URL: https://filebin.net/xczl8swcmjbmvciu

Full analysis: https://app.any.run/tasks/71da6db2-1493-4208-a36f-501b21e8cc25
Verdict: Malicious activity
Threats:

DonutLoader is a versatile, open-source-based in-memory loader that turns .NET assemblies, executables, DLLs, and scripts into position-independent shellcode for execution entirely in RAM. Originally derived from the popular Donut tool, it enables threat actors to bypass traditional antivirus and EDR solutions by avoiding disk writes and injecting payloads directly into legitimate Windows processes.

Analysis date: January 06, 2026, 12:28:33
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: systeminformer, tool, donutloader, loader, qrcode

Indicators:
MD5: BA172D492F48F2322718E1BAEFD9E07E
SHA1: 85B5C819A6032331D0E371B388DC163B689F43C2
SHA256: 64D9FC14BFF9055B0EC1BE61588A90CFEF2C8BFBE56D5143BE8567C5B3431FE1
SSDEEP: 3:N8wLAfZGMR:2PfZz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • DONUTLOADER has been detected (YARA)

      • SymbolGT.exe (PID: 4340)
    • Reads a specific registry key of the VM

      • SymbolGT.exe (PID: 4340)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • systeminformer-3.2.25011-release-setup.exe (PID: 9116)
      • systeminformer-3.2.25011-release-setup.exe (PID: 6852)
      • Scylla_x86.exe (PID: 816)
      • peview.exe (PID: 8244)
      • peview.exe (PID: 1412)
      • peview.exe (PID: 8888)
    • Application launched itself

      • systeminformer-3.2.25011-release-setup.exe (PID: 9116)
    • Process drops legitimate windows executable

      • systeminformer-3.2.25011-release-setup.exe (PID: 6852)
    • Executable content was dropped or overwritten

      • systeminformer-3.2.25011-release-setup.exe (PID: 6852)
      • Scylla_x86.exe (PID: 816)
    • The process creates files with name similar to system file names

      • systeminformer-3.2.25011-release-setup.exe (PID: 6852)
    • Drops a system driver (possible attempt to evade defenses)

      • systeminformer-3.2.25011-release-setup.exe (PID: 6852)
    • There is functionality for taking screenshot (YARA)

      • SymbolGT.exe (PID: 4340)
      • Scylla_x86.exe (PID: 816)
    • Reads the BIOS version

      • SymbolGT.exe (PID: 4340)
    • Detects driver loading without leaving file traces on disk (YARA)

      • SystemInformer.exe (PID: 8432)
    • Reads the date of Windows installation

      • SystemInformer.exe (PID: 8432)
  • INFO

    • Application launched itself

      • firefox.exe (PID: 7556)
      • firefox.exe (PID: 7652)
    • Manual execution by a user

      • WinRAR.exe (PID: 8920)
      • Disastra.exe (PID: 9016)
      • Disastra.exe (PID: 9072)
      • systeminformer-3.2.25011-release-setup.exe (PID: 9116)
      • SymbolGT.exe (PID: 4340)
      • Scylla_x86.exe (PID: 816)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 8920)
      • systeminformer-3.2.25011-release-setup.exe (PID: 6852)
    • Checks supported languages

      • systeminformer-3.2.25011-release-setup.exe (PID: 9116)
      • systeminformer-3.2.25011-release-setup.exe (PID: 6852)
      • SystemInformer.exe (PID: 8432)
      • SymbolGT.exe (PID: 4340)
      • Scylla_x86.exe (PID: 816)
      • TextInputHost.exe (PID: 7336)
      • peview.exe (PID: 8244)
      • peview.exe (PID: 1412)
      • peview.exe (PID: 8888)
      • SystemInformer.exe (PID: 7956)
    • Reads the computer name

