URL: https://www.mediafire.com/download/p0nvqc3ptfvq16u/Trillium_Security_MultiSploit_Tool_v6.5.21_Full.rar

Full analysis: https://app.any.run/tasks/232dde81-d805-4f98-938d-8f06c8b26f0c
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is open-source malware, with its code available on GitHub and regularly receiving updates. The Blank Grabber builder's simple interface lets even threat actors with basic skills deploy it and conduct attacks.

Analysis date: April 27, 2025, 13:36:24
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
miner
blind-copy
xmrig
winring0x64-sys
vuln-driver
attachments
attc-unc
susp-attachments
arch-doc
blankgrabber
stealer
telegram
evasion
Indicators:
MD5: 80BF55C4D83EB3D4CA88244671E1F33D
SHA1: CD5A4BE61AEF2713B331850C3319CA235140930F
SHA256: 4C6BD12D36630DC7CD60E74B48A49BF9F558CEA7A490E53D3E0A75E1CF4A762E
SSDEEP: 3:N8DSLw3eGWKLnSlY72A8RoQfTpkoNLX+n:2OLw3eGND2rTpkUan

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • XMRig has been detected

      • OmegaEngine.exe (PID: 6768)
    • MINER has been detected (SURICATA)

      • svchost.exe (PID: 2196)
      • OmegaEngine.exe (PID: 6768)
    • Vulnerable driver has been detected

      • InstallUtil.exe (PID: 968)
    • Connects to the CnC server

      • OmegaEngine.exe (PID: 6768)
    • XMRIG has been detected (YARA)

      • InstallUtil.exe (PID: 968)
      • OmegaEngine.exe (PID: 6768)
    • Executing a file with an untrusted certificate

      • Built.exe (PID: 4996)
      • Built.exe (PID: 7576)
    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 8632)
    • Adds path to the Windows Defender exclusion list

      • Built.exe (PID: 7576)
      • cmd.exe (PID: 7464)
      • cmd.exe (PID: 7868)
    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 2420)
    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 8632)
    • Changes Windows Defender settings

      • cmd.exe (PID: 2420)
      • cmd.exe (PID: 7464)
      • cmd.exe (PID: 7868)
    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 8632)
    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 8632)
    • Changes settings for real-time protection

      • powershell.exe (PID: 8632)
    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 8632)
    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 8632)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 8564)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3332)
    • Resets Windows Defender malware definitions to the base version

      • MpCmdRun.exe (PID: 5156)
    • BLANKGRABBER has been detected (SURICATA)

      • Built.exe (PID: 7576)
  • SUSPICIOUS

    • Process drops python dynamic module

      • WinRAR.exe (PID: 6044)
      • Built.exe (PID: 4996)
      • conhost.exe (PID: 2100)
    • Process drops legitimate windows executable

      • InstallUtil.exe (PID: 968)
      • crack.exe (PID: 456)
      • Built.exe (PID: 4996)
      • conhost.exe (PID: 2100)
      • Built.exe (PID: 7576)
      • WinRAR.exe (PID: 6044)
    • Executable content was dropped or overwritten

      • InstallUtil.exe (PID: 968)
      • conhost.exe (PID: 900)
      • crack.exe (PID: 456)
      • Built.exe (PID: 4996)
      • conhost.exe (PID: 2100)
      • Built.exe (PID: 7576)
      • csc.exe (PID: 8820)
    • Drops a system driver (possible attempt to evade defenses)

      • InstallUtil.exe (PID: 968)
    • Crypto Currency Mining Activity Detected

      • svchost.exe (PID: 2196)
    • Potential Corporate Privacy Violation

      • OmegaEngine.exe (PID: 6768)
    • The process drops C-runtime libraries

      • conhost.exe (PID: 2100)
      • Built.exe (PID: 4996)
    • Starts a Microsoft application from unusual location

      • Built.exe (PID: 4996)
      • Built.exe (PID: 7576)
    • Executes application which crashes

      • svchost.exe (PID: 3888)
    • Starts CMD.EXE for commands execution

      • Built.exe (PID: 7576)
    • Found strings related to reading or modifying Windows Defender settings

      • Built.exe (PID: 7576)
    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 2420)
    • Application launched itself

      • Built.exe (PID: 4996)
    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 2420)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2420)
      • cmd.exe (PID: 7464)
      • cmd.exe (PID: 7868)
      • cmd.exe (PID: 8488)
      • cmd.exe (PID: 8564)
      • cmd.exe (PID: 2344)
      • cmd.exe (PID: 8708)
      • cmd.exe (PID: 4976)
      • cmd.exe (PID: 5360)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 7464)
      • cmd.exe (PID: 7868)
    • Get information on the list of running processes

      • cmd.exe (PID: 8032)
      • cmd.exe (PID: 1180)
      • cmd.exe (PID: 8440)
      • Built.exe (PID: 7576)
    • Starts application with an unusual extension

      • cmd.exe (PID: 8476)
      • cmd.exe (PID: 4012)
      • cmd.exe (PID: 5188)
      • cmd.exe (PID: 8552)
      • cmd.exe (PID: 4628)
      • cmd.exe (PID: 8196)
    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 8360)
    • Base64-obfuscated command line is found

      • cmd.exe (PID: 8564)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 8064)
      • cmd.exe (PID: 7448)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 8564)
    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 8564)
    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 8432)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 8820)
    • The executable file from the user directory is run by the CMD process

      • rar.exe (PID: 4324)
    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 2476)
    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 9020)
    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 1164)
    • Checks for external IP

      • Built.exe (PID: 7576)
      • svchost.exe (PID: 2196)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Built.exe (PID: 7576)
  • INFO

    • Application launched itself

      • firefox.exe (PID: 1616)
      • firefox.exe (PID: 5512)
    • Manual execution by a user

      • WinRAR.exe (PID: 6044)
      • InstallUtil.exe (PID: 968)
      • conhost.exe (PID: 900)
      • crack.exe (PID: 456)
      • crack.exe (PID: 8756)
      • crack.exe (PID: 5592)
    • Reads the software policy settings

      • slui.exe (PID: 1676)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6044)
    • The sample compiled with japanese language support

      • InstallUtil.exe (PID: 968)
    • The sample compiled with german language support

      • WinRAR.exe (PID: 6044)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 6044)
      • InstallUtil.exe (PID: 968)
      • conhost.exe (PID: 2100)
      • Built.exe (PID: 4996)
    • Checks the directory tree

      • tree.com (PID: 7188)
      • tree.com (PID: 5176)
      • tree.com (PID: 8304)
      • tree.com (PID: 540)
      • tree.com (PID: 8300)
      • tree.com (PID: 2568)
    • The Powershell gets current clipboard

      • powershell.exe (PID: 7212)
    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 2392)
No Malware configuration.
No data.
Total processes: 261
Monitored processes: 123
Malicious processes: 10
Suspicious processes: 4

Behavior graph

(Interactive graph, available only in the full report.) Flagged nodes: svchost.exe (#MINER), installutil.exe (#XMRIG), omegaengine.exe (#MINER), built.exe (#BLANKGRABBER). Nodes shown with details: slui.exe, winrar.exe, conhost.exe, crack.exe, built.exe, svchost.exe, csc.exe. The remaining nodes (firefox.exe, rundll32.exe, sppextcomobj.exe, werfault.exe, cmd.exe, conhost.exe, powershell.exe, tasklist.exe, tree.com, wmic.exe, systeminfo.exe, netsh.exe, tiworker.exe, cvtres.exe, mpcmdrun.exe, getmac.exe, rar.exe) are listed with no specs.

Process information

PID | CMD | Path | Indicators | Parent process
PID: 232 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 456 | CMD: "C:\Users\admin\Desktop\Trillium_Security_MultiSploit_Tool_v6.5.21_Full\Trillium Security MultiSploit Tool v6.5.21 Full\crack.exe" | Path: C:\Users\admin\Desktop\Trillium_Security_MultiSploit_Tool_v6.5.21_Full\Trillium Security MultiSploit Tool v6.5.21 Full\crack.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\trillium_security_multisploit_tool_v6.5.21_full\trillium security multisploit tool v6.5.21 full\crack.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 540 | CMD: tree /A /F | Path: C:\Windows\System32\tree.com | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Tree Walk Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tree.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 900 | CMD: "C:\Users\admin\Desktop\Trillium_Security_MultiSploit_Tool_v6.5.21_Full\Trillium Security MultiSploit Tool v6.5.21 Full\conhost.exe" | Path: C:\Users\admin\Desktop\Trillium_Security_MultiSploit_Tool_v6.5.21_Full\Trillium Security MultiSploit Tool v6.5.21 Full\conhost.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
bilal
Exit code:
4294967295
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\trillium_security_multisploit_tool_v6.5.21_full\trillium security multisploit tool v6.5.21 full\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 968 | CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
.NET Framework installation utility
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\installutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 980 | CMD: C:\WINDOWS\system32\cmd.exe /c "C:\Users\admin\AppData\Local\Temp\_MEI49962\rar.exe a -r -hp"@adrik123@" "C:\Users\admin\AppData\Local\Temp\I7dLK.zip" *" | Path: C:\Windows\System32\cmd.exe | Parent process: Built.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1072 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1164 | CMD: C:\WINDOWS\system32\cmd.exe /c "wmic path win32_VideoController get name" | Path: C:\Windows\System32\cmd.exe | Parent process: Built.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1180 | CMD: C:\WINDOWS\system32\cmd.exe /c "tasklist /FO LIST" | Path: C:\Windows\System32\cmd.exe | Parent process: Built.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1184 | CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1824 -parentBuildID 20240213221259 -prefsHandle 1760 -prefMapHandle 1744 -prefsLen 31031 -prefMapSize 244583 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7463322c-5b24-4ea7-a003-cf95c95a9617} 1616 "\\.\pipe\gecko-crash-server-pipe.1616" 21b967ee710 gpu | Path: C:\Program Files\Mozilla Firefox\firefox.exe | Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
1
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp140.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\crypt32.dll
Total events: 84 625
Read events: 84 579
Write events: 30
Delete events: 16

Modification events

Process: (1616) firefox.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment | Operation: write | Name: C:\Program Files\Mozilla Firefox\firefox.exe | Value: 0
Process: (6044) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath | Operation: delete value | Name: 15 | Value:
Process: (6044) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath | Operation: delete value | Name: 14 | Value:
Process: (6044) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath | Operation: delete value | Name: 13 | Value:
Process: (6044) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath | Operation: delete value | Name: 12 | Value:
Process: (6044) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath | Operation: delete value | Name: 11 | Value:
Process: (6044) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath | Operation: delete value | Name: 10 | Value:
Process: (6044) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath | Operation: delete value | Name: 9 | Value:
Process: (6044) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath | Operation: delete value | Name: 8 | Value:
Process: (6044) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath | Operation: delete value | Name: 7 | Value:
Executable files: 128
Suspicious files: 848
Text files: 3 255
Unknown types: 2

Dropped files

PID | Process | Filename | Type
1616 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin |
MD5:
SHA256:
1616 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.js | text
MD5: 2C99A16AED3906D92FFE3EF1808E2753
SHA256: 08412578CC3BB4922388F8FF8C23962F616B69A1588DA720ADE429129C73C452
1616 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cert9.db-journal | binary
MD5: 662F6843A66584C37E2C5A6F05BC1A89
SHA256: 18CA9668094E81D2854F73E1969D637C2FA564B32AD7F27B4CE4B1F4D32CDC2E
1616 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite |
MD5:
SHA256:
1616 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs.js | text
MD5: 2C99A16AED3906D92FFE3EF1808E2753
SHA256: 08412578CC3BB4922388F8FF8C23962F616B69A1588DA720ADE429129C73C452
1616 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal | binary
MD5: 03E53BD16C83C949D08E33ED3F565D74
SHA256: E7D7F709CB1F8930370C8D7F6528AEC00BC91757D3B4CC02D4E40F0747F9CF58
1616 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\datareporting\glean\db\data.safe.tmp | binary
MD5: 3B156E12141F8CBCE9D60CDCE2077617
SHA256: E6287E44B44ABEA20E1B2E3F415D22B9E5E5FBBC155AD9DADBABA63951B2AF6F
1616 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm | binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
1616 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm | binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
1616 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm | binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
HTTP(S) requests: 75
TCP/UDP connections: 312
DNS requests: 330
Threats: 24

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1616 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | whitelisted
1616 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | whitelisted
GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1616 | firefox.exe | POST | 200 | 184.24.77.57:80 | http://r11.o.lencr.org/ | unknown | whitelisted
1616 | firefox.exe | POST | 200 | 142.250.185.67:80 | http://o.pki.goog/we2 | unknown | whitelisted
1616 | firefox.exe | POST | 200 | 184.24.77.57:80 | http://r11.o.lencr.org/ | unknown | whitelisted
1616 | firefox.exe | POST | 200 | 2.16.168.117:80 | http://r10.o.lencr.org/ | unknown | whitelisted
1616 | firefox.exe | POST | 200 | 142.250.185.67:80 | http://o.pki.goog/s/wr3/FIY | unknown | whitelisted
1616 | firefox.exe | POST | 142.250.185.67:80 | http://o.pki.goog/s/we1/sY8 | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
1616 | firefox.exe | 104.17.151.117:443 | www.mediafire.com | CLOUDFLARENET | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
1616 | firefox.exe | 34.36.137.203:443 | contile.services.mozilla.com | whitelisted
1616 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | GOOGLE | US | whitelisted

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 23.216.77.6, 23.216.77.28 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
google.com | 142.250.186.78 | whitelisted
detectportal.firefox.com | 34.107.221.82 | whitelisted
www.mediafire.com | 104.17.151.117, 104.17.150.117 | whitelisted
prod.detectportal.prod.cloudops.mozgcp.net | 34.107.221.82, 2600:1901:0:38d7:: | whitelisted
client.wns.windows.com | 172.211.123.248, 172.211.123.250 | whitelisted
content-signature-2.cdn.mozilla.net | 34.160.144.191 | whitelisted
prod.content-signature-chains.prod.webservices.mozgcp.net | 34.160.144.191, 2600:1901:0:92a9:: | whitelisted
example.org | 23.215.0.133, 96.7.128.186, 96.7.128.192, 23.215.0.132 | whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Potentially Bad Traffic | ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
2196 | svchost.exe | Potentially Bad Traffic | ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
2196 | svchost.exe | Potentially Bad Traffic | ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
2196 | svchost.exe | Potentially Bad Traffic | ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
2196 | svchost.exe | Potentially Bad Traffic | ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
2196 | svchost.exe | Potentially Bad Traffic | ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
2196 | svchost.exe | Potentially Bad Traffic | ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
No debug info