File name:

DDNet.exe

Full analysis: https://app.any.run/tasks/457289af-a050-4bfe-a4f5-4fab26533ae9
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks.

Malware Trends Tracker     >>>
Analysis date: January 26, 2025, 15:58:29
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
blankgrabber
evasion
uac
stealer
python
susp-powershell
screenshot
discord
pyinstaller
discordgrabber
generic
growtopia
ims-api
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

2923BFF63883D7459FFA7C651DD4A190

SHA1:

D5C0FF9B01BF6125A98F2D52A4BE92B30F6AAB6A

SHA256:

2060DD6B24545773B5315C844C80C96A87346D36F8D74C85B3BA4D6ED5BB8290

SSDEEP:

98304:ZJ3TdFZS715R//GUPVpYSTDtIPtHfktEzafhOsE+XZ0PJQ1knyuNfqqQVH68DcDh:eSotVrhUx44a+Wz6C/I

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • DDNet.exe (PID: 6592)
      • DDNet.exe (PID: 6624)
      • DDNet.exe (PID: 4980)

    • BlankGrabber has been detected

      • DDNet.exe (PID: 6592)

    • Bypass User Account Control (Modify registry)

      • reg.exe (PID: 6872)

    • GROWTOPIA has been detected (YARA)

      • DDNet.exe (PID: 4980)

    • Adds path to the Windows Defender exclusion list

      • DDNet.exe (PID: 4980)

    • Actions looks like stealing of personal data

      • DDNet.exe (PID: 4980)

    • DISCORDGRABBER has been detected (YARA)

      • DDNet.exe (PID: 4980)

    • Starts CMD.EXE for self-deleting

      • DDNet.exe (PID: 4980)

    • BLANKGRABBER has been detected (SURICATA)

      • DDNet.exe (PID: 4980)

    • Create files in the Startup directory

      • DDNet.exe (PID: 4980)

  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • DDNet.exe (PID: 6592)
      • DDNet.exe (PID: 6624)
      • DDNet.exe (PID: 4980)

    • Process drops legitimate windows executable

      • DDNet.exe (PID: 6592)
      • DDNet.exe (PID: 4980)

    • Process drops python dynamic module

      • DDNet.exe (PID: 6592)

    • The process drops C-runtime libraries

      • DDNet.exe (PID: 6592)

    • Executable content was dropped or overwritten

      • DDNet.exe (PID: 6592)
      • DDNet.exe (PID: 4980)

    • Application launched itself

      • DDNet.exe (PID: 6592)

    • Starts CMD.EXE for commands execution

      • DDNet.exe (PID: 6624)
      • DDNet.exe (PID: 4980)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6712)
      • cmd.exe (PID: 6808)
      • cmd.exe (PID: 4816)

    • Loads Python modules

      • DDNet.exe (PID: 6624)
      • DDNet.exe (PID: 4980)

    • Changes default file association

      • reg.exe (PID: 6872)

    • Found strings related to reading or modifying Windows Defender settings

      • DDNet.exe (PID: 6624)
      • DDNet.exe (PID: 4980)

    • Uses WEVTUTIL.EXE to query events from a log or log file

      • cmd.exe (PID: 6900)
      • cmd.exe (PID: 2324)

    • Get information on the list of running processes

      • DDNet.exe (PID: 4980)

    • Checks for external IP

      • svchost.exe (PID: 2192)
      • DDNet.exe (PID: 4980)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • DDNet.exe (PID: 4980)

  • INFO

    • Reads the computer name

      • DDNet.exe (PID: 6592)
      • DDNet.exe (PID: 4980)

    • The sample compiled with english language support

      • DDNet.exe (PID: 6592)
      • DDNet.exe (PID: 4980)

    • Create files in a temporary directory

      • DDNet.exe (PID: 6592)
      • DDNet.exe (PID: 6624)
      • DDNet.exe (PID: 4980)

    • Checks supported languages

      • DDNet.exe (PID: 6592)
      • DDNet.exe (PID: 6624)
      • DDNet.exe (PID: 4980)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • DDNet.exe (PID: 4980)

    • UPX packer has been detected

      • DDNet.exe (PID: 4980)

    • PyInstaller has been detected (YARA)

      • DDNet.exe (PID: 4980)

    • Creates files in the program directory

      • DDNet.exe (PID: 4980)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(4980) DDNet.exe
Discord-Webhook-Tokens (1)1332727526950309939/eWzmCTl9gQDB5iTLV3_Ur9UNJdyAuAJoeWZCYFoY_Pk3YAQITHs6H5PiYdODhhrgzGcB
Discord-Info-Links
1332727526950309939/eWzmCTl9gQDB5iTLV3_Ur9UNJdyAuAJoeWZCYFoY_Pk3YAQITHs6H5PiYdODhhrgzGcB
Get Webhook Infohttps://discord.com/api/webhooks/1332727526950309939/eWzmCTl9gQDB5iTLV3_Ur9UNJdyAuAJoeWZCYFoY_Pk3YAQITHs6H5PiYdODhhrgzGcB
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:01:26 13:58:45+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.41
CodeSize: 172032
InitializedDataSize: 94208
UninitializedDataSize: -
EntryPoint: 0xce20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.19041.5072
ProductVersionNumber: 10.0.19041.5072
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Microsoft® Block Level Backup Engine Service EXE
FileVersion: 10.0.19041.5072 (WinBuild.160101.0800)
InternalName: wbengine.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: wbengine.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.5072
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
260
Monitored processes
22
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start #BLANKGRABBER ddnet.exe ddnet.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs svchost.exe #BLANKGRABBER ddnet.exe tiworker.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2324C:\WINDOWS\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text"C:\Windows\System32\cmd.exeDDNet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
2928wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:textC:\Windows\System32\wevtutil.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Eventing Command Line Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wevtutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\combase.dll
3772\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4052reg delete hkcu\Software\Classes\ms-settings /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
4504\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4816C:\WINDOWS\system32\cmd.exe /c "reg delete hkcu\Software\Classes\ms-settings /f"C:\Windows\System32\cmd.exeDDNet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
4980"C:\Users\admin\AppData\Local\Temp\DDNet.exe" C:\Users\admin\AppData\Local\Temp\DDNet.exe
DDNet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Block Level Backup Engine Service EXE
Exit code:
0
Version:
10.0.19041.5072 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\ddnet.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
ims-api
(PID) Process(4980) DDNet.exe
Discord-Webhook-Tokens (1)1332727526950309939/eWzmCTl9gQDB5iTLV3_Ur9UNJdyAuAJoeWZCYFoY_Pk3YAQITHs6H5PiYdODhhrgzGcB
Discord-Info-Links
1332727526950309939/eWzmCTl9gQDB5iTLV3_Ur9UNJdyAuAJoeWZCYFoY_Pk3YAQITHs6H5PiYdODhhrgzGcB
Get Webhook Infohttps://discord.com/api/webhooks/1332727526950309939/eWzmCTl9gQDB5iTLV3_Ur9UNJdyAuAJoeWZCYFoY_Pk3YAQITHs6H5PiYdODhhrgzGcB
6592"C:\Users\admin\AppData\Local\Temp\DDNet.exe" C:\Users\admin\AppData\Local\Temp\DDNet.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Block Level Backup Engine Service EXE
Exit code:
0
Version:
10.0.19041.5072 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\ddnet.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
6624"C:\Users\admin\AppData\Local\Temp\DDNet.exe" C:\Users\admin\AppData\Local\Temp\DDNet.exeDDNet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Block Level Backup Engine Service EXE
Exit code:
0
Version:
10.0.19041.5072 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\ddnet.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
13 578
Read events
13 570
Write events
4
Delete events
4

Modification events

(PID) Process:(4052) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:delete keyName:(default)
Value:
(PID) Process:(4052) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings\shell\open
Operation:delete keyName:(default)
Value:
(PID) Process:(4052) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings\shell
Operation:delete keyName:(default)
Value:
(PID) Process:(4052) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings
Operation:delete keyName:(default)
Value:
(PID) Process:(6872) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:writeName:DelegateExecute
Value:
(PID) Process:(4980) DDNet.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib
Operation:writeName: 1280x720x32(BGR 0)
Value:
31,31,31,31
(PID) Process:(8120) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdHigh
Value:
31158283
(PID) Process:(8120) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdLow
Value:
884853373
Executable files
58
Suspicious files
27
Text files
15
Unknown types
0