      • systeminformer-3.2.25011-release-setup.exe (PID: 9116)
      • systeminformer-3.2.25011-release-setup.exe (PID: 6852)
      • SystemInformer.exe (PID: 8432)
      • SymbolGT.exe (PID: 4340)
      • Scylla_x86.exe (PID: 816)
      • TextInputHost.exe (PID: 7336)
      • peview.exe (PID: 1412)
      • peview.exe (PID: 8244)
      • peview.exe (PID: 8888)
    • SYSTEMINFORMER mutex has been found

      • systeminformer-3.2.25011-release-setup.exe (PID: 9116)
      • systeminformer-3.2.25011-release-setup.exe (PID: 6852)
      • SystemInformer.exe (PID: 8432)
      • peview.exe (PID: 8244)
      • peview.exe (PID: 1412)
      • peview.exe (PID: 8888)
      • SystemInformer.exe (PID: 7956)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 8920)
    • Process checks computer location settings

      • systeminformer-3.2.25011-release-setup.exe (PID: 9116)
      • systeminformer-3.2.25011-release-setup.exe (PID: 6852)
      • SystemInformer.exe (PID: 8432)
    • Creates files in the program directory

      • systeminformer-3.2.25011-release-setup.exe (PID: 6852)
      • SystemInformer.exe (PID: 8432)
    • Creates a software uninstall entry

      • systeminformer-3.2.25011-release-setup.exe (PID: 6852)
    • Reads CPU info

      • SystemInformer.exe (PID: 8432)
      • SystemInformer.exe (PID: 7956)
    • Reads the time zone

      • SystemInformer.exe (PID: 8432)
      • SystemInformer.exe (PID: 7956)
    • Checks proxy server information

      • SystemInformer.exe (PID: 8432)
      • slui.exe (PID: 8732)
      • peview.exe (PID: 8244)
    • Creates files or folders in the user directory

      • SystemInformer.exe (PID: 8432)
      • peview.exe (PID: 1412)
      • peview.exe (PID: 8244)
      • peview.exe (PID: 8888)
    • Reads the machine GUID from the registry

      • SystemInformer.exe (PID: 8432)
      • SymbolGT.exe (PID: 4340)
      • peview.exe (PID: 8244)
      • peview.exe (PID: 1412)
      • peview.exe (PID: 8888)
No Malware configuration.
Total processes: 176
Monitored processes: 27
Malicious processes: 2
Suspicious processes: 2

Behavior graph (process start order): firefox.exe (browser and content processes), winrar.exe, disastra.exe, disastra.exe, systeminformer-3.2.25011-release-setup.exe, systeminformer-3.2.25011-release-setup.exe, systeminformer.exe, symbolgt.exe (#DONUTLOADER), svchost.exe, slui.exe, scylla_x86.exe, textinputhost.exe, peview.exe, peview.exe, peview.exe, systeminformer.exe

Process information

PID 816
CMD: "C:\Users\admin\Downloads\disastra_64_v3\Scylla_x86.exe"
Path: C:\Users\admin\Downloads\disastra_64_v3\Scylla_x86.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Modules (images):
  • c:\users\admin\downloads\disastra_64_v3\scylla_x86.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\user32.dll

PID 1088
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -sandboxingKind 0 -prefsHandle 4668 -prefsLen 45116 -prefMapHandle 4664 -prefMapSize 273045 -ipcHandle 4672 -initialChannelId {95cdb371-1477-47bc-ae39-38fc44506cec} -parentPid 7652 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7652" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 1
Version: 136.0
Modules (images):
  • c:\program files\mozilla firefox\firefox.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\program files\mozilla firefox\mozglue.dll
  • c:\windows\system32\msvcp140.dll
  • c:\windows\system32\vcruntime140_1.dll
  • c:\windows\system32\vcruntime140.dll
  • c:\windows\system32\bcrypt.dll

PID 1412
CMD: "C:\Program Files\SystemInformer\peview.exe" "C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\31532774e8bbbd9c59b5e6d7829d3242\mscorlib.ni.dll"
Path: C:\Program Files\SystemInformer\peview.exe
Parent process: SystemInformer.exe
User: admin
Company: Winsider Seminars & Solutions
Integrity Level: HIGH
Description: Portable Executable Viewer
Exit code: 0
Version: 3.2.25011.2103
Modules (images):
  • c:\program files\systeminformer\peview.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\uxtheme.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\rpcrt4.dll

PID 2292
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\svchost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\kernel.appcore.dll

PID 2612
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3952 -prefsLen 45014 -prefMapHandle 3956 -prefMapSize 273045 -jsInitHandle 3960 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 3968 -initialChannelId {4c13e4fe-770f-49a7-9b4e-b554374974b2} -parentPid 7652 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7652" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 136.0
Modules (images):
  • c:\program files\mozilla firefox\firefox.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\program files\mozilla firefox\mozglue.dll
  • c:\windows\system32\vcruntime140.dll
  • c:\windows\system32\vcruntime140_1.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\msvcp140.dll

PID 4340
CMD: "C:\Users\admin\Downloads\disastra_64_v3\SymbolGT.exe"
Path: C:\Users\admin\Downloads\disastra_64_v3\SymbolGT.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  • c:\users\admin\downloads\disastra_64_v3\symbolgt.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll

PID 6852
CMD: "C:\Users\admin\Downloads\disastra_64_v3\systeminformer-3.2.25011-release-setup.exe" "C:\Users\admin\Downloads\disastra_64_v3\systeminformer-3.2.25011-release-setup.exe"
Path: C:\Users\admin\Downloads\disastra_64_v3\systeminformer-3.2.25011-release-setup.exe
Parent process: systeminformer-3.2.25011-release-setup.exe
User: admin
Company: System Informer
Integrity Level: HIGH
Description: System Informer - Setup
Exit code: 0
Version: 3.2.25011.2103
Modules (images):
  • c:\users\admin\downloads\disastra_64_v3\systeminformer-3.2.25011-release-setup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\ole32.dll

PID 7180
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4860 -prefsLen 39120 -prefMapHandle 4864 -prefMapSize 273045 -jsInitHandle 4868 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 4832 -initialChannelId {586eb9d9-2cf2-4aa8-9b4b-77113b7d7dbe} -parentPid 7652 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7652" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 136.0
Modules (images):
  • c:\program files\mozilla firefox\firefox.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\program files\mozilla firefox\mozglue.dll
  • c:\windows\system32\msvcp140.dll
  • c:\windows\system32\vcruntime140_1.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\crypt32.dll

PID 7284
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4200 -prefsLen 39120 -prefMapHandle 4208 -prefMapSize 273045 -jsInitHandle 4384 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 4836 -initialChannelId {1f92af58-adb9-4ea5-8eb3-a9b9f4b2ad8b} -parentPid 7652 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7652" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 136.0
Modules (images):
  • c:\program files\mozilla firefox\firefox.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\msvcp140.dll
  • c:\windows\system32\vcruntime140.dll
  • c:\program files\mozilla firefox\mozglue.dll
  • c:\windows\system32\vcruntime140_1.dll
  • c:\windows\system32\bcrypt.dll

PID 7292
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5012 -prefsLen 45168 -prefMapHandle 5016 -prefMapSize 273045 -jsInitHandle 5020 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 4892 -initialChannelId {e8fc99b9-2dd6-45d1-8dc8-a10c488728ba} -parentPid 7652 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7652" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 136.0
Modules (images):
  • c:\program files\mozilla firefox\firefox.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\program files\mozilla firefox\mozglue.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\crypt32.dll
  • c:\windows\system32\vcruntime140.dll
  • c:\windows\system32\vcruntime140_1.dll
Total events: 21 239
Read events: 21 109
Write events: 124
Delete events: 6

Modification events (PID process | operation | key | name = value)

8920 WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | name = 120
8920 WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | size = 80
8920 WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | type = 120
8920 WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | mtime = 100
6852 systeminformer-3.2.25011-release-setup.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemInformer | DisplayIcon = C:\Program Files\SystemInformer\systeminformer.exe,0
6852 systeminformer-3.2.25011-release-setup.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemInformer | DisplayName = System Informer
6852 systeminformer-3.2.25011-release-setup.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemInformer | DisplayVersion = 3.2.25011.2103
6852 systeminformer-3.2.25011-release-setup.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemInformer | HelpLink = https://system-informer.com/
6852 systeminformer-3.2.25011-release-setup.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemInformer | InstallLocation = C:\Program Files\SystemInformer\
6852 systeminformer-3.2.25011-release-setup.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemInformer | Publisher = Winsider Seminars & Solutions, Inc.
Executable files: 42
Suspicious files: 247
Text files: 74
Unknown types: 2

Dropped files (PID process | filename | type)

7652 firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin | type not listed
  MD5: not listed; SHA256: not listed
7652 firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite | type not listed
  MD5: not listed; SHA256: not listed
7652 firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmp | text
  MD5: EA8B62857DFDBD3D0BE7D7E4A954EC9A
  SHA256: 792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
7652 firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.js | text
  MD5: 192E0F4992C5799DE792ADF2A1CCEF5B
  SHA256: B6747A64BCF303D8484C7245B5B1521C460D8AE07517CE30A6DDED2A369D9B89
7652 firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json | text
  MD5: EA8B62857DFDBD3D0BE7D7E4A954EC9A
  SHA256: 792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
7652 firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm | binary
  MD5: B7C14EC6110FA820CA6B65F5AEC85911
  SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
7652 firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm | binary
  MD5: B7C14EC6110FA820CA6B65F5AEC85911
  SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
7652 firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm | binary
  MD5: B7C14EC6110FA820CA6B65F5AEC85911
  SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
7652 firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\activity-stream.contile.json | text
  MD5: 52C5C7E03AB223709EF3364092C415E7
  SHA256: 7F51F124F3ABAA548555FC4EC33D690CDA28232F9A09D3F3E4C3AFD4072BB4AE
7652 firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\SiteSecurityServiceState.bin | binary
  MD5: FC9B1D12CDE60DF8FF438421195CDBE3
  SHA256: 441105AAC5B5B5C84BEC7D93C8640F65E6C0EDB760080372B39E9DC1A03F5264
HTTP(S) requests: 117
TCP/UDP connections: 73
DNS requests: 86
Threats: 25

HTTP requests (PID process | method and HTTP code | IP | URL | CN | type, size | reputation)

7652 firefox.exe | GET 101 | 34.107.243.93:443 | https://push.services.mozilla.com/ | CN: unknown | reputation: unknown
7652 firefox.exe | GET 200 | 34.160.144.191:443 | https://content-signature-2.cdn.mozilla.net/g/chains/202402/remote-settings.content-signature.mozilla.org-2025-11-08-08-20-52.chain | CN: unknown | text, 5.18 Kb | reputation: unknown
7652 firefox.exe | GET 200 | 34.160.144.191:443 | https://content-signature-2.cdn.mozilla.net/g/chains/202402/remote-settings.content-signature.mozilla.org-2025-11-08-08-20-52.chain | CN: unknown | text, 5.18 Kb | reputation: unknown
7652 firefox.exe | POST 200 | 142.250.184.227:80 | http://o.pki.goog/s/wr3/peI | CN: unknown | reputation: whitelisted
7652 firefox.exe | GET 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | CN: unknown | reputation: unknown
7652 firefox.exe | GET 200 | 142.250.184.202:443 | https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSyC7jsptDS3am4tPx4r3nxis7IMjBc5Dovo&$httpMethod=POST&$req=ChUKE25hdmNsaWVudC1hdXRvLWZmb3gaJwgFEAEaGwoNCAUQBhgBIgMwMDEwARC_qR0aAhgJ1PizdiICIAIoARonCAEQARobCg0IARAGGAEiAzAwMTABEL_QEhoCGAlhzooJIgIgAigBGicIAxABGhsKDQgDEAYYASIDMDAxMAEQ1MgSGgIYCW_RUOoiAiACKAEaJwgHEAEaGwoNCAcQBhgBIgMwMDEwARDa5xIaAhgJ4NXYEyICIAIoARolCAkQARoZCg0ICRAGGAEiAzAwMTABECMaAhgJi9M7nSICIAIoAQ== | CN: unknown | binary, 128 Kb | reputation: whitelisted
7652 firefox.exe | GET 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | CN: unknown | reputation: unknown
7652 firefox.exe | POST 200 | 142.250.184.227:80 | http://o.pki.goog/s/wr3/dcM | CN: unknown | reputation: whitelisted
7652 firefox.exe | POST 200 | 142.250.184.227:80 | http://o.pki.goog/s/wr3/dcM | CN: unknown | reputation: whitelisted
5020 svchost.exe | GET 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | CN: unknown | reputation: whitelisted

Connections (PID process | IP | domain | ASN | CN | reputation)

4 System | 192.168.100.255:137 | Not routed | whitelisted
1136 svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4472 RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 System | 192.168.100.255:138 | Not routed | whitelisted
7652 firefox.exe | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | GOOGLE-CLOUD-PLATFORM | US | whitelisted
7652 firefox.exe | 88.99.137.18:443 | filebin.net | HETZNER-AS | DE | suspicious
7652 firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | GOOGLE-CLOUD-PLATFORM | US | whitelisted
7652 firefox.exe | 34.36.137.203:443 | contile.services.mozilla.com | GOOGLE-CLOUD-PLATFORM | US | whitelisted
7652 firefox.exe | 151.101.193.91:443 | firefox.settings.services.mozilla.com | FASTLY | US | whitelisted

DNS requests (domain | resolved IPs | reputation)

settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59 | whitelisted
google.com | 142.250.186.142 | whitelisted
content-signature-2.cdn.mozilla.net | 34.160.144.191, 2600:1901:0:92a9:: | whitelisted
filebin.net | 88.99.137.18, 2a01:4f8:10a:2156::2 | unknown
detectportal.firefox.com | 34.107.221.82 | whitelisted
prod.detectportal.prod.cloudops.mozgcp.net | 34.107.221.82, 2600:1901:0:38d7:: | whitelisted
contile.services.mozilla.com | 34.36.137.203 | whitelisted
spocs.getpocket.com | 34.36.137.203 | whitelisted
mc.prod.ads.prod.webservices.mozgcp.net | 34.36.137.203 | whitelisted
example.org | 104.18.3.24, 104.18.2.24 | whitelisted

Threats (PID process | class | message)

2292 svchost.exe | Misc activity | ET FILE_SHARING Observed DNS Query to Abused File Sharing Domain in DNS Lookup (filebin .net)
2292 svchost.exe | Misc activity | ET FILE_SHARING Observed DNS Query to Abused File Sharing Domain in DNS Lookup (filebin .net)
7652 firefox.exe | Misc activity | ET INFO Observed Abused File Sharing Domain in TLS SNI (filebin .net)
2292 svchost.exe | Misc activity | ET FILE_SHARING Observed DNS Query to Abused File Sharing Domain in DNS Lookup (filebin .net)
7652 firefox.exe | Misc activity | ET INFO Observed Abused File Sharing Domain in TLS SNI (filebin .net)
7652 firefox.exe | Misc activity | ET INFO Observed Abused File Sharing Domain in TLS SNI (filebin .net)
7652 firefox.exe | Misc activity | ET INFO Observed Abused File Sharing Domain in TLS SNI (filebin .net)
7652 firefox.exe | Misc activity | ET INFO Observed Abused File Sharing Domain in TLS SNI (filebin .net)
7652 firefox.exe | Misc activity | ET INFO Observed Abused File Sharing Domain in TLS SNI (filebin .net)
7652 firefox.exe | Misc activity | ET INFO Observed Abused File Sharing Domain in TLS SNI (filebin .net)
No debug info