File name:

Firefox.exe

Full analysis: https://app.any.run/tasks/477f8495-8dfd-4462-917a-8ba033ba1c9f
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: May 17, 2026, 15:24:14
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
upx
babylon
rat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

29451405F520AF4FE57A7E459FE1ADE9

SHA1:

3DE90BC9BB396932564AE4A04ED3F70FDA7FFD0F

SHA256:

A17E2F106640E3451AF6FAAB503FBBC88B7AECB4AC091FC8CB1266DEA7F1CDB3

SSDEEP:

12288:hd1HbEyfeRvfQF9y31GVpQdZbePtgwWV6AQSXP9yWvbjgUAovmDGdffff5fdfffE:hd1HbEyfeRvIFA3yQdNe1dzAQ2P9yWvi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • Firefox.exe (PID: 4692)
      • Leon.exe (PID: 1456)
      • Leon.exe (PID: 7224)
      • Leon.exe (PID: 736)

    • BABYLON has been detected (YARA)

      • Leon.exe (PID: 1456)
      • Leon.exe (PID: 7224)

  • SUSPICIOUS

    • Starts itself from another location

      • Firefox.exe (PID: 4692)

    • Executable content was dropped or overwritten

      • Firefox.exe (PID: 4692)

    • Application launched itself

      • Leon.exe (PID: 7224)

  • INFO

    • Checks supported languages

      • Firefox.exe (PID: 4692)
      • Leon.exe (PID: 7224)
      • Leon.exe (PID: 1456)
      • Leon.exe (PID: 736)

    • Launching a file from a Registry key

      • Leon.exe (PID: 7224)
      • Firefox.exe (PID: 4692)
      • Leon.exe (PID: 1456)
      • Leon.exe (PID: 736)

    • Reads the computer name

      • Leon.exe (PID: 7224)
      • Firefox.exe (PID: 4692)
      • Leon.exe (PID: 1456)
      • Leon.exe (PID: 736)

    • Manual execution by a user

      • Leon.exe (PID: 736)

    • UPX packer has been detected

      • Leon.exe (PID: 7224)
      • Leon.exe (PID: 1456)

    • There is functionality for taking screenshot (YARA)

      • Leon.exe (PID: 7224)
      • Leon.exe (PID: 1456)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (76)
.exe | Win32 Executable (generic) (12.6)
.exe | Generic Win/DOS Executable (5.6)
.exe | DOS Executable Generic (5.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:07:31 21:07:17+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 364544
InitializedDataSize: 69632
UninitializedDataSize: 512000
EntryPoint: 0xd60e0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
136
Monitored processes
5
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start firefox.exe #BABYLON leon.exe #BABYLON leon.exe slui.exe leon.exe

Process information

PID
CMD
Path
Indicators
Parent process
736C:\ProgramData\Firefox\Leon.exeC:\ProgramData\Firefox\Leon.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\programdata\firefox\leon.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
1456"C:\ProgramData\Firefox\Leon.exe" 7224C:\ProgramData\Firefox\Leon.exe
Leon.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\programdata\firefox\leon.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
2436C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4692"C:\Users\admin\Desktop\Firefox.exe" C:\Users\admin\Desktop\Firefox.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7224"C:\ProgramData\Firefox\Leon.exe"C:\ProgramData\Firefox\Leon.exe
Firefox.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\programdata\firefox\leon.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
4 388
Read events
4 313
Write events
75
Delete events
0

Modification events

(PID) Process:(4692) Firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:gsx
Value:
C:\ProgramData\Firefox\Leon.exe
(PID) Process:(2436) slui.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:writeName:@%SystemRoot%\System32\sppcomapi.dll,-3200
Value:
Software Licensing
(PID) Process:(1456) Leon.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:gsx
Value:
C:\ProgramData\Firefox\Leon.exe
(PID) Process:(736) Leon.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:gsx
Value:
C:\ProgramData\Firefox\Leon.exe
(PID) Process:(7224) Leon.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:gsx
Value:
C:\ProgramData\Firefox\Leon.exe
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
4692Firefox.exeC:\ProgramData\Firefox\Leon.exeexecutable
MD5:29451405F520AF4FE57A7E459FE1ADE9
SHA256:A17E2F106640E3451AF6FAAB503FBBC88B7AECB4AC091FC8CB1266DEA7F1CDB3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
25
DNS requests
10
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5276
MoUsoCoreWorker.exe
GET
304
48.209.133.15:443
https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30
US
whitelisted
7984
svchost.exe
GET
200
23.216.77.14:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
7984
svchost.exe
GET
200
72.246.29.11:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
5276
MoUsoCoreWorker.exe
GET
200
72.246.29.11:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
2436
slui.exe
POST
500
128.24.231.65:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
US
xml
512 b
whitelisted
3280
svchost.exe
GET
200
23.52.181.212:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl
US
binary
814 b
whitelisted
3280
svchost.exe
GET
200
23.52.181.212:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl
US
binary
400 b
whitelisted
3280
svchost.exe
GET
200
23.52.181.212:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
US
binary
813 b
whitelisted
3280
svchost.exe
GET
200
23.52.181.212:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
US
binary
400 b
whitelisted
3280
svchost.exe
GET
200
23.52.181.212:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl
US
binary
813 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
5276
MoUsoCoreWorker.exe
48.209.133.15:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
8124
slui.exe
128.24.231.64:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7984
svchost.exe
48.209.133.15:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
95.101.23.64:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
7984
svchost.exe
23.216.77.14:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
7224
Leon.exe
188.114.97.3:20000
gsx.uk.com
CLOUDFLARENET
US
whitelisted
7984
svchost.exe
72.246.29.11:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
5276
MoUsoCoreWorker.exe
72.246.29.11:80
www.microsoft.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
activation-v2.sls.microsoft.com
  • 128.24.231.64
whitelisted
www.bing.com
  • 95.101.23.64
  • 95.101.23.66
  • 95.101.23.65
  • 95.101.23.73
  • 95.101.23.80
  • 95.101.23.48
  • 95.101.23.72
  • 95.101.23.74
whitelisted
crl.microsoft.com
  • 23.216.77.14
  • 23.216.77.30
  • 23.216.77.37
  • 23.216.77.21
  • 23.216.77.23
  • 23.216.77.15
  • 2.16.164.88
  • 2.16.164.75
  • 2.16.164.113
whitelisted
google.com
  • 142.251.14.138
  • 142.251.14.101
  • 142.251.14.113
  • 142.251.14.102
  • 142.251.14.139
  • 142.251.14.100
whitelisted
gsx.uk.com
  • 188.114.97.3
  • 188.114.96.3
unknown
www.microsoft.com
  • 72.246.29.11
  • 23.52.181.212
whitelisted
settings-win.data.microsoft.com
  • 48.209.133.15
whitelisted
self.events.data.microsoft.com
  • 13.89.179.14
whitelisted

Threats

PID
Process
Class
Message
5276
MoUsoCoreWorker.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Firefox.exe