2096)
    • Checks proxy server information

      • BackgroundTransferHost.exe (PID: 7960)
      • slui.exe (PID: 7984)
    • Manual execution by a user

      • RFQ_Order_NB678476_RH2025.com.exe (PID: 7528)
      • wscript.exe (PID: 2108)
      • BlockSizeValue.exe (PID: 6644)
    • Autorun file from Startup directory

      • RFQ_Order_NB678476_RH2025.com.exe (PID: 7596)
    • Reads the software policy settings

      • BackgroundTransferHost.exe (PID: 7960)
      • slui.exe (PID: 7984)
    • Create files in a temporary directory

      • RFQ_Order_NB678476_RH2025.com.exe (PID: 7528)
      • BlockSizeValue.exe (PID: 6644)
    • Process checks computer location settings

      • RFQ_Order_NB678476_RH2025.com.exe (PID: 7528)
    • Application launched itself

      • firefox.exe (PID: 7948)

RedLine

(PID) Process: (6516) build.exe
C2 (1): 204.10.161.147:7082
Botnet: success
Keys: Xor
Options: ErrorMessage

(PID) Process: (2284) build.exe
C2 (1): 204.10.161.147:7082
Botnet: success
Keys: Xor
Options: ErrorMessage

XWorm

(PID) Process: (4620) XClient.exe
C2: 204.10.161.147:7081
Keys: AES <123456789>
Options:
Splitter: <Xwormmm>
Sleep time: 3
USB drop name: XWorm V5.6
Mutex: XoFHv1TT4hWErxRo

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:22 09:30:23+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 1721344
InitializedDataSize: 178688
UninitializedDataSize: -
EntryPoint: 0x1a631e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: Dfihxaguda
FileVersion: 1.0.0.0
InternalName: Dfihxaguda.exe
LegalCopyright: Copyright © 2013
LegalTrademarks: -
OriginalFileName: Dfihxaguda.exe
ProductName: Dfihxaguda
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
All screenshots are available in the full report
Total processes: 149
Monitored processes: 18
Malicious processes: 6
Suspicious processes: 1

Behavior graph

Process nodes in the order the graph shows them (family tags in brackets; "no specs" marks a process with no specific indicators): start, rfq_order_nb678476_rh2025.com.exe [PURECRYPTER], backgroundtransferhost.exe (no specs), backgroundtransferhost.exe, backgroundtransferhost.exe (no specs), backgroundtransferhost.exe (no specs), backgroundtransferhost.exe (no specs), rfq_order_nb678476_rh2025.com.exe, build.exe [REDLINE], xclient.exe [XWORM], slui.exe, default-browser-agent.exe (no specs), firefox.exe (no specs), firefox.exe (no specs), wscript.exe (no specs), blocksizevalue.exe (no specs), blocksizevalue.exe, build.exe [REDLINE], werfault.exe (no specs)

Process information

Fields per process record: PID, CMD, Path, Indicators, Parent process
PID: 1188
CMD: "C:\Users\admin\AppData\Roaming\BlockSizeValue.exe"
Path: C:\Users\admin\AppData\Roaming\BlockSizeValue.exe
Parent process: wscript.exe
User: admin
Integrity Level: MEDIUM
Description: Dfihxaguda
Exit code: 4294967295
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\roaming\blocksizevalue.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 2096
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6644 -s 1576
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: BlockSizeValue.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 2108
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BlockSizeValue.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules (images):
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2136
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Download/Upload Host
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 2284
CMD: "C:\Users\admin\AppData\Local\Temp\build.exe"
Path: C:\Users\admin\AppData\Local\Temp\build.exe
Parent process: BlockSizeValue.exe
User: admin
Integrity Level: MEDIUM
Description: XHP
Exit code: 0
Version: 12.9.1.22
Modules (images):
c:\users\admin\appdata\local\temp\build.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
PID: 4620
CMD: "C:\Users\admin\AppData\Local\Temp\XClient.exe"
Path: C:\Users\admin\AppData\Local\Temp\XClient.exe
Parent process: RFQ_Order_NB678476_RH2025.com.exe
User: admin
Integrity Level: MEDIUM
Description: -
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\xclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 5608
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Download/Upload Host
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 6516
CMD: "C:\Users\admin\AppData\Local\Temp\build.exe"
Path: C:\Users\admin\AppData\Local\Temp\build.exe
Parent process: RFQ_Order_NB678476_RH2025.com.exe
User: admin
Integrity Level: MEDIUM
Description: XHP
Exit code: 0
Version: 12.9.1.22
Modules (images):
c:\users\admin\appdata\local\temp\build.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 6644
CMD: "C:\Users\admin\AppData\Roaming\BlockSizeValue.exe"
Path: C:\Users\admin\AppData\Roaming\BlockSizeValue.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Dfihxaguda
Exit code: 3762504530
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\roaming\blocksizevalue.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
PID: 7248
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask defaultagent do-task 308046B0AF4A39CB
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 3
Version: 123.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
Total events: 15 926
Read events: 15 909
Write events: 17
Delete events: 0

Modification events

(PID) Process: (7668) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write | Name: CachePrefix | Value: (empty)

(PID) Process: (7668) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write | Name: CachePrefix | Value: Cookie:

(PID) Process: (7668) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write | Name: CachePrefix | Value: Visited:

(PID) Process: (7960) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write | Name: CachePrefix | Value: (empty)

(PID) Process: (7960) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write | Name: CachePrefix | Value: Cookie:

