Malware analysis https://QO52MMO.filesusr.com/html/1d18f6_ce0791845a37d60cbdcb64934ad6b66d.html?test@test.es Malicious activity

Add for printing

URL:	https://QO52MMO.filesusr.com/html/1d18f6_ce0791845a37d60cbdcb64934ad6b66d.html?test@test.es
Full analysis:	https://app.any.run/tasks/4a91937f-234d-48ec-b94a-ee66ac6bcd13
Verdict:	Malicious activity
Analysis date:	April 06, 2026, 15:12:44
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MD5:	47D1E664A0CA437096A6E4015A77E226
SHA1:	E907A2707923B77CF890298AA1F4EE824B7AD26E
SHA256:	71FA7C830251727E8F2BAF03C6F45DEEF55984C816F729386C5366ECA5E8E248
SSDEEP:	3:N8aDoo2MOeGGD0PicRumByElHfB5DAaF:2AoHM8G8iVO/UaF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java(TM) SE Development Kit 25.0.2 (64-bit) (25.0.2.0)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Accesses environment variables (SCRIPT)
  - wscript.exe (PID: 6792)
- Uses base64 encoding (SCRIPT)
  - wscript.exe (PID: 6792)
SUSPICIOUS
- Creates file in the systems drive root
  - explorer.exe (PID: 4696)
- Image mount has been detect
  - explorer.exe (PID: 4696)
- Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)
  - wscript.exe (PID: 6792)
- Creates XML DOM element (SCRIPT)
  - wscript.exe (PID: 6792)
- Creates FileSystem object to access computer's file system (SCRIPT)
  - wscript.exe (PID: 6792)
- Sets XML DOM element text (SCRIPT)
  - wscript.exe (PID: 6792)
INFO
- Reads Microsoft Office registry keys
  - explorer.exe (PID: 4696)
- Application launched itself
  - firefox.exe (PID: 7096)
  - firefox.exe (PID: 4316)
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 4696)
- Manual execution by a user
  - wscript.exe (PID: 6792)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

150

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2232

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2392

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -prefsHandle 2012 -prefsLen 36580 -prefMapHandle 2016 -prefMapSize 273045 -ipcHandle 2084 -initialChannelId {5b40ed95-f4ae-4d5b-83e8-81b13124f13d} -parentPid 4316 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4316" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll

2588

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3472 -prefsLen 31384 -prefMapHandle 3468 -prefMapSize 273045 -jsInitHandle 3464 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 3456 -initialChannelId {25bbffae-2235-4f7f-8a8c-3de0be22f3d0} -parentPid 4316 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4316" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140_1.dll

3420

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5100 -prefsLen 45477 -prefMapHandle 5092 -prefMapSize 273045 -jsInitHandle 4748 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 5124 -initialChannelId {01e81d3a-d024-46dc-9727-9ed913de5369} -parentPid 4316 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4316" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp140.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\bcrypt.dll

4136

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -prefsHandle 2244 -prefsLen 36580 -prefMapHandle 2248 -prefMapSize 273045 -ipcHandle 2224 -initialChannelId {7933f447-a8b0-402e-a363-97be041f1fcb} -parentPid 4316 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4316" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\msvcp140.dll

4316

"C:\Program Files\Mozilla Firefox\firefox.exe" https://QO52MMO.filesusr.com/html/1d18f6_ce0791845a37d60cbdcb64934ad6b66d.html?test@test.es

C:\Program Files\Mozilla Firefox\firefox.exe

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

4696

C:\WINDOWS\Explorer.EXE

C:\Windows\explorer.exe

—

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\twinapi.dll
c:\windows\system32\oleaut32.dll

6180

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -sandboxingKind 0 -prefsHandle 4884 -prefsLen 45425 -prefMapHandle 4888 -prefMapSize 273045 -ipcHandle 4848 -initialChannelId {dd32489e-67e1-4fa9-97d8-7a13cab2d9f8} -parentPid 4316 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4316" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\bcrypt.dll

6672

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3080 -prefsLen 37299 -prefMapHandle 3084 -prefMapSize 273045 -jsInitHandle 3088 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 3096 -initialChannelId {ecb2b494-bc61-49a3-b14e-7aa08e5ab325} -parentPid 4316 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4316" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Version:

136.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

6792

"C:\WINDOWS\System32\WScript.exe" "D:\Manual-OperHLTBokgtOI4G76649_ZHFGV7625.vbs"

C:\Windows\System32\wscript.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft ® Windows Based Script Host

Exit code:

Version:

5.812.10240.16384

Modules

Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

12 914

Read events

12 822

Write events

Delete events

Modification events


(PID) Process:	(4696) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000024031A
Operation:	write	Name:	VirtualDesktop
Value: 100000003030445602603FA5B72DE44882A417B3949BF781
(PID) Process:	(4696) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppBadgeUpdated
Operation:	write	Name:	308046B0AF4A39CB
Value: 40
(PID) Process:	(4696) explorer.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:	write	Name:	NodeSlots
Value: 02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process:	(4696) explorer.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:	write	Name:	MRUListEx
Value: 04000000030000000000000012000000110000000E000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF
(PID) Process:	(4696) explorer.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0
Operation:	write	Name:	MRUListEx
Value: 0400000005000000010000000600000008000000020000000C0000000B0000000A00000009000000070000000000000003000000FFFFFFFF
(PID) Process:	(4696) explorer.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\0\4\0
Operation:	write	Name:	MRUListEx
Value: 010000000000000002000000FFFFFFFF
(PID) Process:	(4696) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar
Operation:	write	Name:	Locked
Value: 1
(PID) Process:	(8792) slui.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:	write	Name:	@%SystemRoot%\System32\sppcomapi.dll,-3200
Value: Software Licensing
(PID) Process:	(4696) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon
Operation:	write	Name:	MinimizedStateTabletModeOff
Value: 0
(PID) Process:	(4696) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon
Operation:	write	Name:	QatItems
Value: 3C7369713A637573746F6D554920786D6C6E733A7369713D22687474703A2F2F736368656D61732E6D6963726F736F66742E636F6D2F77696E646F77732F323030392F726962626F6E2F716174223E3C7369713A726962626F6E206D696E696D697A65643D2266616C7365223E3C7369713A71617420706F736974696F6E3D2230223E3C7369713A736861726564436F6E74726F6C733E3C7369713A636F6E74726F6C206964513D227369713A3136313238222076697369626C653D2266616C73652220617267756D656E743D223022202F3E3C7369713A636F6E74726F6C206964513D227369713A3136313239222076697369626C653D2266616C73652220617267756D656E743D223022202F3E3C7369713A636F6E74726F6C206964513D227369713A3132333532222076697369626C653D2266616C73652220617267756D656E743D223022202F3E3C7369713A636F6E74726F6C206964513D227369713A3132333834222076697369626C653D22747275652220617267756D656E743D223022202F3E3C7369713A636F6E74726F6C206964513D227369713A3132333336222076697369626C653D22747275652220617267756D656E743D223022202F3E3C7369713A636F6E74726F6C206964513D227369713A3132333537222076697369626C653D2266616C73652220617267756D656E743D223022202F3E3C2F7369713A736861726564436F6E74726F6C733E3C2F7369713A7161743E3C2F7369713A726962626F6E3E3C2F7369713A637573746F6D55493E

Add for printing

Executable files

Suspicious files

171

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4316	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin		—
		MD5:—	SHA256:—
4316	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\extensions\trash\addon@example.com.xpi		compressed
		MD5:8D9AFAC42BC67132A3FFB3520C6B57A7	SHA256:116FDE2E4201D9545542FA9DEBC8054B12BBE874240A48BB5AE848B1BCBC2BA0
4316	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\bounce-tracking-protection.sqlite-journal		binary
		MD5:E8817B417BD18F7F0542BC2FFB2D4559	SHA256:DBDA46A10442917543FC45FB9C721E45EC65B8CD48F76C9F8472C96EB5703084
4316	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\places.sqlite-wal		binary
		MD5:17503319D638378F6BBB70872E358AA1	SHA256:0524F986D2FCEA122EBBBAA5BEF2D1CB22C022B9D7E158B44191F82A674445C9
4316	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\activity-stream.contile.json.tmp		text
		MD5:0DCC9C211E3C2B307B9878A294258D3F	SHA256:960B20CE5C1639E4983D673A53398191189FCE34CAED18C4B5C16BB6E78A046B
4316	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
4316	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-child-current.bin		binary
		MD5:73A2E89AF4D3D52D0167E7B3805E20E5	SHA256:AB2871B600E4E7A13DF4552B1172DA5EEA32C9BA8E3D2153F1987FE2B124CFC4
4696	explorer.exe	C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat		text
		MD5:E49C56350AEDF784BFE00E444B879672	SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
4316	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite		—
		MD5:—	SHA256:—
4316	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmp		text
		MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A	SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

129

TCP/UDP connections

DNS requests

103

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4316	firefox.exe	GET	101	34.107.243.93:443	https://push.services.mozilla.com/	US	—	—	whitelisted
4316	firefox.exe	GET	302	188.114.97.3:443	https://dowloand.atlasjet.com.ng/es/?test@test.es	US	—	—	unknown
—	—	GET	200	23.11.41.157:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D	NL	binary	313 b	whitelisted
—	—	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D	US	binary	959 b	whitelisted
4316	firefox.exe	GET	200	151.101.1.91:443	https://firefox.settings.services.mozilla.com/v1/buckets/monitor/collections/changes/changeset?collection=url-parser-default-unknown-schemes-interventions&bucket=main&_expected=0	US	text	274 b	whitelisted
4316	firefox.exe	GET	200	151.101.1.91:443	https://firefox.settings.services.mozilla.com/v1/	US	text	1.20 Kb	whitelisted
4316	firefox.exe	GET	200	151.101.1.91:443	https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/url-parser-default-unknown-schemes-interventions/changeset?_expected=1743513175300&_since=%221726769128879%22	US	text	1.76 Kb	whitelisted
4316	firefox.exe	GET	200	108.138.7.107:443	https://qo52mmo.filesusr.com/html/1d18f6_ce0791845a37d60cbdcb64934ad6b66d.html?test@test.es	US	html	173 b	unknown
4316	firefox.exe	POST	200	151.101.129.91:443	https://spocs.getpocket.com/spocs	US	text	1.16 Kb	whitelisted
4316	firefox.exe	GET	200	151.101.129.91:443	https://contile.services.mozilla.com/v1/tiles	US	text	5.26 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
3352	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5276	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7824	slui.exe	48.192.1.64:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	2.16.204.149:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
—	—	23.11.41.157:80	ocsp.digicert.com	AKAMAI-AMS	NL	whitelisted
—	—	204.79.197.203:80	oneocsp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
4316	firefox.exe	151.101.1.91:443	firefox.settings.services.mozilla.com	FASTLY	US	whitelisted
4316	firefox.exe	108.138.7.107:443	qo52mmo.filesusr.com	AMAZON-02	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 20.73.194.208 4.231.128.59 51.124.78.146	whitelisted
activation-v2.sls.microsoft.com	48.192.1.64	whitelisted
www.bing.com	2.16.204.149 2.16.204.146 2.16.204.145 2.16.204.147 2.16.204.152 2.16.204.155 2.16.204.153 2.16.204.142 2.16.204.151	whitelisted
ocsp.digicert.com	23.11.41.157	whitelisted
google.com	142.251.14.113 142.251.14.139 142.251.14.100 142.251.14.138 142.251.14.101 142.251.14.102	whitelisted
oneocsp.microsoft.com	204.79.197.203	whitelisted
firefox.settings.services.mozilla.com	151.101.1.91 151.101.65.91 151.101.193.91 151.101.129.91	whitelisted
mozilla.map.fastly.net	151.101.1.91 151.101.65.91 151.101.193.91 151.101.129.91 2a04:4e42:400::347 2a04:4e42:600::347 2a04:4e42:200::347 2a04:4e42::347	whitelisted
detectportal.firefox.com	34.107.221.82	whitelisted
qo52mmo.filesusr.com	108.138.7.107 108.138.7.101 108.138.7.47 108.138.7.13	unknown

Threats

PID	Process	Class	Message
2232	svchost.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
2232	svchost.exe	Potentially Bad Traffic	ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
2232	svchost.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
2232	svchost.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
2232	svchost.exe	Potentially Bad Traffic	ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
2232	svchost.exe	Potentially Bad Traffic	ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
3352	svchost.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
4316	firefox.exe	Misc activity	ET INFO ISO File Downloaded
2232	svchost.exe	Potentially Bad Traffic	ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
2232	svchost.exe	Potentially Bad Traffic	ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)

Add for printing

No debug info

General Info

https://QO52MMO.filesusr.com/html/1d18f6_ce0791845a37d60cbdcb64934ad6b66d.html?test@test.es

47D1E664A0CA437096A6E4015A77E226

E907A2707923B77CF890298AA1F4EE824B7AD26E

71FA7C830251727E8F2BAF03C6F45DEEF55984C816F729386C5366ECA5E8E248

3:N8aDoo2MOeGGD0PicRumByElHfB5DAaF:2AoHM8G8iVO/UaF

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Accesses environment variables (SCRIPT)

Uses base64 encoding (SCRIPT)

SUSPICIOUS

Creates file in the systems drive root

Image mount has been detect

Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

Creates XML DOM element (SCRIPT)

Creates FileSystem object to access computer's file system (SCRIPT)

Sets XML DOM element text (SCRIPT)

INFO

Reads Microsoft Office registry keys

Application launched itself

Reads security settings of Internet Explorer

Manual execution by a user

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings