File name:

melt-stealer

Full analysis: https://app.any.run/tasks/ea0e35cd-70cc-4c19-aa20-532f49f278c7
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: November 22, 2025, 01:48:37
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
stealer
evasion
telegram
arch-doc
Indicators:
MIME: text/html
File info: HTML document, ASCII text, with very long lines (4526)
MD5:

D7D46D4BE6336648A016A667DB803727

SHA1:

460FEBEAC110C50A3FC1E63B09C9B10F53BAE541

SHA256:

A934DC7424ECC3D0E20848F36E44D1473B1908761CD41A4021D31F6D91C5EE34

SSDEEP:

6144:9pbfAL95zkdoumWJM66VdJQJLLBnkEVlzoDyWGtbvZJT3CqbMrhryf65NRPaCiel:KkdoumWJM66VdJQJLLBnkEVlzoDyWGtM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • stub.exe (PID: 5580)
    • Steals credentials from Web Browsers

      • stub.exe (PID: 5580)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 8232)
      • stub.exe (PID: 5580)
    • Starts CMD.EXE for commands execution

      • stub.exe (PID: 5580)
    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 7292)
      • cmd.exe (PID: 8196)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7292)
    • Starts application with an unusual extension

      • cmd.exe (PID: 8196)
      • cmd.exe (PID: 7292)
      • cmd.exe (PID: 7944)
    • Checks for external IP

      • svchost.exe (PID: 2276)
      • stub.exe (PID: 5580)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • stub.exe (PID: 5580)
    • Executing commands from a ".bat" file

      • stub.exe (PID: 5580)
    • Reads the date of Windows installation

      • stub.exe (PID: 5580)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 7944)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 7944)
  • INFO

    • Application launched itself

      • firefox.exe (PID: 7628)
      • firefox.exe (PID: 7596)
      • chrome.exe (PID: 9160)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 7364)
    • Reads the computer name

      • stub.exe (PID: 5580)
    • Executable content was dropped or overwritten

      • chrome.exe (PID: 4140)
      • chrome.exe (PID: 9112)
      • WinRAR.exe (PID: 8232)
    • Checks supported languages

      • stub.exe (PID: 5580)
      • chcp.com (PID: 7540)
      • chcp.com (PID: 1552)
      • chcp.com (PID: 7820)
    • Reads Environment values

      • stub.exe (PID: 5580)
    • Reads the machine GUID from the registry

      • stub.exe (PID: 5580)
    • Creates files or folders in the user directory

      • stub.exe (PID: 5580)
    • Create files in a temporary directory

      • stub.exe (PID: 5580)
    • Reads security settings of Internet Explorer

      • OpenWith.exe (PID: 7364)
    • Checks proxy server information

      • stub.exe (PID: 5580)
      • slui.exe (PID: 3028)
    • Changes the display of characters in the console

      • cmd.exe (PID: 8196)
      • cmd.exe (PID: 7292)
      • cmd.exe (PID: 7944)
    • Disables trace logs

      • stub.exe (PID: 5580)
    • Process checks computer location settings

      • stub.exe (PID: 5580)
    • The sample compiled with english language support

      • chrome.exe (PID: 9112)
    • Manual execution by a user

      • chrome.exe (PID: 9160)
      • WinRAR.exe (PID: 8232)
    • Launching a file from the Downloads directory

      • chrome.exe (PID: 9160)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

EXIF

HTML

Title: GitHub - Vorolski/melt-stealer: MeltStealer is a C# data extraction tool that grabs and "steals" files such as passwords, wallets, extensions, files, system information, geolocation, app data, and much more. #stealer #grabber
RoutePattern: /:user_id/:repository
RouteController: files
RouteAction: disambiguate
FetchNonce: v2:a1621068-1437-02cb-3a4c-a622fe6be370
CurrentCatalogServiceHash: f3abb0cc802f3d7b95fc8762b94bdcb13bf39634c40c357301c4aa1d67a256fb
RequestId: 7484:21559F:361C269:2F8B4B8:69210FEB
HtmlSafeNonce: 7d19fef91ba188e4acf86552b4a128d8542a2a820c6a8dc5c821f1ac297a8805
VisitorPayload: eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI3NDg0OjIxNTU5RjozNjFDMjY5OjJGOEI0Qjg6NjkyMTBGRUIiLCJ2aXNpdG9yX2lkIjoiNTQ1Nzk1ODM3NDY3MDkyOTg5OSIsInJlZ2lvbl9lZGdlIjoiZnJhIiwicmVnaW9uX3JlbmRlciI6ImZyYSJ9
VisitorHmac: b8b86526174f55b632e4483fc1445081c66cafa872bef4f9837b59f35aa1de58
HovercardSubjectTag: repository:943025362
GithubKeyboardShortcuts: repository,copilot
GoogleSiteVerification: Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I
OctolyticsUrl: https://collector.github.com/github/collect
AnalyticsLocation: /<user-name>/<repo-name>
UserLogin: -
Viewport: width=device-width
Description: MeltStealer is a C# data extraction tool that grabs and "steals" files such as passwords, wallets, extensions, files, system information, geolocation, app data, and much more. #stealer #grabber - Vorolski/melt-stealer
AppleItunesApp: app-id=1477376905, app-argument=https://github.com/Vorolski/melt-stealer
TwitterImage: https://opengraph.githubassets.com/10f58c8041a8d6a5a3606491d16002bb7fbf9bcb8c6e18f5eb12643f7428befe/Vorolski/melt-stealer
TwitterSite: @github
TwitterCard: summary_large_image
TwitterTitle: GitHub - Vorolski/melt-stealer: MeltStealer is a C# data extraction tool that grabs and "steals" files such as passwords, wallets, extensions, files, system information, geolocation, app data, and much more. #stealer #grabber
TwitterDescription: MeltStealer is a C# data extraction tool that grabs and &amp;quot;steals&amp;quot; files such as passwords, wallets, extensions, files, system information, geolocation, app data, and much more. #st...
Hostname: github.com
ExpectedHostname: github.com
HTTPEquivXPjaxVersion: b1d886fee4ec2f4ece826b29745482a378b4b95c0d4e2945aebfee4e8fda00cb
HTTPEquivXPjaxCspVersion: 21a43568025709b66240454fc92d4f09335a96863f8ab1c46b4a07f6a5b67102
HTTPEquivXPjaxCssVersion: 8487fec39c8c06b815832ce80ebd89387f6b3bac9b5498b820bc97b9a51ed30a
HTTPEquivXPjaxJsVersion: 562170f63ae6110bfc19a830b7b6d50318c7bf302491df08ebab941709937724
TurboCacheControl: no-preview
GoImport: github.com/Vorolski/melt-stealer git https://github.com/Vorolski/melt-stealer.git
OctolyticsDimensionUser_id: 201877235
OctolyticsDimensionUser_login: Vorolski
OctolyticsDimensionRepository_id: 943025362
OctolyticsDimensionRepository_nwo: Vorolski/melt-stealer
OctolyticsDimensionRepository_public:
OctolyticsDimensionRepository_is_fork: -
OctolyticsDimensionRepository_network_root_id: 943025362
OctolyticsDimensionRepository_network_root_nwo: Vorolski/melt-stealer
TurboBodyClasses: logged-out env-production page-responsive
DisableTurbo: -
BrowserStatsUrl: https://api.github.com/_private/browser/stats
BrowserErrorsUrl: https://api.github.com/_private/browser/errors
Release: afd78fb4141fe5c51818e0691059e7dc0ae883bb
UiTarget: full
ThemeColor: #1e2327
ColorScheme: light dark
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
197
Monitored processes
50
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details

Process information

PID
CMD
Path
Indicators
Parent process
1136"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=6584,i,15717607376876835975,2100251385821999286,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=6396 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1552chcp 65001 C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
1576"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4964,i,15717607376876835975,2100251385821999286,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=5976 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
2028"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=6500,i,15717607376876835975,2100251385821999286,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=6516 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
2276C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
3028C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4140"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=5068,i,15717607376876835975,2100251385821999286,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=6132 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
4156"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=5056,i,15717607376876835975,2100251385821999286,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=4828 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
4412"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5228 -prefsLen 45168 -prefMapHandle 5232 -prefMapSize 273045 -jsInitHandle 5236 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 5244 -initialChannelId {abf5c747-69aa-408a-b559-ec5c084f3aa7} -parentPid 7628 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7628" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\msvcp140.dll
5408"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4944 -prefsLen 39120 -prefMapHandle 4948 -prefMapSize 273045 -jsInitHandle 4952 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 4960 -initialChannelId {4552d259-284d-4a47-a828-8abd30675c3e} -parentPid 7628 -crashReporter "\\.\pipe\gecko-crash-server-pipe.7628" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\crypt32.dll
Total events
9 712
Read events
9 677
Write events
35
Delete events
0

Modification events

(PID) Process:(7364) OpenWith.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:@C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\oregres.dll,-205
Value:
Word
(PID) Process:(7364) OpenWith.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:@wmploc.dll,-102
Value:
Windows Media Player
(PID) Process:(8232) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(8232) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(8232) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(8232) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Downloads\melt-stealer-melt-stealer (1).zip
(PID) Process:(8232) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(8232) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(8232) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(8232) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
16
Suspicious files
594
Text files
74
Unknown types
2

Dropped files

PID
Process
Filename
Type
7628firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin
MD5:
SHA256:
7628firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
MD5:
SHA256:
7628firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-child-current.binbinary
MD5:5152D8F49F1AD4219D935611EFE18437
SHA256:9A6E50715E3C49A43E3D622EDE7E37ECF0767342B3039B8B0AE25BBE4FF6F66E
7628firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
7628firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.binbinary
MD5:B30329D7D2CF4258C22F500CBEA218FF
SHA256:C5E20431B116E1DABD383C6855A36E6DAF13E1CC125B83D59EF68B4BCEFB02E6
7628firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.jstext
MD5:440BF4CD1DC53544031BF149F3BA3EFF
SHA256:CCB326F9D45A6362877B311FE0AA7C5F456B02701B13FD57D884D01293EA4A4F
7628firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\places.sqlite-walbinary
MD5:CDE036EB1F7CD9DDB9F9803A0F397C57
SHA256:C0B58B657887A34222F0FA2EEA225FDC2EF8D0CCA84F06F922D03C258ECF49A0
7628firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.jsonbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
7628firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\activity-stream.contile.jsonbinary
MD5:AC17AEBE60685BDEE49806E1372536BF
SHA256:3B1281E6C239D482FB9E10680EDCE948C19B6CE5AC5B2771D73091FDE1A3988C
7628firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\bounce-tracking-protection.sqlite-journalbinary
MD5:4D16DB1E7728EB87467E0811C88C0995
SHA256:75500ADA968FD3DC0D16E99E20F1E76E103DC49416C71ADC9E45E2D258897885
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
42
TCP/UDP connections
134
DNS requests
194
Threats
18

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7628
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
US
text
8 b
whitelisted
7628
firefox.exe
POST
200
104.18.38.233:80
http://ocsp.sectigo.com/
unknown
binary
281 b
whitelisted
7628
firefox.exe
POST
200
104.18.38.233:80
http://ocsp.sectigo.com/
unknown
binary
281 b
whitelisted
7628
firefox.exe
POST
200
104.18.38.233:80
http://ocsp.sectigo.com/
unknown
binary
281 b
whitelisted
7628
firefox.exe
POST
200
104.18.38.233:80
http://ocsp.sectigo.com/
unknown
binary
281 b
whitelisted
7628
firefox.exe
POST
200
104.18.38.233:80
http://ocsp.sectigo.com/
unknown
binary
282 b
whitelisted
7628
firefox.exe
POST
200
104.18.38.233:80
http://ocsp.sectigo.com/
unknown
binary
472 b
whitelisted
7628
firefox.exe
POST
200
142.250.186.35:80
http://o.pki.goog/s/wr3/prs
US
binary
472 b
whitelisted
8912
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl
DE
binary
813 b
whitelisted
7628
firefox.exe
POST
200
142.250.186.35:80
http://o.pki.goog/we2
US
binary
280 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6752
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
5596
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5196
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7088
SearchApp.exe
92.123.104.33:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
7628
firefox.exe
34.160.144.191:443
content-signature-2.cdn.mozilla.net
GOOGLE
US
whitelisted
7628
firefox.exe
34.107.221.82:80
detectportal.firefox.com
GOOGLE
US
whitelisted
7628
firefox.exe
34.36.137.203:443
contile.services.mozilla.com
GOOGLE-CLOUD-PLATFORM
US
whitelisted
7628
firefox.exe
185.199.108.154:443
github.githubassets.com
FASTLY
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.206
whitelisted
www.bing.com
  • 92.123.104.33
  • 92.123.104.63
  • 92.123.104.52
  • 92.123.104.31
  • 92.123.104.34
  • 92.123.104.32
  • 92.123.104.38
  • 92.123.104.62
whitelisted
content-signature-2.cdn.mozilla.net
  • 34.160.144.191
  • 2600:1901:0:92a9::
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
contile.services.mozilla.com
  • 34.36.137.203
whitelisted
spocs.getpocket.com
  • 34.36.137.203
whitelisted
mc.prod.ads.prod.webservices.mozgcp.net
  • 34.36.137.203
whitelisted
example.org
  • 23.215.0.133
  • 23.215.0.132
  • 23.220.75.235
  • 23.220.75.238
whitelisted

Threats

PID
Process
Class
Message
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2276
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
2276
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2276
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
5580
stub.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
Device Retrieving External IP Address Detected
ET INFO External IP Lookup api.ipify.org
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External IP Lookup by HTTP (api .ipify .org)
2276
svchost.exe
Misc activity
SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
5580
stub.exe
Misc activity
ET HUNTING Telegram API Certificate Observed
2276
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
No debug info