(PID) Process: (7960) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write | Name: CachePrefix | Value: Visited:

(PID) Process: (8160) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write | Name: CachePrefix | Value: Visited:

(PID) Process: (8160) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write | Name: CachePrefix | Value: (empty)

(PID) Process: (8160) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write | Name: CachePrefix | Value: Cookie:

(PID) Process: (5608) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write | Name: CachePrefix | Value: (empty)
Executable files: 4
Suspicious files: 9
Text files: 4
Unknown types: 0

Dropped files

Fields per entry: PID, Process, Filename, Type, MD5, SHA256 ("-" where the report lists no value)

PID 7960, BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\e6826d6b-2918-4f6f-b759-7974303210f1.down_data
Type: - | MD5: - | SHA256: -

PID 2096, WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BlockSizeValue.e_498b8eed37f8727ceeac72bd189c414c6b9c7_8eed158b_847faedc-c37a-48dc-b8e8-19dfb0944abc\Report.wer
Type: - | MD5: - | SHA256: -

PID 2096, WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\BlockSizeValue.exe.6644.dmp
Type: - | MD5: - | SHA256: -

PID 7960, BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\e5145979-0e05-4479-9989-6f7aee3b6c6f.42397dbc-234e-413e-8d72-644585a9a5ae.down_meta
Type: binary | MD5: 7C1FB32B55A4B8271E6A964B1F7EDE06 | SHA256: EED2061B835442E5566333212503F96EDD38A3FDC4F8782636F720090BDE78DE

PID 7960, BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\e5145979-0e05-4479-9989-6f7aee3b6c6f.up_meta_secure
Type: binary | MD5: C58B5DAA0C2BDF282FADF1E616A85DA8 | SHA256: 09382AC9FA6149A8632FCD5659997975FCD160E324010FBC50F43B7EB10815E3

PID 4620, XClient.exe
Filename: C:\Users\admin\AppData\Roaming\XClient.exe
Type: executable | MD5: F298510C3C663FE4EE5DFB82EA0F6E7E | SHA256: FF7439A707BF4A2978A263628FA1211B2B2E32636B71B2EFBE21F59C22947850

PID 7528, RFQ_Order_NB678476_RH2025.com.exe
Filename: C:\Users\admin\AppData\Local\Temp\XClient.exe
Type: executable | MD5: F298510C3C663FE4EE5DFB82EA0F6E7E | SHA256: FF7439A707BF4A2978A263628FA1211B2B2E32636B71B2EFBE21F59C22947850

PID 7596, RFQ_Order_NB678476_RH2025.com.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BlockSizeValue.vbs
Type: text | MD5: 0A4AE5463F8AFD98864F2D4DBC1E71CB | SHA256: 6981E33C8740BA9BCC751D973E002A6E63A91C905A4ECF9C3D685520267A0348

PID 2096, WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER57AE.tmp.WERInternalMetadata.xml
Type: binary | MD5: 13549DB8CD481D4C28F20CE960BF6865 | SHA256: 6862FFDD27130A47383D6276F5A68F0998DD5203D36136967003CDE74B0D296D

PID 7248, firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\93u99co2.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\prefs-1.js
Type: text | MD5: E53B45291344F2E8AD9669D85D00F8C4 | SHA256: 35EC25191E2C0D247944C5B871FD130CC57A9DB70ED6AF66FCCC5B3354FBF922
HTTP(S) requests: 35
TCP/UDP connections: 55
DNS requests: 17
Threats: 55

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
("-" marks a cell the extracted table left blank)
2104 | svchost.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 304 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
5228 | SIHClient.exe | GET | 200 | 23.48.23.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
5228 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
5228 | SIHClient.exe | GET | 200 | 23.48.23.137:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
5228 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.31.73:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
- | - | POST | 400 | 40.126.31.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 200 | 20.190.159.68:443 | https://login.live.com/RST2.srf | unknown | xml | 1.35 Kb | whitelisted
- | - | POST | 400 | 40.126.31.3:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
("-" marks a cell the extracted table left blank)
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 20.190.159.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5972 | backgroundTaskHost.exe | 20.31.169.57:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 20.190.159.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7960 | BackgroundTransferHost.exe | 2.23.227.215:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59 | whitelisted
login.live.com | 20.190.159.68, 20.190.159.128, 40.126.31.71, 20.190.159.0, 40.126.31.3, 40.126.31.128, 40.126.31.2, 40.126.31.73 | whitelisted
client.wns.windows.com | 40.113.110.67 | whitelisted
google.com | 172.217.18.14 | whitelisted
arc.msn.com | 20.31.169.57 | whitelisted
crl.microsoft.com | 2.16.168.114, 2.16.168.124, 23.48.23.137, 23.48.23.140, 23.48.23.193, 23.48.23.194, 23.48.23.134, 23.48.23.135, 23.48.23.188, 23.48.23.190, 23.48.23.185 | whitelisted
www.bing.com | 2.23.227.215, 2.23.227.208 | whitelisted
slscr.update.microsoft.com | 4.175.87.197 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.95.31.18 | whitelisted

Threats

PID | Process | Class | Message
6516 | build.exe | Potentially Bad Traffic | ET INFO Microsoft net.tcp Connection Initialization Activity
6516 | build.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity
6516 | build.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC - Id1Response
6516 | build.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
6516 | build.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity
6516 | build.exe | A Network Trojan was detected | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
6516 | build.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity
6516 | build.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity
4620 | XClient.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm TCP Packet
6516 | build.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity