General Info

URL

https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Trojan.Bladabindi/Trojan.Bladabindi.zip?raw=true

Full analysis
https://app.any.run/tasks/4186113b-c55e-4fd1-94fc-0985344dcddf
Verdict
Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market and comes with an abundance of educational material; interested attackers can even find tutorials on YouTube. This has made it one of the most popular RATs in the world.

Analysis date
14/01/2022, 21:20:20
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

rat

njrat

bladabindi

Indicators:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.0.9600.19596 KB4534251
  • Adobe Acrobat Reader DC (20.013.20064)
  • Adobe Flash Player 32 ActiveX (32.0.0.453)
  • Adobe Flash Player 32 NPAPI (32.0.0.453)
  • Adobe Flash Player 32 PPAPI (32.0.0.453)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.74)
  • FileZilla Client 3.51.0 (3.51.0)
  • Google Chrome (86.0.4240.198)
  • Google Update Helper (1.3.36.31)
  • Java 8 Update 271 (8.0.2710.9)
  • Java Auto Updater (2.8.271.9)
  • Microsoft .NET Framework 4.5.2 (4.5.51209)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 83.0 (x86 en-US) (83.0)
  • Mozilla Maintenance Service (83.0.0.7621)
  • Notepad++ (32-bit x86) (7.9.1)
  • Opera 12.15 (12.15.1748)
  • QGA (2.14.33)
  • Skype version 8.29 (8.29)
  • VLC media player (3.0.11)
  • WinRAR 5.91 (32-bit) (5.91.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2479943
  • KB2491683
  • KB2506212
  • KB2506928
  • KB2532531
  • KB2533552
  • KB2533623
  • KB2534111
  • KB2545698
  • KB2547666
  • KB2552343
  • KB2560656
  • KB2564958
  • KB2574819
  • KB2579686
  • KB2585542
  • KB2604115
  • KB2620704
  • KB2621440
  • KB2631813
  • KB2639308
  • KB2640148
  • KB2653956
  • KB2654428
  • KB2656356
  • KB2660075
  • KB2667402
  • KB2676562
  • KB2685811
  • KB2685813
  • KB2685939
  • KB2690533
  • KB2698365
  • KB2705219
  • KB2719857
  • KB2726535
  • KB2727528
  • KB2729094
  • KB2729452
  • KB2731771
  • KB2732059
  • KB2736422
  • KB2742599
  • KB2750841
  • KB2758857
  • KB2761217
  • KB2770660
  • KB2773072
  • KB2786081
  • KB2789645
  • KB2799926
  • KB2800095
  • KB2807986
  • KB2808679
  • KB2813347
  • KB2813430
  • KB2820331
  • KB2834140
  • KB2836942
  • KB2836943
  • KB2840631
  • KB2843630
  • KB2847927
  • KB2852386
  • KB2853952
  • KB2857650
  • KB2861698
  • KB2862152
  • KB2862330
  • KB2862335
  • KB2864202
  • KB2868038
  • KB2871997
  • KB2872035
  • KB2884256
  • KB2891804
  • KB2893294
  • KB2893519
  • KB2894844
  • KB2900986
  • KB2908783
  • KB2911501
  • KB2912390
  • KB2918077
  • KB2919469
  • KB2923545
  • KB2931356
  • KB2937610
  • KB2943357
  • KB2952664
  • KB2968294
  • KB2970228
  • KB2972100
  • KB2972211
  • KB2973112
  • KB2973201
  • KB2977292
  • KB2978120
  • KB2978742
  • KB2984972
  • KB2984976
  • KB2984976 SP1
  • KB2985461
  • KB2991963
  • KB2992611
  • KB2999226
  • KB3004375
  • KB3006121
  • KB3006137
  • KB3010788
  • KB3011780
  • KB3013531
  • KB3019978
  • KB3020370
  • KB3020388
  • KB3021674
  • KB3021917
  • KB3022777
  • KB3023215
  • KB3030377
  • KB3031432
  • KB3035126
  • KB3037574
  • KB3042058
  • KB3045685
  • KB3046017
  • KB3046269
  • KB3054476
  • KB3055642
  • KB3059317
  • KB3060716
  • KB3061518
  • KB3067903
  • KB3068708
  • KB3071756
  • KB3072305
  • KB3074543
  • KB3075226
  • KB3078667
  • KB3080149
  • KB3086255
  • KB3092601
  • KB3093513
  • KB3097989
  • KB3101722
  • KB3102429
  • KB3102810
  • KB3107998
  • KB3108371
  • KB3108664
  • KB3109103
  • KB3109560
  • KB3110329
  • KB3115858
  • KB3118401
  • KB3122648
  • KB3123479
  • KB3126587
  • KB3127220
  • KB3133977
  • KB3137061
  • KB3138378
  • KB3138612
  • KB3138910
  • KB3139398
  • KB3139914
  • KB3140245
  • KB3147071
  • KB3150220
  • KB3150513
  • KB3155178
  • KB3156016
  • KB3159398
  • KB3161102
  • KB3161949
  • KB3170735
  • KB3172605
  • KB3179573
  • KB3184143
  • KB3185319
  • KB4019990
  • KB4040980
  • KB4474419
  • KB4490628
  • KB4524752
  • KB4532945
  • KB4536952
  • KB4567409
  • KB958488
  • KB976902
  • KB982018
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • Package 21 for KB2984976
  • Package 38 for KB2984976
  • Package 45 for KB2984976
  • Package 59 for KB2984976
  • Package 7 for KB2984976
  • Package 76 for KB2984976
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • RDP BlueIP Package TopLevel
  • RDP WinIP Package TopLevel
  • RollupFix
  • UltimateEdition
  • WUClient SelfUpdate ActiveX
  • WUClient SelfUpdate Aux TopLevel
  • WUClient SelfUpdate Core TopLevel
  • WinMan WinIP Package TopLevel

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • hostr.exe (PID: 1820)
  • hostr.exe (PID: 3132)
  • hostr.exe (PID: 2200)
  • hostr.exe (PID: 3280)
Drops executable file immediately after starts
  • hostr.exe (PID: 3132)
  • hostr.exe (PID: 3280)
Writes to a start menu file
  • hostr.exe (PID: 3280)
NJRAT was detected
  • hostr.exe (PID: 3280)
Changes the autorun value in the registry
  • hostr.exe (PID: 3280)
Checks supported languages
  • hostr.exe (PID: 1820)
  • WinRAR.exe (PID: 4028)
  • hostr.exe (PID: 3132)
  • hostr.exe (PID: 2200)
  • hostr.exe (PID: 3280)
Reads the computer name
  • hostr.exe (PID: 1820)
  • WinRAR.exe (PID: 4028)
  • hostr.exe (PID: 3132)
  • hostr.exe (PID: 2200)
  • hostr.exe (PID: 3280)
Application launched itself
  • hostr.exe (PID: 1820)
  • hostr.exe (PID: 2200)
Executable content was dropped or overwritten
  • WinRAR.exe (PID: 4028)
  • hostr.exe (PID: 3132)
  • hostr.exe (PID: 3280)
Starts itself from another location
  • hostr.exe (PID: 3132)
Creates files in the user directory
  • hostr.exe (PID: 3280)
Reads Environment values
  • netsh.exe (PID: 3608)
  • hostr.exe (PID: 3280)
Uses NETSH.EXE for network configuration
  • hostr.exe (PID: 3280)
Reads the computer name
  • firefox.exe (PID: 2080)
  • firefox.exe (PID: 2724)
  • firefox.exe (PID: 3328)
  • firefox.exe (PID: 2980)
  • firefox.exe (PID: 308)
  • firefox.exe (PID: 3096)
  • firefox.exe (PID: 3324)
  • netsh.exe (PID: 3608)
  • msconfig.exe (PID: 976)
Application launched itself
  • firefox.exe (PID: 2080)
  • firefox.exe (PID: 3660)
Checks supported languages
  • firefox.exe (PID: 3660)
  • firefox.exe (PID: 2080)
  • firefox.exe (PID: 3096)
  • firefox.exe (PID: 2980)
  • firefox.exe (PID: 308)
  • firefox.exe (PID: 3328)
  • firefox.exe (PID: 2724)
  • firefox.exe (PID: 3324)
  • netsh.exe (PID: 3608)
  • msconfig.exe (PID: 976)
Reads CPU info
  • firefox.exe (PID: 2080)
Checks Windows Trust Settings
  • firefox.exe (PID: 2080)
Reads the date of Windows installation
  • firefox.exe (PID: 2080)
Creates files in the program directory
  • firefox.exe (PID: 2080)
Creates files in the user directory
  • firefox.exe (PID: 2080)
Manual execution by user
  • hostr.exe (PID: 1820)
  • WinRAR.exe (PID: 4028)
  • msconfig.exe (PID: 976)
  • msconfig.exe (PID: 2916)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Processes

Total processes
56
Monitored processes
16
Malicious processes
2
Suspicious processes
1

Behavior graph

Graph image omitted; nodes shown in the graph (edge legend: start, drop and start):
  • firefox.exe (no specs)
  • firefox.exe
  • firefox.exe (no specs), six further instances
  • winrar.exe
  • hostr.exe (no specs)
  • hostr.exe
  • hostr.exe (no specs)
  • hostr.exe (#NJRAT)
  • netsh.exe (no specs)
  • msconfig.exe (no specs)
  • msconfig.exe
Specs description
  • Program did not start
  • Integrity level elevation
  • Task contains an error or was rebooted
  • Process has crashed
  • Task contains several apps running
  • Executable file was dropped
  • Debug information is available
  • Process was injected
  • Network attacks were detected
  • Application downloaded the executable file
  • Actions similar to stealing personal data
  • Behavior similar to exploiting the vulnerability
  • Inspected object has suspicious PE structure
  • File is detected by antivirus software
  • CPU overrun
  • RAM overrun
  • Process starts the services
  • Process was added to the startup
  • Behavior similar to spam
  • Low-level access to the HDD
  • Probably Tor was used
  • System was rebooted
  • Connects to the network
  • Known threat

Process information

PID
3660
CMD
"C:\Program Files\Mozilla Firefox\firefox.exe" "https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Trojan.Bladabindi/Trojan.Bladabindi.zip?raw=true"
Path
C:\Program Files\Mozilla Firefox\firefox.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Mozilla Corporation
Description
Firefox
Version
83.0
Modules
Image
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\version.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\program files\mozilla firefox\api-ms-win-crt-runtime-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-locale-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-filesystem-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-environment-l1-1-0.dll
c:\windows\system32\cryptbase.dll
c:\program files\mozilla firefox\api-ms-win-core-timezone-l1-1-0.dll
c:\program files\mozilla firefox\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\dbghelp.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\api-ms-win-core-localization-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-heap-l1-1-0.dll
c:\windows\system32\apphelp.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\api-ms-win-core-synch-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\sechost.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\api-ms-win-crt-string-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-math-l1-1-0.dll
c:\windows\system32\msctf.dll
c:\program files\mozilla firefox\api-ms-win-core-processthreads-l1-1-1.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l2-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-stdio-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-convert-l1-1-0.dll
c:\windows\system32\lpk.dll
c:\windows\system32\imm32.dll
c:\program files\mozilla firefox\api-ms-win-crt-time-l1-1-0.dll
c:\windows\system32\usp10.dll

PID
2080
CMD
"C:\Program Files\Mozilla Firefox\firefox.exe" https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Trojan.Bladabindi/Trojan.Bladabindi.zip?raw=true
Path
C:\Program Files\Mozilla Firefox\firefox.exe
Indicators
Parent process
firefox.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Mozilla Corporation
Description
Firefox
Version
83.0
Modules
Image
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\imm32.dll
c:\windows\system32\nsi.dll
c:\program files\mozilla firefox\ucrtbase.dll
c:\program files\mozilla firefox\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\psapi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\api-ms-win-crt-math-l1-1-0.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\kbdus.dll
c:\program files\mozilla firefox\lgpllibs.dll
c:\program files\mozilla firefox\api-ms-win-crt-heap-l1-1-0.dll
c:\windows\system32\devobj.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\dwrite.dll
c:\program files\mozilla firefox\firefox.exe
c:\program files\mozilla firefox\api-ms-win-crt-string-l1-1-0.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\profapi.dll
c:\program files\mozilla firefox\api-ms-win-crt-multibyte-l1-1-0.dll
c:\windows\system32\sechost.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l2-1-0.dll
c:\windows\system32\avrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\winmm.dll
c:\program files\mozilla firefox\xul.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ws2_32.dll
c:\program files\mozilla firefox\api-ms-win-core-synch-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-filesystem-l1-1-0.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\version.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dbghelp.dll
c:\program files\mozilla firefox\api-ms-win-crt-environment-l1-1-0.dll
c:\program files\mozilla firefox\d3dcompiler_47.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\crypt32.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l1-2-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\wtsapi32.dll
c:\program files\mozilla firefox\api-ms-win-crt-stdio-l1-1-0.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ntdll.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcrt.dll
c:\program files\mozilla firefox\api-ms-win-crt-runtime-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-core-processthreads-l1-1-1.dll
c:\program files\mozilla firefox\api-ms-win-core-timezone-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-time-l1-1-0.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wsock32.dll
c:\program files\mozilla firefox\api-ms-win-core-localization-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-convert-l1-1-0.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\usp10.dll
c:\windows\system32\kernel32.dll
c:\program files\mozilla firefox\api-ms-win-crt-locale-l1-1-0.dll
c:\windows\system32\ole32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\winsta.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\wpc.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\mscms.dll
c:\windows\system32\samcli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\netutils.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\samlib.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\audioses.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\d2d1.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\program files\mozilla firefox\softokn3.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\program files\mozilla firefox\freebl3.dll
c:\windows\system32\secur32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\program files\mozilla firefox\nssckbi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\webio.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\duser.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\dui70.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\wshext.dll
c:\windows\system32\windowscodecs.dll
c:\program files\winrar\winrar.exe
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\system32\msisip.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\imageres.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscui.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\slc.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\sxs.dll
c:\windows\system32\shdocvw.dll
c:\program files\internet explorer\ieproxy.dll

PID
2724
CMD
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.0.1345385875\778016606" -parentBuildID 20201112153044 -prefsHandle 1132 -prefMapHandle 1120 -prefsLen 1 -prefMapSize 238726 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 1220 gpu
Path
C:\Program Files\Mozilla Firefox\firefox.exe
Indicators
No indicators
Parent process
firefox.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Mozilla Corporation
Description
Firefox
Version
83.0
Modules
Image
c:\program files\mozilla firefox\msvcp140.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\crypt32.dll
c:\program files\mozilla firefox\api-ms-win-crt-filesystem-l1-1-0.dll
c:\windows\system32\lpk.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\iphlpapi.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\avrt.dll
c:\program files\mozilla firefox\api-ms-win-crt-stdio-l1-1-0.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\kernel32.dll
c:\program files\mozilla firefox\api-ms-win-crt-string-l1-1-0.dll
c:\windows\system32\wintrust.dll
c:\program files\mozilla firefox\api-ms-win-core-synch-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-time-l1-1-0.dll
c:\windows\system32\nsi.dll
c:\program files\mozilla firefox\d3dcompiler_47.dll
c:\program files\mozilla firefox\api-ms-win-crt-runtime-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-core-localization-l1-2-0.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ntdll.dll
c:\program files\mozilla firefox\api-ms-win-crt-heap-l1-1-0.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\program files\mozilla firefox\api-ms-win-core-processthreads-l1-1-1.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\imm32.dll
c:\program files\mozilla firefox\lgpllibs.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cfgmgr32.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\windows\system32\dwmapi.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\ucrtbase.dll
c:\windows\system32\shlwapi.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l2-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-environment-l1-1-0.dll
c:\windows\system32\user32.dll
c:\program files\mozilla firefox\xul.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dhcpcsvc.dll
c:\program files\mozilla firefox\api-ms-win-core-timezone-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-convert-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-locale-l1-1-0.dll
c:\windows\system32\winmm.dll
c:\program files\mozilla firefox\nss3.dll
c:\program files\mozilla firefox\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\sechost.dll
c:\program files\mozilla firefox\api-ms-win-crt-math-l1-1-0.dll
c:\windows\system32\usp10.dll
c:\program files\mozilla firefox\api-ms-win-crt-multibyte-l1-1-0.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\wtsapi32.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l1-2-0.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\ksuser.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\evr.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\dxva2.dll
c:\windows\system32\wship6.dll
c:\windows\system32\mf.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\atl.dll
c:\windows\system32\mfplat.dll

PID
3096
CMD
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.6.1970295046\1512721138" -childID 1 -isForBrowser -prefsHandle 2880 -prefMapHandle 2876 -prefsLen 181 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 2892 tab
Path
C:\Program Files\Mozilla Firefox\firefox.exe
Indicators
No indicators
Parent process
firefox.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Mozilla Corporation
Description
Firefox
Version
83.0
Modules
Image
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\api-ms-win-core-localization-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-core-processthreads-l1-1-1.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\program files\mozilla firefox\api-ms-win-crt-multibyte-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\cfgmgr32.dll
c:\program files\mozilla firefox\mozglue.dll
c:\program files\mozilla firefox\api-ms-win-core-synch-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-convert-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-environment-l1-1-0.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\lpk.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wshtcpip.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\user32.dll
c:\windows\system32\avrt.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\api-ms-win-crt-heap-l1-1-0.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\wintrust.dll
c:\program files\mozilla firefox\api-ms-win-crt-runtime-l1-1-0.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\kernel32.dll
c:\program files\mozilla firefox\api-ms-win-core-timezone-l1-1-0.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\winmm.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\advapi32.dll
c:\program files\mozilla firefox\api-ms-win-crt-stdio-l1-1-0.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\setupapi.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\ucrtbase.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\usp10.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\dwrite.dll
c:\program files\mozilla firefox\api-ms-win-crt-filesystem-l1-1-0.dll
c:\windows\system32\dxgi.dll
c:\program files\mozilla firefox\xul.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\wship6.dll
c:\windows\system32\clbcatq.dll
c:\program files\mozilla firefox\api-ms-win-crt-math-l1-1-0.dll
c:\windows\system32\gdi32.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-locale-l1-1-0.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l2-1-0.dll
c:\windows\system32\msctf.dll
c:\program files\mozilla firefox\d3dcompiler_47.dll
c:\windows\system32\wpc.dll
c:\program files\mozilla firefox\api-ms-win-crt-string-l1-1-0.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\api-ms-win-crt-time-l1-1-0.dll
c:\program files\mozilla firefox\lgpllibs.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll
c:\windows\system32\samcli.dll

PID
308
CMD
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.13.1311578479\543549496" -childID 2 -isForBrowser -prefsHandle 3152 -prefMapHandle 3148 -prefsLen 6644 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 3164 tab
Path
C:\Program Files\Mozilla Firefox\firefox.exe
Indicators
No indicators
Parent process
firefox.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Mozilla Corporation
Description
Firefox
Version
83.0
Modules
Image
c:\windows\system32\wevtapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpc.dll
c:\windows\system32\samcli.dll
c:\program files\mozilla firefox\api-ms-win-crt-runtime-l1-1-0.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\sechost.dll
c:\windows\system32\dbghelp.dll
c:\program files\mozilla firefox\api-ms-win-crt-stdio-l1-1-0.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wshtcpip.dll
c:\program files\mozilla firefox\api-ms-win-crt-locale-l1-1-0.dll
c:\program files\mozilla firefox\xul.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\api-ms-win-crt-string-l1-1-0.dll
c:\windows\system32\lpk.dll
c:\windows\system32\imm32.dll
c:\windows\system32\cryptbase.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l1-2-0.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\program files\mozilla firefox\api-ms-win-core-processthreads-l1-1-1.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wtsapi32.dll
c:\program files\mozilla firefox\api-ms-win-core-timezone-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-convert-l1-1-0.dll
c:\windows\system32\sspicli.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\rpcrt4.dll
c:\program files\mozilla firefox\api-ms-win-crt-time-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-filesystem-l1-1-0.dll
c:\windows\system32\winmm.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\pnrpnsp.dll
c:\program files\mozilla firefox\api-ms-win-core-localization-l1-2-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\winrnr.dll
c:\program files\mozilla firefox\mozglue.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l2-1-0.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\wship6.dll
c:\program files\mozilla firefox\ucrtbase.dll
c:\program files\mozilla firefox\api-ms-win-crt-math-l1-1-0.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctf.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\dwrite.dll
c:\program files\mozilla firefox\api-ms-win-crt-environment-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-utility-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-multibyte-l1-1-0.dll
c:\windows\system32\wsock32.dll
c:\program files\mozilla firefox\lgpllibs.dll
c:\windows\system32\shell32.dll
c:\windows\system32\dxgi.dll
c:\program files\mozilla firefox\d3dcompiler_47.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\api-ms-win-core-synch-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-heap-l1-1-0.dll
c:\windows\system32\avrt.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\program files\mozilla firefox\freebl3.dll
c:\program files\mozilla firefox\softokn3.dll

PID
2980
CMD
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.20.1706066929\226551640" -childID 3 -isForBrowser -prefsHandle 3644 -prefMapHandle 3144 -prefsLen 7307 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 3628 tab
Path
C:\Program Files\Mozilla Firefox\firefox.exe
Indicators
No indicators
Parent process
firefox.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Mozilla Corporation
Description
Firefox
Version
83.0
Modules
Image
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\api-ms-win-crt-locale-l1-1-0.dll
c:\windows\system32\lpk.dll
c:\windows\system32\shell32.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\api-ms-win-core-localization-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-heap-l1-1-0.dll
c:\windows\system32\user32.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\wintrust.dll
c:\windows\system32\dbghelp.dll
c:\program files\mozilla firefox\api-ms-win-crt-runtime-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-core-timezone-l1-1-0.dll
c:\windows\system32\ole32.dll
c:\program files\mozilla firefox\api-ms-win-crt-stdio-l1-1-0.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\napinsp.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\dhcpcsvc.dll
c:\program files\mozilla firefox\api-ms-win-core-processthreads-l1-1-1.dll
c:\program files\mozilla firefox\api-ms-win-crt-filesystem-l1-1-0.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\profapi.dll
c:\program files\mozilla firefox\api-ms-win-crt-convert-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-multibyte-l1-1-0.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\program files\mozilla firefox\mozglue.dll
c:\program files\mozilla firefox\ucrtbase.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l2-1-0.dll
c:\windows\system32\winmm.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\avrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll
c:\program files\mozilla firefox\lgpllibs.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\wtsapi32.dll
c:\program files\mozilla firefox\d3dcompiler_47.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\api-ms-win-crt-string-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\program files\mozilla firefox\api-ms-win-core-synch-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-math-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-environment-l1-1-0.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\crypt32.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l1-2-0.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\dwmapi.dll
c:\program files\mozilla firefox\api-ms-win-crt-time-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\nsi.dll
c:\program files\mozilla firefox\xul.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\samlib.dll
c:\program files\mozilla firefox\softokn3.dll
c:\windows\system32\samcli.dll
c:\windows\system32\wpc.dll
c:\windows\system32\netutils.dll
c:\program files\mozilla firefox\freebl3.dll

PID
3328
CMD
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.27.1448391918\507484362" -childID 4 -isForBrowser -prefsHandle 3868 -prefMapHandle 3864 -prefsLen 7470 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 3888 tab
Path
C:\Program Files\Mozilla Firefox\firefox.exe
Indicators
No indicators
Parent process
firefox.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Mozilla Corporation
Description
Firefox
Version
83.0
Modules
Image
c:\windows\system32\winrnr.dll
c:\windows\system32\profapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\program files\mozilla firefox\d3dcompiler_47.dll
c:\windows\system32\devobj.dll
c:\program files\mozilla firefox\lgpllibs.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\program files\mozilla firefox\xul.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\ntmarta.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l1-2-0.dll
c:\windows\system32\sechost.dll
c:\windows\system32\avrt.dll
c:\windows\system32\crypt32.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\iphlpapi.dll
c:\program files\mozilla firefox\api-ms-win-core-processthreads-l1-1-1.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\api-ms-win-crt-convert-l1-1-0.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\dbghelp.dll
c:\program files\mozilla firefox\api-ms-win-core-timezone-l1-1-0.dll
c:\program files\mozilla firefox\ucrtbase.dll
c:\program files\mozilla firefox\firefox.exe
c:\program files\mozilla firefox\api-ms-win-crt-math-l1-1-0.dll
c:\windows\system32\lpk.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dxgi.dll
c:\program files\mozilla firefox\api-ms-win-crt-environment-l1-1-0.dll
c:\windows\system32\winmm.dll
c:\windows\system32\imm32.dll
c:\windows\system32\dwmapi.dll
c:\program files\mozilla firefox\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\program files\mozilla firefox\api-ms-win-crt-string-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-time-l1-1-0.dll
c:\windows\system32\wintrust.dll
c:\program files\mozilla firefox\api-ms-win-crt-stdio-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-multibyte-l1-1-0.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
c:\program files\mozilla firefox\api-ms-win-crt-utility-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-filesystem-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\program files\mozilla firefox\api-ms-win-crt-locale-l1-1-0.dll
c:\windows\system32\winnsi.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\d3d11.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l2-1-0.dll
c:\windows\system32\shell32.dll
c:\program files\mozilla firefox\api-ms-win-core-localization-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-heap-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\program files\mozilla firefox\api-ms-win-crt-runtime-l1-1-0.dll
c:\windows\system32\ole32.dll

PID
3324
CMD
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.28.1906240146\987921710" -childID 5 -isForBrowser -prefsHandle 3904 -prefMapHandle 3760 -prefsLen 7470 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 3924 tab
Path
C:\Program Files\Mozilla Firefox\firefox.exe
Indicators
No indicators
Parent process
firefox.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Mozilla Corporation
Description
Firefox
Version
83.0
Modules
Image
c:\program files\mozilla firefox\api-ms-win-crt-runtime-l1-1-0.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\sechost.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\windows\system32\kernel32.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\msasn1.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\dbghelp.dll
c:\program files\mozilla firefox\api-ms-win-core-localization-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-core-processthreads-l1-1-1.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\ucrtbase.dll
c:\windows\system32\winmm.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l2-1-0.dll
c:\windows\system32\dnsapi.dll
c:\program files\mozilla firefox\api-ms-win-crt-math-l1-1-0.dll
c:\program files\mozilla firefox\xul.dll
c:\program files\mozilla firefox\api-ms-win-core-timezone-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-string-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\ole32.dll
c:\program files\mozilla firefox\api-ms-win-crt-heap-l1-1-0.dll
c:\windows\system32\lpk.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\nlaapi.dll
c:\program files\mozilla firefox\api-ms-win-core-synch-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-time-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-convert-l1-1-0.dll
c:\windows\system32\wship6.dll
c:\program files\mozilla firefox\api-ms-win-crt-stdio-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wshqos.dll
c:\program files\mozilla firefox\api-ms-win-crt-multibyte-l1-1-0.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\program files\mozilla firefox\d3dcompiler_47.dll
c:\windows\system32\wshtcpip.dll
c:\program files\mozilla firefox\api-ms-win-crt-filesystem-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-environment-l1-1-0.dll
c:\windows\system32\cfgmgr32.dll
c:\program files\mozilla firefox\lgpllibs.dll
c:\windows\system32\avrt.dll
c:\windows\system32\devobj.dll
c:\windows\system32\winrnr.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l1-2-0.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\program files\mozilla firefox\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\msctf.dll
c:\windows\system32\userenv.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\pnrpnsp.dll
c:\program files\mozilla firefox\api-ms-win-crt-locale-l1-1-0.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\iphlpapi.dll

PID
4028
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Trojan.Bladabindi.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.91.0
Modules
Image
c:\windows\system32\lpk.dll
c:\windows\system32\imageres.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\user32.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\devobj.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\duser.dll
c:\windows\system32\advapi32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\dui70.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\imm32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\cscui.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched20.dll
c:\windows\system32\mpr.dll
c:\windows\system32\winsta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\slc.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\secur32.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\netutils.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\drprov.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\samlib.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrtremote.dll

PID
1820
CMD
"C:\Users\admin\Desktop\hostr.exe"
Path
C:\Users\admin\Desktop\hostr.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\imm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sechost.dll
c:\users\admin\desktop\hostr.exe
c:\windows\system32\kernelbase.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\23349d393ecff063c3152fcf5229b2ab\mscorlib.ni.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\e10fc0c922927179f29b495cf47d62dc\system.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\32611a460efdd579a68a09bf3d065e0c\microsoft.visualbasic.ni.dll
c:\windows\system32\shlwapi.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\8f5842a3d4d666059db685b319e3a5b3\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\91efd50cedcf22003233d52464c01816\system.windows.forms.ni.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\rsaenh.dll

PID
3132
CMD
C:\Users\admin\Desktop\hostr.exe
Path
C:\Users\admin\Desktop\hostr.exe
Indicators
Parent process
hostr.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\users\admin\desktop\hostr.exe
c:\windows\system32\apphelp.dll
c:\windows\system32\devobj.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\user32.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\8f5842a3d4d666059db685b319e3a5b3\system.drawing.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\userenv.dll
c:\windows\system32\propsys.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\23349d393ecff063c3152fcf5229b2ab\mscorlib.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\32611a460efdd579a68a09bf3d065e0c\microsoft.visualbasic.ni.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\usp10.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\e10fc0c922927179f29b495cf47d62dc\system.ni.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\users\admin\appdata\local\temp\hostr.exe
c:\windows\system32\shlwapi.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\imm32.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\lpk.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\91efd50cedcf22003233d52464c01816\system.windows.forms.ni.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\normaliz.dll

PID
2200
CMD
"C:\Users\admin\AppData\Local\Temp\hostr.exe"
Path
C:\Users\admin\AppData\Local\Temp\hostr.exe
Indicators
No indicators
Parent process
hostr.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\windows\system32\msctf.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\imm32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gdi32.dll
c:\users\admin\appdata\local\temp\hostr.exe
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\advapi32.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\32611a460efdd579a68a09bf3d065e0c\microsoft.visualbasic.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\23349d393ecff063c3152fcf5229b2ab\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\e10fc0c922927179f29b495cf47d62dc\system.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cryptsp.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\91efd50cedcf22003233d52464c01816\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\8f5842a3d4d666059db685b319e3a5b3\system.drawing.ni.dll
c:\windows\system32\rpcrtremote.dll

PID
3280
CMD
C:\Users\admin\AppData\Local\Temp\hostr.exe
Path
C:\Users\admin\AppData\Local\Temp\hostr.exe
Indicators
Parent process
hostr.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\windows\system32\advapi32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\shlwapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\8f5842a3d4d666059db685b319e3a5b3\system.drawing.ni.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll
c:\windows\system32\lpk.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\users\admin\appdata\local\temp\hostr.exe
c:\windows\system32\ntdll.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\e10fc0c922927179f29b495cf47d62dc\system.ni.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\23349d393ecff063c3152fcf5229b2ab\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\kernel32.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\91efd50cedcf22003233d52464c01816\system.windows.forms.ni.dll
c:\windows\system32\imm32.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\32611a460efdd579a68a09bf3d065e0c\microsoft.visualbasic.ni.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\94fe1557aab4bc059482da7d99e97641\system.configuration.ni.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\wshtcpip.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\992b101b45c1e2e5563fee65ab5fd691\system.xml.ni.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\psapi.dll

PID
3608
CMD
netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\hostr.exe" "hostr.exe" ENABLE
Path
C:\Windows\system32\netsh.exe
Indicators
No indicators
Parent process
hostr.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Network Command Shell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\gdi32.dll
c:\windows\system32\nshhttp.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\eappcfg.dll
c:\windows\system32\nettrace.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\dot3api.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\nshipsec.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\mfc42u.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\version.dll
c:\windows\system32\whhelper.dll
c:\windows\system32\userenv.dll
c:\windows\system32\p2pnetsh.dll
c:\windows\system32\wwancfg.dll
c:\windows\system32\netsh.exe
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\odbc32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\fwcfg.dll
c:\windows\system32\netiohlp.dll
c:\windows\system32\webio.dll
c:\windows\system32\adsldpc.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mpr.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\peerdistsh.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\activeds.dll
c:\windows\system32\p2p.dll
c:\windows\system32\nshwfp.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\ifmon.dll
c:\windows\system32\nci.dll
c:\windows\system32\dot3cfg.dll
c:\windows\system32\ndfapi.dll
c:\windows\system32\rasman.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ws2help.dll
c:\windows\system32\devobj.dll
c:\windows\system32\netutils.dll
c:\windows\system32\polstore.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\wshelper.dll
c:\windows\system32\netshell.dll
c:\windows\system32\rpcnsh.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wlanhlp.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\odbcint.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\atl.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msctf.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\httpapi.dll
c:\windows\system32\napmontr.dll
c:\windows\system32\certcli.dll
c:\windows\system32\tdh.dll
c:\windows\system32\wcnnetsh.dll
c:\windows\system32\credui.dll
c:\windows\system32\ole32.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\dhcpcmonitor.dll
c:\windows\system32\hnetmon.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\wdi.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\dhcpqec.dll
c:\windows\system32\qutil.dll
c:\windows\system32\winipsec.dll
c:\windows\system32\imm32.dll
c:\windows\system32\rasmontr.dll
c:\windows\system32\authfwcfg.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wlancfg.dll
c:\windows\system32\wwapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\onex.dll
c:\windows\system32\secur32.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\tsgqec.dll
c:\windows\system32\eapqec.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\napipsec.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\qagent.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcryptprimitives.dll

PID
2916
CMD
"C:\Windows\system32\msconfig.exe"
Path
C:\Windows\system32\msconfig.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Microsoft Corporation
Description
System Configuration Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ntdll.dll
c:\windows\system32\msconfig.exe

PID
976
CMD
"C:\Windows\system32\msconfig.exe"
Path
C:\Windows\system32\msconfig.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
20
Version:
Company
Microsoft Corporation
Description
System Configuration Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ole32.dll
c:\windows\system32\svchost.exe
c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe
c:\windows\system32\user32.dll
c:\windows\system32\atl.dll
c:\windows\system32\alg.exe
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\lpk.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msconfig.exe
c:\windows\system32\odbc32.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\imm32.dll
c:\windows\microsoft.net\framework\v4.0.30319\aspnet_state.exe
c:\windows\system32\mfc42u.dll
c:\windows\system32\odbcint.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
c:\windows\system32\lsass.exe
c:\windows\ehome\ehsched.exe
c:\windows\microsoft.net\framework\v3.0\wpf\presentationfontcache.exe
c:\windows\system32\fxssvc.exe
c:\program files\common files\microsoft shared\ime14\shared\imeklmg.exe
c:\windows\servicing\trustedinstaller.exe
c:\windows\system32\bcrypt.dll
c:\windows\system32\dllhost.exe
c:\program files\google\chrome\application\86.0.4240.198\elevation_service.exe
c:\windows\system32\ieetwcollector.exe
c:\program files\common files\microsoft shared\ime14\shared\imedictupdate.exe
c:\windows\system32\msiexec.exe
c:\windows\ehome\ehrecvr.exe
c:\program files\mozilla maintenance service\maintenanceservice.exe
c:\windows\system32\spoolsv.exe
c:\windows\system32\wbengine.exe
c:\windows\system32\ui0detect.exe
c:\windows\microsoft.net\framework\v3.0\windows communication foundation\infocard.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\vssvc.exe
c:\windows\system32\msxml3.dll
c:\windows\system32\locator.exe
c:\program files\windows media player\wmpnetwk.exe
c:\windows\system32\searchindexer.exe
c:\program files\common files\microsoft shared\source engine\ose.exe
c:\windows\system32\snmptrap.exe
c:\windows\system32\vds.exe
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe
c:\windows\system32\clbcatq.dll
c:\program files\microsoft\skype for desktop\skype.exe
c:\program files\common files\java\java update\jusched.exe
c:\program files\ccleaner\ccleaner.exe
c:\program files\microsoft office\office14\onenotem.exe
c:\users\admin\appdata\local\temp\hostr.exe

Registry activity

Total events
13061
Read events
0
Write events
429
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3660
firefox.exe
write
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
C:\Program Files\Mozilla Firefox\firefox.exe|Launcher
0FF8672150000000
2080
firefox.exe
write
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
C:\Program Files\Mozilla Firefox\firefox.exe|Browser
4801682150000000
2080
firefox.exe
write
HKEY_CURRENT_USER\Software\Mozilla\Firefox\DllPrefetchExperiment
C:\Program Files\Mozilla Firefox\firefox.exe
0
2080
firefox.exe
write
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
C:\Program Files\Mozilla Firefox|ServicesSettingsServer
https://firefox.settings.services.mozilla.com/v1
2080
firefox.exe
write
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
C:\Program Files\Mozilla Firefox|DisableTelemetry
1
2080
firefox.exe
write
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
C:\Program Files\Mozilla Firefox|SecurityContentSignatureRootHash
97:E8:BA:9C:F1:2F:B3:DE:53:CC:42:A4:E6:57:7E:D6:4D:F4:93:C2:47:B4:14:FE:A0:36:81:8D:38:23:56:0E
2080
firefox.exe
write
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
C:\Program Files\Mozilla Firefox|DisableDefaultBrowserAgent
0
2080
firefox.exe
write
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry
0
2080
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2080
firefox.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
2080
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2080
firefox.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Program Files\WinRAR\WinRAR.exe
WinRAR archiver
2080
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2080
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2080
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2080
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2080
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadNetworkName
Network 4
2080
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecisionReason
1
2080
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecisionTime
ED7F10908C09D801
2080
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadDecision
0
2080
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadDecisionTime
ED7F10908C09D801
2080
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadDecisionReason
1
2080
firefox.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecision
0
4028
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
4028
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
2
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
4028
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
4028
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
1
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
4028
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\Trojan.Bladabindi.zip
4028
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
4028
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
4028
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
4028
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
4028
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
4028
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface
ShowPassword
0
4028
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_2
38000000730100000400000000000000D4D0C800000000000000000000000000700101000000000016000000640000000000000003000000
4028
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
4028
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
4028
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
4028
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCD000000500000008D04000045020000
4028
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
4028
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
4028
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
4028
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_0
38000000730100000402000000000000D4D0C800000000000000000000000000840101000000000039000000B40200000000000001000000
4028
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_1
38000000730100000500000000000000D4D0C8000000000000000000000000008601010000000000160000002A0000000000000002000000
4028
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General
LastFolder
C:\Users\admin\AppData\Local\Temp
3132
hostr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
3132
hostr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
3132
hostr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
3132
hostr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
3280
hostr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ec83b2d446200dcd0392570446c898a3
"C:\Users\admin\AppData\Local\Temp\hostr.exe" ..
3280
hostr.exe
write
HKEY_CURRENT_USER\Environment
SEE_MASK_NOZONECHECKS
1
3280
hostr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ec83b2d446200dcd0392570446c898a3
"C:\Users\admin\AppData\Local\Temp\hostr.exe" ..
3608
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
3608
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
@%SystemRoot%\system32\dhcpqec.dll,-102
Microsoft Corporation
3608
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
@%SystemRoot%\system32\dhcpqec.dll,-100
DHCP Quarantine Enforcement Client
3608
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
@%SystemRoot%\system32\tsgqec.dll,-101
Provides RD Gateway enforcement for NAP
3608
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
@%SystemRoot%\system32\napipsec.dll,-4
1.0
3608
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
@%SystemRoot%\system32\napipsec.dll,-3
Microsoft Corporation
3608
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
@%SystemRoot%\system32\dhcpqec.dll,-101
Provides DHCP based enforcement for NAP
3608
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
@%SystemRoot%\system32\tsgqec.dll,-102
1.0
3608
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
@%SystemRoot%\system32\napipsec.dll,-1
IPsec Relying Party
3608
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
@%SystemRoot%\system32\tsgqec.dll,-103
Microsoft Corporation
3608
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
@%SystemRoot%\system32\napipsec.dll,-2
Provides IPsec based enforcement for Network Access Protection
3608
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
@%SystemRoot%\system32\eapqec.dll,-103
Microsoft Corporation
3608
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
@%SystemRoot%\system32\tsgqec.dll,-100
RD Gateway Quarantine Enforcement Client
3608
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
@%SystemRoot%\system32\eapqec.dll,-100
EAP Quarantine Enforcement Client
3608
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
@%SystemRoot%\system32\dhcpqec.dll,-103
1.0
3608
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
@%SystemRoot%\system32\eapqec.dll,-102
1.0
3608
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
@%SystemRoot%\system32\eapqec.dll,-101
Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.

Files activity

Executable files
3
Suspicious files
116
Text files
32
Unknown types
23

Dropped files

PID
Process
Filename
Type
3132
hostr.exe
C:\Users\admin\AppData\Local\Temp\hostr.exe
executable
MD5: 5a559b6d223c79f3736dc52794636cfd
SHA256: 6f201afc797370ac6e33fafec41a794a2eb44c1bfd7d9079e3633ebe7bbb41e1
3280
hostr.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ec83b2d446200dcd0392570446c898a3.exe
executable
MD5: 5a559b6d223c79f3736dc52794636cfd
SHA256: 6f201afc797370ac6e33fafec41a794a2eb44c1bfd7d9079e3633ebe7bbb41e1
4028
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRb4028.39453\hostr.exe
executable
MD5: 5a559b6d223c79f3736dc52794636cfd
SHA256: 6f201afc797370ac6e33fafec41a794a2eb44c1bfd7d9079e3633ebe7bbb41e1
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
binary
MD5: 1713f849c5ee70939bdadb991d5afaed
SHA256: ebc525cfa700ae70d7a8abd318586ce4de44cbeec75ba22ca4d397b0917026ea
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\aborted-session-ping.tmp
text
MD5: 1cb155bedfe3c297ea15458872d96309
SHA256: 8924798d03df0b27e8fe129b80415da3eb3f6d8b0f6dfd0e182be763987040ef
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\webappsstore.sqlite-shm
binary
MD5: b7c14ec6110fa820ca6b65f5aec85911
SHA256: fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2022-01\1642195253397.2ac39c04-5d92-4b0d-b3cb-4a89878a07e4.event.jsonlz4
jsonlz4
MD5: d6985890f38763c8e38da5d3cd156031
SHA256: 71627c4c192fbfd8eaed7e1b1e1fb18888f427103aac041fe364cbce0c9651a9
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\session-state.json.tmp
binary
MD5: 894946fb627fad244144116c5d0b0a21
SHA256: 1ff304ea76499c755ce43797c60aff402ca0eb08ab4ff5facb4f997372a152e6
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\session-state.json
binary
MD5: 894946fb627fad244144116c5d0b0a21
SHA256: 1ff304ea76499c755ce43797c60aff402ca0eb08ab4ff5facb4f997372a152e6
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal
binary
MD5: 45f63abe90e7d7cd8211a1d5a6fe4ebc
SHA256: 969db14beb4042c3d32ab25b3f0a09b11423e022d4e28c8b09ba5c5a348bdf53
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\startupCache.4.little
binary
MD5: 995d7ab7bac1ae9c341a19d496effdb0
SHA256: 55fc4fdb781c69530cd14ccd64d3ec31575749c1a89d86387ce5e68d9d9f0f39
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2022-01\1642195253398.a284136f-4358-4941-b64e-322c16fe09ad.main.jsonlz4
jsonlz4
MD5: 3e57628fa9f93d9d739f6f6995a12819
SHA256: 9d3da4ad717c07402f00023a562c1e55c0351cf3d2fde9556ed4a9f6b911c88b
3280
hostr.exe
C:\Users\admin\AppData\Local\Temp\hostr.exe.tmp
text
MD5: 2269d9cc92c226b60e6a53bc5ca30622
SHA256: 985ec64269613666211ab26ddea1bb5680b04fa1452aa9ead69f2a1db9352c7e
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
sqlite
MD5: b89b9cf4583dd38694c353e044cb4229
SHA256: 476d1f4756f4070fc96771f7ee6e5ee634fa98bbdf43917bdf130b2b4c66993a
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\places.sqlite
––
MD5:  ––
SHA256:  ––
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite
sqlite
MD5: 9d59088535fe44eac384b55bcef917a1
SHA256: 1d516e763ec39ec67eaa4ab37d2c6a567b2a011883df5634048a0cc4d6c8d229
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
binary
MD5: b86e5845f68ffbb75c92014bff348e84
SHA256: 1f7829e809ea08e440ca31ac18680bb60a5778bbb6ebe32c72570f114baa8217
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\xulstore.json.tmp
binary
MD5: b35a798338c2335edf7bc42654562094
SHA256: 14c0a45c4ddae9f8247f60dbeca09b2fd7a9e516e7b6a1d10ec90fc475fe4bbb
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2022-01\1642195253398.a284136f-4358-4941-b64e-322c16fe09ad.main.jsonlz4.tmp
jsonlz4
MD5: 3e57628fa9f93d9d739f6f6995a12819
SHA256: 9d3da4ad717c07402f00023a562c1e55c0351cf3d2fde9556ed4a9f6b911c88b
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2022-01\1642195253397.2ac39c04-5d92-4b0d-b3cb-4a89878a07e4.event.jsonlz4.tmp
jsonlz4
MD5: d6985890f38763c8e38da5d3cd156031
SHA256: 71627c4c192fbfd8eaed7e1b1e1fb18888f427103aac041fe364cbce0c9651a9
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-wal
sqlite-wal
MD5: d4d9bfb21be9db093dadeacbfd4d25b3
SHA256: 7629d7613b493923440659365a3fc0b4eaf6ce910e2f19fe55a3238a7704477b
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\aborted-session-ping
text
MD5: 1cb155bedfe3c297ea15458872d96309
SHA256: 8924798d03df0b27e8fe129b80415da3eb3f6d8b0f6dfd0e182be763987040ef
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal
––
MD5:  ––
SHA256:  ––
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\xulstore.json
binary
MD5: b35a798338c2335edf7bc42654562094
SHA256: 14c0a45c4ddae9f8247f60dbeca09b2fd7a9e516e7b6a1d10ec90fc475fe4bbb
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\places.sqlite-shm
binary
MD5: 312e53ee3c5327db2596a39e88de016d
SHA256: c8b77683c9313f25d7a8db8bf0edaeed945edb4d319921a941659ac8cce4dd44
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\favicons.sqlite-shm
binary
MD5: b7c14ec6110fa820ca6b65f5aec85911
SHA256: fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
binary
MD5: 948a7403e323297c6bb8a5c791b42866
SHA256: 2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\protections.sqlite
sqlite
MD5: ab6932ff3cd41882d7d1f3933a7bfe4d
SHA256: fad412d51d25447605a54611f2cd2b3c3dd4ac188f6f3da8533f496ac8717fb9
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json
binary
MD5: 948a7403e323297c6bb8a5c791b42866
SHA256: 2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore.jsonlz4
jsonlz4
MD5: c44892d72dc15ec668c685ca26f94ce0
SHA256: 39bf4289b23c1c08b9477a0f99a7d3847eb3126764dedf48f1b4cfd773991463
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\SiteSecurityServiceState.txt
text
MD5: a5a5da69756d2eaf84941186829da4b7
SHA256: 6d0f7fbec383d3106412d34ddcddc3c0054c1e3f2f89a3d05671e349d78d67a5
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpset
binary
MD5: 86b1acdbf1fc7201d0eb7c85ee75f5af
SHA256: a0f4c83316cd66525f663cd72a2dc8bd1b2aa2e40d599b8b6f334d61c5d03098
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpset
binary
MD5: 35d8fd43d868d7bba7041362eb8101b3
SHA256: 104c2467e4f7bc7cac0ce0e456d5abd8c192c2c8c44f7c9a38412a59abdd1772
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\places.sqlite-wal
sqlite-wal
MD5: 6a8ccb381d5e0ef566d2f273d0a46be5
SHA256: 04b3a9d9d2caca6407c7624b445e49af4ac10343500246a0bf539d44233ba65c
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstore
binary
MD5: 373411cebf6e3bcb89d8bfa632409bf1
SHA256: c1d5b95b18ff02514bda0ec7865d9468c3a89e5c3ba2ebd3d4284fd8fcd463d4
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstore
binary
MD5: 3b11b562807fef504fe671ded4d0e8ce
SHA256: 9bf05adc119cdd219347572787a9b7e18308c4465a8f440c34c697b2f5cd479f
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
text
MD5: 67c6fc5d2d77f60ebb386368a6e759c3
SHA256: e22a6515e1af1996b45b3e04d44f3e6ec2d46bc0768408914e0287a9f4ab58ea
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstore
binary
MD5: 58fbc7f7687cc8798aea35b7066eb198
SHA256: 3a2035ad8446c71242daa9eaf3818b87f673d0429e4f5334621905b47a1c3df5
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-fingerprinting-track-digest256.vlpset
binary
MD5: fa7667eeed0b53973506278ece958e62
SHA256: 0d55a21e6694fce19f366f9e5351a02d215d378541dbc38df68645b63b56d8bf
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js
text
MD5: 67c6fc5d2d77f60ebb386368a6e759c3
SHA256: e22a6515e1af1996b45b3e04d44f3e6ec2d46bc0768408914e0287a9f4ab58ea
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore.jsonlz4.tmp
jsonlz4
MD5: c44892d72dc15ec668c685ca26f94ce0
SHA256: 39bf4289b23c1c08b9477a0f99a7d3847eb3126764dedf48f1b4cfd773991463
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-cryptomining-track-digest256.sbstore
binary
MD5: d6c5c2e242df3ec5ff8e17dd8ee15f73
SHA256: f0c6512e42f2732b3aa401f9ab4df84c0a89c9755968b158796706a48b9f492a
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\protections.sqlite-journal
binary
MD5: 817243c86af9543e153f4d5c74f1f36f
SHA256: 66ebac7cb49a26442638fcf5c003f1d5506e82bc92ab2c4cf8c1c58c400980c4
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm
binary
MD5: 2c554e0bfe17bfa13bf9062bbc8f5610
SHA256: 50b68694808a7b8e8148dcdae58e4467c0959bfb9f2f4812bc3a89dd71514140
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpset
binary
MD5: 3303aa4bcb02d27f1a8b6aff30c1dd9c
SHA256: 6f33ccfcf9767b612657242c2819c325cfdf17b8d92224db588a886f7ec2d26e
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\except-flashsubdoc-digest256.vlpset
binary
MD5: 0c0d67875bd75a0227c02dd8529ba01a
SHA256: 614be0169ec36e67223eb9645a98da66dbfde5dfbb89bb064f428aaeabdd9d97
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-fingerprinting-track-digest256.sbstore
binary
MD5: daa7abdb5ed1dbf8877f4028092e32f6
SHA256: b8f20b14ad5291b4528df859129b301f367a9885f417f9807821d5a386352530
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-cryptomining-track-digest256.vlpset
binary
MD5: 7d532b89a987d92def1d7aabbaad62ab
SHA256: 7cb574be3e783d6876740dbca525d868677307a52dddd67ac84665ccfaae895e
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google-trackwhite-digest256.vlpset
binary
MD5: e54e5b84194eee15e64d2a03f1136bb7
SHA256: 07707b589be3dba3bb0bdac67760a2b180ea3531e9d7976b73e4c1d8df9dbb1e
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\block-flashsubdoc-digest256.vlpset
binary
MD5: 40165280ff1345b5241ec2a9d1da2af0
SHA256: f80bdd5341d8b1ee946e344e258ef2d35c3c0bb6b13eb7b3e6a77467dfa8b97f
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\block-flash-digest256.sbstore
binary
MD5: 9f6b331aa1e070dcfeed473e76ce56c3
SHA256: 7dbbea2dd387eeb85e1f56e02fc9989acde570cd43bfef2c2a827093ba87da6d
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\except-flash-digest256.vlpset
binary
MD5: c2994d388f8780c87d35c352d9582985
SHA256: 7ed09f7d2bd632f70077a4ae4f2bd2f3fb654b03cd72652f51678b0c7d027f25
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\block-flash-digest256.vlpset
binary
MD5: 130b9ac2beec5ada274561105d81ae36
SHA256: 7d99fec08182a5b95d18d1569edaa2c60c2aafbd15a56d8882f22f3b395e6460
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\except-flash-digest256.sbstore
binary
MD5: d5d6b4d59b4ae4e2de4b40d0da083571
SHA256: 000e3a78c72a210ca3b5417a3cdd294fbce2a31661601c9d594c75cf2800571c
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google-trackwhite-digest256.sbstore
binary
MD5: fec9bc354a7ee92c6feefe63e6b0fa26
SHA256: 258ef8e6994a09ffb54bd0d5afec97c13c31f2eefb7fe90a2a4c487c87817519
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\block-flashsubdoc-digest256.sbstore
binary
MD5: b9556d03aff392142ad5691d2f867310
SHA256: cfd3909b41c1ee3cbcb8b7d2b1378065e7d3b543fff1f2fb7a4f25c5ff41722c
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\allow-flashallow-digest256.sbstore
binary
MD5: dd0458514c9a922b45da6a8bebe47320
SHA256: d27d5b27030f4725249377951beb89e84a90a0e8241f0d5fd80ea59c1606e761
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\allow-flashallow-digest256.vlpset
binary
MD5: de0d88480c24350c59e1e9a3583de0d1
SHA256: 01ba9f0b913e04ed10bd7166796483dd4f72005f249d6ee68b12117be4b5d3c7
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\mozstd-trackwhite-digest256.sbstore
binary
MD5: 92a93e4c81027f5788873296c6e2875b
SHA256: 4358b8f0af157cf2ef36a3a8bd152a528d32cfe98a2e0ae66207dbdb1d943efa
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\social-track-digest256.sbstore
binary
MD5: 59d2d3a9ff42621ae974078bcaabd9bc
SHA256: 7371e8534c31c4bff73e340413d77c988593a0e559418b0f2a5b34b9c82dddd2
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\except-flashallow-digest256.sbstore
binary
MD5: dd0458514c9a922b45da6a8bebe47320
SHA256: d27d5b27030f4725249377951beb89e84a90a0e8241f0d5fd80ea59c1606e761
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\mozstd-trackwhite-digest256.vlpset
binary
MD5: c8663695a49bb5fb5a301d1a7233db6c
SHA256: 498d10d381ed91be12cff65292813bcccd676176bcf614534ab7ba0e5536306e
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\except-flashsubdoc-digest256.sbstore
binary
MD5: 22698b4cf784dbbae2d583f00491d43d
SHA256: 3849563088ae0677d61702a1310fde26de5ddd846d53037222d3efe012197bf5
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\except-flashallow-digest256.vlpset
binary
MD5: 7194b6bff691a056852a51e2e06ce8fe
SHA256: cbe2dc6abfe25bead60f4dfaf419fc0f441ff8a8dd4a2febf5553be1cbd90c49
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-phish-proto.vlpset
––
MD5:  ––
SHA256:  ––
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-wal
––
MD5:  ––
SHA256:  ––
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\ads-track-digest256.vlpset
binary
MD5: 38f55098ab1772e8a7b90a05cb33cfae
SHA256: fd44a8121e20cf102d8fd79d6ee45d55ccb0d92893907091bb7587ed3b274244
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\social-track-digest256.vlpset
binary
MD5: e1edde17e24b61c5b26d7b76ba039463
SHA256: c2c4612b7b9545751f37b302ee345abd0f22170c7cc2497320897b385d508b7f
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\mozplugin-block-digest256.sbstore
binary
MD5: 519beb1b01fc355bb388f1f75be997fd
SHA256: ffe2d3077b81ae6f51b220c1c661b276c823fa67dad1d64fc5f17249fc54bdc0
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\content-track-digest256.vlpset
binary
MD5: 897401403f6a9bbc2727bf8acfa8bbaf
SHA256: 75157865105c44c1220c337aeff723e7b2e4aef506ce7db00e2621d5ceaf45b8
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\analytics-track-digest256.sbstore
binary
MD5: ae706abfaecfd90d67e5c965091e004e
SHA256: 13cbf8a5389a33a562e6dd10660f68e8964313536a109aa80acfd8838bf45e73
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-unwanted-proto.metadata
binary
MD5: 34a6b603f674bf4dddf7555094bf444e
SHA256: 30a17f5efa4efdae712c045d8be6249d637afd53444a7a3d8beff366b64815de
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\analytics-track-digest256.vlpset
binary
MD5: 1e1c0442f3fe16b185d5db74f0e91fce
SHA256: 43acc2d047c7988e9073ecf32ac619de0d080c45b061d441d1d671d305bb4f08
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\content-track-digest256.sbstore
binary
MD5: 2be5027a476efb5fe011ae8257e6b428
SHA256: 26d0ef7103dbc0516add2da8029ca43567b98bda1ef8d8e4cda42f09aa9a4b36
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-malware-proto.metadata
binary
MD5: a012e4e6647b50b3bb6f0df6476e36fa
SHA256: da06869d64be977d6ebb196bcf43bacc01e7e895c6886fb0b77d11e3bd53f666
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm
binary
MD5: 83f0223b14d01d3cf154c429d538e1d2
SHA256: a90bd15553bd81f9f8a0074bec3cf1d601abc5db210153b68b1be5088e6bc2ad
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\ads-track-digest256.sbstore
binary
MD5: a03e51212ad01cfe7eb3a87c8ce51744
SHA256: 2328a7569ab3d1e0c8638282e09860c82db28edd1c1be75caad91fc7015e966c
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-badbinurl-proto.metadata
binary
MD5: 0bc8573d39ec55bf08789c68ae88accc
SHA256: 1672cabe6c9cd690eb706ce482867b247763355efdb2dc9473c6e8e3cfa48d02
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-badbinurl-proto.vlpset
binary
MD5: b77ba6ff031432682c04744977c82188
SHA256: 75ba7ad2967d59d6cb17c1c434bf019e664686b14e08afb0d28d68d183423dba
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-phish-proto.metadata
binary
MD5: 97705b8da72a10fabbb4f389ba81ccad
SHA256: 4fa67b0abbf1dc96561ac1c3e69f3ce1b817a8fdffc94ac32262e8d5a7602565
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\mozplugin-block-digest256.vlpset
binary
MD5: fcc9c2c9b611a3264b68ebe180eb4248
SHA256: 6ecd378a537eefe350b45cfa353741383f407d99d776bf23155a7825dc5dd2bc
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpset
binary
MD5: b77ba6ff031432682c04744977c82188
SHA256: 75ba7ad2967d59d6cb17c1c434bf019e664686b14e08afb0d28d68d183423dba
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-phish-proto-1.vlpset
––
MD5:  ––
SHA256:  ––
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache.bin
––
MD5:  ––
SHA256:  ––
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-new.bin
––
MD5:  ––
SHA256:  ––
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-downloadwhite-proto.metadata
binary
MD5: d97b8bda72ea926869fe6f6dc9ec692e
SHA256: 6f22c20964d5a6c282f52bcadd27a1f880de8132c81a9de079405958d0f0fbfb
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpset
binary
MD5: 667c29ee5d360a46dcb89b13c9fb1802
SHA256: aef6e561b71f3511baa5133dac8df5a1f0ee821868f9b71c70d6c42d1371e15a
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpset
binary
MD5: b0272f5cf9f56f11c856155dc5f40be1
SHA256: 74ab81a1929a8806d559a13140947f076caba52bf882364c416ef4d8e9b155f4
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-child.bin
binary
MD5: dbc41f4815336a40b389bc5e8b4c2d97
SHA256: 698543a0e4ee3200ee1893eca36ef79a4f11edc435be0a2cda02f19b9b7cda22
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-downloadwhite-proto-1.vlpset
binary
MD5: b0272f5cf9f56f11c856155dc5f40be1
SHA256: 74ab81a1929a8806d559a13140947f076caba52bf882364c416ef4d8e9b155f4
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-child-new.bin
binary
MD5: dbc41f4815336a40b389bc5e8b4c2d97
SHA256: 698543a0e4ee3200ee1893eca36ef79a4f11edc435be0a2cda02f19b9b7cda22
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-malware-proto-1.vlpset
binary
MD5: f39cbb6f2eda75910a1e9fb89baecc22
SHA256: b8fa8e362434ec772f804afeb021fdf35546e8f06f397766e03b66e59c1a1363
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-malware-proto.vlpset
binary
MD5: f39cbb6f2eda75910a1e9fb89baecc22
SHA256: b8fa8e362434ec772f804afeb021fdf35546e8f06f397766e03b66e59c1a1363
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache.bin
binary
MD5: 1c8bc963d34b4d0acafbce936978861c
SHA256: 16e1e22f4d182985f724bf7579969a7f8de4a7a3c721551b249c9bf093f1ac69
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-unwanted-proto.vlpset
binary
MD5: 667c29ee5d360a46dcb89b13c9fb1802
SHA256: aef6e561b71f3511baa5133dac8df5a1f0ee821868f9b71c70d6c42d1371e15a
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-new.bin
binary
MD5: 1c8bc963d34b4d0acafbce936978861c
SHA256: 16e1e22f4d182985f724bf7579969a7f8de4a7a3c721551b249c9bf093f1ac69
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\broadcast-listeners.json
binary
MD5: 9496f48bef11babdd49ccf2a72ac3b16
SHA256: df14636b6aae0ca3af230cb811871616b34270443cd3676969457e4ed57804b8
2080
firefox.exe
C:\Users\admin\AppData\Local\Temp\Trojan.Bladabindi.zip
compressed
MD5: 434254111fbe2b2a287aed9211375384
SHA256: 8057f113df215814bffa638f50c5b4a45668a8c5399eaa584882b3afdab7d706
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\broadcast-listeners.json.tmp
binary
MD5: 9496f48bef11babdd49ccf2a72ac3b16
SHA256: df14636b6aae0ca3af230cb811871616b34270443cd3676969457e4ed57804b8
2080
firefox.exe
C:\Users\admin\AppData\Local\Temp\mz_etilqs_Tm5vQQjJxAQaBt2
mpg
MD5: 1cd774218ae9955faac7989d67aa7bd0
SHA256: 8b4ec9405f3bd015b052c38e04df34558173b33cfd619f0d941c853e1b4e694e
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore-backups\recovery.jsonlz4
jsonlz4
MD5: 298249d63a24abe0ebbec40f75f10b5b
SHA256: afbb8e71bb9d5f36dbf5ad714de6cf407076d92ec0b8de31f75859c2a9a8b91a
2080
firefox.exe
C:\Users\admin\AppData\Local\Temp\mz_etilqs_GKrle9WI4yPPZ4n
binary
MD5: 83ed280d25dd1408145ea7f7a6a82082
SHA256: af6c596274cac043b0d07fd14c6417848b731221f288b3483853e3c7d9127170
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore-backups\recovery.jsonlz4.tmp
jsonlz4
MD5: 298249d63a24abe0ebbec40f75f10b5b
SHA256: afbb8e71bb9d5f36dbf5ad714de6cf407076d92ec0b8de31f75859c2a9a8b91a
2080
firefox.exe
C:\Users\admin\AppData\Local\Temp\KzXItDna.zip.part
compressed
MD5: 434254111fbe2b2a287aed9211375384
SHA256: 8057f113df215814bffa638f50c5b4a45668a8c5399eaa584882b3afdab7d706
2080
firefox.exe
C:\Users\admin\AppData\Local\Temp\mz_etilqs_ftzda3gUMEsHwuH
binary
MD5: 27416586f15a64651c2c3b159b8ffe29
SHA256: 028bf0ca32ca84d0919918ea5791647c21bed7456a233c58d923adf4abffd074
2080
firefox.exe
C:\Users\admin\AppData\Local\Temp\mz_etilqs_KkLdT0DkNfbnulk
binary
MD5: f93f899aad89130e3e5e572dcb8d61eb
SHA256: 7a93b9945e985b4b11e050e2525f841086c6da6198f2f7aa92027e3f6417705e
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
––
MD5:  ––
SHA256:  ––
2080
firefox.exe
C:\Users\admin\AppData\Local\Temp\mz_etilqs_4KVFDvi1joxQV4y
binary
MD5: ddf9344d9543b28e8479a4acb9c12c2f
SHA256: d8a754f9030bfeccc0c3865325ddc93dee59e326b902a8d6f9963fbcd1f5dd7f
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\addonStartup.json.lz4
jsonlz4
MD5: 01dae35763819ee4c2bd72553b33c337
SHA256: 674e499ccf7e955deffeb21b94c092de0a8ea1dd308c426dcf04bc84dbdfa377
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\addonStartup.json.lz4.tmp
jsonlz4
MD5: 01dae35763819ee4c2bd72553b33c337
SHA256: 674e499ccf7e955deffeb21b94c092de0a8ea1dd308c426dcf04bc84dbdfa377
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\settings\main\ms-language-packs\asrouter.ftl
text
MD5: 3625f1dda6d119478ad89d13950c9aca
SHA256: cb40f6a8d58901d612a86690a41d4e273f24936fc926e98f82c0918cbef4fc64
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\1
binary
MD5: b4ddf33e1dc200be3ffe7ba3a6fd9f3c
SHA256: d148685ce5590081b04dc0014a8f5b074ae16e65c5728afcfde5757896a37550
2080
firefox.exe
C:\Users\admin\AppData\Local\Temp\mz_etilqs_bMfgBJE0v1eX6Ix
binary
MD5: 6576ae8b623130c767712bbd5303a45c
SHA256: fb9350b50214c1b258c2f5eb2621310bf0414ed3c04a41da060dce6f8afd9514
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\settings\main\ms-language-packs\asrouter.ftl.tmp
text
MD5: 3625f1dda6d119478ad89d13950c9aca
SHA256: cb40f6a8d58901d612a86690a41d4e273f24936fc926e98f82c0918cbef4fc64
2080
firefox.exe
C:\Users\admin\AppData\Local\Temp\mz_etilqs_4be8djowaHvL3xa
binary
MD5: 8bd2ed8d172c42a1bb9545ae74559877
SHA256: 53b0c452266abecb7f743975ce0a08b96d77cd51f1a48ce1d8f92a8f7a5cee91
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4
jsonlz4
MD5: b17f8d93b0c43d6b72dc03752c20a2d9
SHA256: ada0f70d374223fb63c2f19471fab45d986a681e2485692e63f00f5071f19d76
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
binary
MD5: b7c14ec6110fa820ca6b65f5aec85911
SHA256: fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm
binary
MD5: b7c14ec6110fa820ca6b65f5aec85911
SHA256: fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp
jsonlz4
MD5: b17f8d93b0c43d6b72dc03752c20a2d9
SHA256: ada0f70d374223fb63c2f19471fab45d986a681e2485692e63f00f5071f19d76
2080
firefox.exe
C:\Users\admin\AppData\Local\Temp\mz_etilqs_K7sxlSJ1PcK9EVQ
binary
MD5: 351821e41ec0086e5ee4b40b74b78c7c
SHA256: 7d0661d8684356385c846b65461f3e45c1f187264bc7c9af978218fca02fc8b8
2080
firefox.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
binary
MD5: b7c14ec6110fa820ca6b65f5aec85911
SHA256: fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin
––
MD5:  ––
SHA256:  ––
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin
binary
MD5: 994a33896bb41a278a315d0d796422b6
SHA256: 54ec50a20fff8cc016710e49437cf6a11d3fe5ee7b28c185e4a9aafee2908b63
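
Almost every record in this listing is Firefox housekeeping written by PID 2080 while the browser fetched the sample: safe-browsing lists, startup caches, IndexedDB files and SQLite temp files under the profile. The artifacts that matter are the ZIP in Temp and its in-progress .part download, which carry the same SHA256 because Firefox renames the .part file when the transfer completes. The script below is an added example, not ANY.RUN tooling: it parses these six-line records, hides the browser noise and groups paths by hash so that relationship is visible at a glance. SAMPLE is a constructed excerpt (paths and hashes copied from this page, selection ours); the noise patterns are our assumption.

```python
import re
from collections import defaultdict

# Constructed excerpt of the listing above: five records copied verbatim, selection ours.
SAMPLE = r"""
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\block-flash-digest256.vlpset
binary
MD5: 130b9ac2beec5ada274561105d81ae36
SHA256: 7d99fec08182a5b95d18d1569edaa2c60c2aafbd15a56d8882f22f3b395e6460
2080
firefox.exe
C:\Users\admin\AppData\Local\Temp\Trojan.Bladabindi.zip
compressed
MD5: 434254111fbe2b2a287aed9211375384
SHA256: 8057f113df215814bffa638f50c5b4a45668a8c5399eaa584882b3afdab7d706
2080
firefox.exe
C:\Users\admin\AppData\Local\Temp\mz_etilqs_Tm5vQQjJxAQaBt2
mpg
MD5: 1cd774218ae9955faac7989d67aa7bd0
SHA256: 8b4ec9405f3bd015b052c38e04df34558173b33cfd619f0d941c853e1b4e694e
2080
firefox.exe
C:\Users\admin\AppData\Local\Temp\KzXItDna.zip.part
compressed
MD5: 434254111fbe2b2a287aed9211375384
SHA256: 8057f113df215814bffa638f50c5b4a45668a8c5399eaa584882b3afdab7d706
2080
firefox.exe
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache.bin
––
MD5:  ––
SHA256:  ––
"""

HEX = re.compile(r"^[0-9a-fA-F]+$")

# Paths treated as browser housekeeping rather than sample activity (our assumption).
NOISE_PATTERNS = (
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\", re.IGNORECASE),  # profile churn: safe-browsing, caches, IndexedDB
    re.compile(r"\\Temp\\mz_etilqs_", re.IGNORECASE),              # SQLite temp files ('etilqs' is 'sqlite' reversed)
)


def _hash_or_none(field, expected_len):
    """'MD5: <hex>' -> hex string; the report prints '––' when it captured no hash."""
    value = field.split(":", 1)[1].strip()
    if len(value) == expected_len and HEX.match(value):
        return value.lower()
    return None


def parse_file_records(text):
    """Parse PID / process / path / type / MD5 / SHA256 six-line groups into dicts."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    records, i = [], 0
    while i + 6 <= len(lines):
        pid, proc, path, ftype, md5, sha = lines[i:i + 6]
        # Resync on anything that is not a well-formed record (a stray header, a cut-off group).
        if not (pid.isdigit() and md5.startswith("MD5:") and sha.startswith("SHA256:")):
            i += 1
            continue
        records.append({
            "pid": int(pid), "process": proc, "path": path, "type": ftype,
            "md5": _hash_or_none(md5, 32), "sha256": _hash_or_none(sha, 64),
        })
        i += 6
    return records


def is_browser_noise(path):
    return any(p.search(path) for p in NOISE_PATTERNS)


def group_by_sha256(records):
    """sha256 -> list of paths, ignoring records without a captured hash."""
    groups = defaultdict(list)
    for rec in records:
        if rec["sha256"]:
            groups[rec["sha256"]].append(rec["path"])
    return dict(groups)


def triage(text):
    """Return (records outside the browser noise, hashes seen under more than one path)."""
    records = parse_file_records(text)
    interesting = [rec for rec in records if not is_browser_noise(rec["path"])]
    duplicates = {h: paths for h, paths in group_by_sha256(records).items() if len(paths) > 1}
    return interesting, duplicates


if __name__ == "__main__":
    interesting, duplicates = triage(SAMPLE)
    for rec in interesting:
        print(f"{rec['pid']} {rec['process']} {rec['type']:<10} {rec['sha256']} {rec['path']}")
    for digest, paths in duplicates.items():
        print(f"\n{digest} written under {len(paths)} names:")
        for path in paths:
            print("   ", path)
```

Run against the full listing, the duplicate map collapses the .part and the final ZIP into one SHA256, which is what you submit for a hash lookup; the noise filter is deliberately narrow so that anything the sample itself drops outside the Firefox profile still surfaces.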

Find more information about the static content and download it at the full report

Network activity

HTTP(S) requests
8
TCP/UDP connections
32
DNS requests
65
Threats
3

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2080 firefox.exe GET 200 34.107.221.82:80 http://detectportal.firefox.com/success.txt US text –– shared
2080 firefox.exe GET 200 34.107.221.82:80 http://detectportal.firefox.com/success.txt?ipv4 US text –– shared
2080 firefox.exe POST 200 142.250.185.99:80 http://ocsp.pki.goog/gts1c3 US binary/der –– shared
2080 firefox.exe POST 200 93.184.220.29:80 http://ocsp.digicert.com/ US binary/der –– shared
2080 firefox.exe POST 200 93.184.220.29:80 http://ocsp.digicert.com/ US binary/der –– shared
2080 firefox.exe POST 200 93.184.220.29:80 http://ocsp.digicert.com/ US binary/der –– shared
2080 firefox.exe POST 200 142.250.185.99:80 http://ocsp.pki.goog/gts1c3 US binary/der –– shared
2080 firefox.exe POST 200 93.184.220.29:80 http://ocsp.digicert.com/ US binary/der –– shared

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
2080 firefox.exe 34.107.221.82:80 US whitelisted
2080 firefox.exe 52.26.7.9:443 Amazon.com, Inc. US unknown
2080 firefox.exe 143.204.98.33:443 US suspicious
2080 firefox.exe 142.250.186.138:443 Google Inc. US whitelisted
2080 firefox.exe 44.238.202.79:443 University of California, San Diego US unknown
2080 firefox.exe 142.250.185.99:80 Google Inc. US whitelisted
2080 firefox.exe 143.204.98.120:443 US suspicious
2080 firefox.exe 140.82.121.3:443 US suspicious
2080 firefox.exe 185.199.109.133:443 GitHub, Inc. NL malicious
2080 firefox.exe 143.204.98.108:443 US whitelisted
2080 firefox.exe 143.204.98.70:443 US suspicious
2080 firefox.exe 142.250.185.206:443 Google Inc. US whitelisted
2080 firefox.exe 54.190.2.244:443 Amazon.com, Inc. US unknown
2080 firefox.exe 93.184.220.29:80 MCI Communications Services, Inc. d/b/a Verizon Business US whitelisted
2080 firefox.exe 143.204.98.115:443 US suspicious
2080 firefox.exe 143.204.98.4:443 US unknown

DNS requests

Domain IP Reputation
detectportal.firefox.com 34.107.221.82 shared
prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 2600:1901:0:38d7:: shared
ipv4only.arpa 192.0.0.171, 192.0.0.170 whitelisted
github.com 140.82.121.3 shared
firefox.settings.services.mozilla.com 143.204.98.23, 143.204.98.33, 143.204.98.76, 143.204.98.29 shared
location.services.mozilla.com 216.58.212.174, 142.250.74.206, 142.250.186.46, 142.250.186.78, 142.250.186.110, 142.250.186.142, 142.250.186.174, 142.250.184.206, 142.250.184.238, 216.58.212.142, 142.250.185.78, 142.250.185.110, 142.250.185.142, 142.250.185.174, 142.250.185.206, 142.250.185.238 shared
example.org 93.184.216.34 shared
cs9.wac.phicdn.net 93.184.220.29 shared
locprod2-elb-us-west-2.prod.mozaws.net 35.163.137.0, 52.26.7.9, 35.163.35.154, 52.42.77.140, 52.11.104.45, 52.89.115.53 shared
ocsp.digicert.com 93.184.220.29 shared
content-signature-2.cdn.mozilla.net 143.204.98.120, 143.204.98.118, 143.204.98.36, 143.204.98.30 shared
d2nxq2uap88usk.cloudfront.net 2600:9000:2156:9a00:a:da5e:7900:93a1, 2600:9000:2156:1200:a:da5e:7900:93a1, 2600:9000:2156:d400:a:da5e:7900:93a1, 2600:9000:2156:c00:a:da5e:7900:93a1, 2600:9000:2156:7200:a:da5e:7900:93a1, 2600:9000:2156:7000:a:da5e:7900:93a1, 2600:9000:2156:8000:a:da5e:7900:93a1, 2600:9000:2156:4c00:a:da5e:7900:93a1, 143.204.98.30, 143.204.98.120, 143.204.98.118, 143.204.98.36 shared
safebrowsing.googleapis.com 142.250.186.138, 2a00:1450:4001:82a::200a shared
autopush.prod.mozaws.net 44.238.202.79 whitelisted
push.services.mozilla.com 44.238.202.79 shared
ocsp.pki.goog 142.250.185.99 shared
pki-goog.l.google.com 2a00:1450:4001:80f::2003, 142.250.185.99 whitelisted
firefox-settings-attachments.cdn.mozilla.net 143.204.98.108, 143.204.98.64, 143.204.98.4, 143.204.98.122 shared
fennec-catalog-cdn.prod.mozaws.net 143.204.98.122, 143.204.98.108, 143.204.98.64, 143.204.98.4 shared
snippets.cdn.mozilla.net 143.204.98.70, 143.204.98.72, 143.204.98.12, 143.204.98.74 shared
d228z91au11ukj.cloudfront.net 143.204.98.74, 143.204.98.70, 143.204.98.72, 143.204.98.12 whitelisted
raw.githubusercontent.com 185.199.109.133, 185.199.110.133, 185.199.108.133, 185.199.111.133 shared
www.facebook.com 185.60.216.35 shared
www.youtube.com No response shared
www.ebay.de 2.18.234.244 shared
www.wikipedia.org 91.198.174.192 shared
star-mini.c10r.facebook.com 185.60.216.35, 2a03:2880:f12d:83:face:b00c:0:25de whitelisted
dyna.wikimedia.org 91.198.174.192, 2620:0:862:ed1a::1 shared
www.reddit.com 151.101.1.140, 151.101.65.140, 151.101.129.140, 151.101.193.140 whitelisted
reddit.map.fastly.net 151.101.193.140, 151.101.129.140, 151.101.65.140, 151.101.1.140 whitelisted
e11847.a.akamaiedge.net 2.18.234.244 whitelisted
youtube-ui.l.google.com 2a00:1450:4001:802::200e, 2a00:1450:4001:803::200e, 2a00:1450:4001:827::200e, 2a00:1450:4001:828::200e, 142.250.185.238, 142.250.185.206, 142.250.185.174, 142.250.185.142, 142.250.185.110, 142.250.185.78, 216.58.212.142, 142.250.184.238, 142.250.184.206, 142.250.186.174, 142.250.186.142, 142.250.186.110, 142.250.186.78, 142.250.186.46, 142.250.74.206, 216.58.212.174 whitelisted
sb-ssl.google.com 142.250.185.206 whitelisted
sb-ssl.l.google.com 2a00:1450:4001:812::200e, 142.250.185.206 whitelisted
shavar.services.mozilla.com 54.190.2.244, 34.216.66.163, 34.217.152.155, 52.89.81.52, 34.213.195.39, 34.211.175.209 shared
shavar.prod.mozaws.net 34.211.175.209, 54.190.2.244, 34.216.66.163, 34.217.152.155, 52.89.81.52, 34.213.195.39 shared
tracking-protection.cdn.mozilla.net 143.204.98.115, 143.204.98.23, 143.204.98.4, 143.204.98.40 shared
d1zkz3k4cclnv6.cloudfront.net 143.204.98.40, 143.204.98.115, 143.204.98.23, 143.204.98.4 shared
soa7.zapto.org No response malicious

Threats

PID Process Class Message
2080 firefox.exe Potentially Bad Traffic ET INFO Terse Request for .txt - Likely Hostile
2080 firefox.exe Potentially Bad Traffic ET INFO Terse Request for .txt - Likely Hostile
–– –– Potentially Bad Traffic ET POLICY DNS Query to DynDNS Domain *.zapto .org
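
Two of the three alerts are the same ET INFO signature firing on firefox.exe, and the only .txt requests in the HTTP table are the detectportal.firefox.com/success.txt probes Firefox makes for captive-portal detection, so those two are signature noise rather than sample behaviour. The third alert is the query for soa7.zapto.org: no PID is attributed, the name got no response, and it is the one entry marked malicious. A dynamic-DNS hostname is the indicator here worth pivoting on; njRAT builds are routinely configured with such hostnames for C2. The script below is an added example, not part of the ANY.RUN report: it encodes that triage over rows copied from the tables above. The dynamic-DNS zone list and the captive-portal host set are our assumptions (zapto.org is the only zone the page names).

```python
from urllib.parse import urlsplit

# Rows copied from the 'HTTP requests', 'DNS requests' and 'Threats' tables above.
HTTP_ROWS = [
    (2080, "firefox.exe", "GET", 200, "http://detectportal.firefox.com/success.txt"),
    (2080, "firefox.exe", "GET", 200, "http://detectportal.firefox.com/success.txt?ipv4"),
    (2080, "firefox.exe", "POST", 200, "http://ocsp.pki.goog/gts1c3"),
    (2080, "firefox.exe", "POST", 200, "http://ocsp.digicert.com/"),
]
DNS_ROWS = [
    ("raw.githubusercontent.com", ["185.199.109.133", "185.199.110.133"], "shared"),
    ("github.com", ["140.82.121.3"], "shared"),
    ("soa7.zapto.org", [], "malicious"),  # 'No response' in the report
]
THREATS = [
    (2080, "firefox.exe", "ET INFO Terse Request for .txt - Likely Hostile"),
    (2080, "firefox.exe", "ET INFO Terse Request for .txt - Likely Hostile"),
    (None, None, "ET POLICY DNS Query to DynDNS Domain *.zapto .org"),
]

# Assumed, deliberately short list of dynamic-DNS zones; extend it from your own intel.
DYNDNS_SUFFIXES = ("zapto.org", "no-ip.org", "no-ip.biz", "hopto.org", "ddns.net", "sytes.net", "duckdns.org")
# Hosts whose .txt fetches are connectivity probes, not downloads (assumed set, one entry from this report).
CAPTIVE_PORTAL_PROBES = {"detectportal.firefox.com"}


def dyndns_suffix(domain):
    """Return the dynamic-DNS zone a hostname falls under, or None (exact zone or a subdomain of it)."""
    name = domain.lower().rstrip(".")
    for suffix in DYNDNS_SUFFIXES:
        if name == suffix or name.endswith("." + suffix):
            return suffix
    return None


def _txt_requests(http_rows):
    """Yield (host, url) for every request whose path ends in .txt, query string ignored."""
    for _pid, _proc, _method, _code, url in http_rows:
        parts = urlsplit(url)
        if parts.path.lower().endswith(".txt"):
            yield parts.hostname, url


def triage_threats(threats, http_rows, dns_rows):
    """Map each alert to its supporting rows and a verdict: 'benign', 'pivot' or 'review'."""
    findings = []
    txt_requests = list(_txt_requests(http_rows))
    txt_seen = 0
    for pid, _proc, message in threats:
        if "Terse Request for .txt" in message:
            # The signature fires once per request, so pair the n-th alert with the n-th .txt request.
            if txt_seen < len(txt_requests):
                host, url = txt_requests[txt_seen]
                txt_seen += 1
                verdict = "benign" if host in CAPTIVE_PORTAL_PROBES else "review"
                findings.append({"rule": message, "pid": pid, "evidence": url, "verdict": verdict})
            else:
                findings.append({"rule": message, "pid": pid, "evidence": None, "verdict": "review"})
        elif "DynDNS" in message:
            for domain, ips, reputation in dns_rows:
                if dyndns_suffix(domain):
                    # No PID is attributed in the report, so the querying process is unknown;
                    # the hostname itself is the indicator to pivot on.
                    findings.append({
                        "rule": message, "pid": pid,
                        "evidence": f"{domain} -> {ips or 'no response'} ({reputation})",
                        "verdict": "pivot",
                    })
        else:
            findings.append({"rule": message, "pid": pid, "evidence": None, "verdict": "review"})
    return findings


if __name__ == "__main__":
    for finding in triage_threats(THREATS, HTTP_ROWS, DNS_ROWS):
        print(f"{finding['verdict']:<7} {finding['rule']}\n        {finding['evidence']}")
```

The ordering heuristic for the .txt alerts is only as good as the table order; on a PCAP you would pair alerts with flows by timestamp and 5-tuple instead. Note also that every PID-attributed row in this report belongs to firefox.exe, so the network section documents the download of the sample from GitHub, not the RAT's own traffic; the zapto.org query is the only line that points past the browser.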

Debug output strings

No debug info.