Dropped files

PID
Process
Filename
Type
6592DDNet.exeC:\Users\admin\AppData\Local\Temp\_MEI65922\_decimal.pydexecutable
MD5:9CFB6D9624033002BC19435BAE7FF838
SHA256:41B0B60FE2AA2B63C93D3CE9AB69247D440738EDB4805F18DB3D1DAA6BB3EBFF
6592DDNet.exeC:\Users\admin\AppData\Local\Temp\_MEI65922\_lzma.pydexecutable
MD5:ADEAA96A07B7B595675D9F351BB7A10C
SHA256:3E749F5FAD4088A83AE3959825DA82F91C44478B4EB74F92387FF50FF1B8647D
6592DDNet.exeC:\Users\admin\AppData\Local\Temp\_MEI65922\_bz2.pydexecutable
MD5:E1B31198135E45800ED416BD05F8362E
SHA256:43F812A27AF7E3C6876DB1005E0F4FB04DB6AF83A389E5F00B3F25A66F26EB80
6592DDNet.exeC:\Users\admin\AppData\Local\Temp\_MEI65922\_ctypes.pydexecutable
MD5:B6262F9FBDCA0FE77E96A9EED25E312F
SHA256:1C0F9C3BDC53C2B24D5480858377883A002EB2EBB57769D30649868BFB191998
6592DDNet.exeC:\Users\admin\AppData\Local\Temp\_MEI65922\_hashlib.pydexecutable
MD5:0B214888FAC908AD036B84E5674539E2
SHA256:A9F24AD79A3D2A71B07F93CD56FC71958109F0D1B79EEBF703C9ED3AC76525FF
6592DDNet.exeC:\Users\admin\AppData\Local\Temp\_MEI65922\_socket.pydexecutable
MD5:65CD246A4B67CC1EAB796E2572C50295
SHA256:4ECD63F5F111D97C2834000FF5605FAC61F544E949A0D470AAA467ABC10B549C
6592DDNet.exeC:\Users\admin\AppData\Local\Temp\_MEI65922\api-ms-win-core-console-l1-1-0.dllexecutable
MD5:E8B9D74BFD1F6D1CC1D99B24F44DA796
SHA256:B1B3FD40AB437A43C8DB4994CCFFC7F88000CC8BB6E34A2BCBFF8E2464930C59
6592DDNet.exeC:\Users\admin\AppData\Local\Temp\_MEI65922\VCRUNTIME140.dllexecutable
MD5:862F820C3251E4CA6FC0AC00E4092239
SHA256:36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
6592DDNet.exeC:\Users\admin\AppData\Local\Temp\_MEI65922\_queue.pydexecutable
MD5:766820215F82330F67E248F21668F0B3
SHA256:EF361936929B70EF85E070ED89E55CBDA7837441ACAFEEA7EF7A0BB66ADDEEC6
6592DDNet.exeC:\Users\admin\AppData\Local\Temp\_MEI65922\_sqlite3.pydexecutable
MD5:F018B2C125AA1ECC120F80180402B90B
SHA256:67A887D3E45C8836F8466DC32B1BB8D64C438F24914F9410BC52B02003712443
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
29
DNS requests
19
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1176
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4980
DDNet.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
shared
7520
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7520
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5892
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
4980
DDNet.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/?fields=225545
unknown
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
40.126.31.69:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1076
svchost.exe
23.35.238.131:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted
1176
svchost.exe
40.126.31.69:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4980
DDNet.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
shared
4980
DDNet.exe
142.250.186.35:443
gstatic.com
GOOGLE
US
whitelisted
4
System
192.168.100.255:137
whitelisted
7520
SIHClient.exe
52.149.20.212:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
login.live.com
  • 40.126.31.69
  • 40.126.31.73
  • 40.126.31.71
  • 20.190.159.71
  • 20.190.159.2
  • 20.190.159.0
  • 20.190.159.68
  • 20.190.159.75
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
blank-e3eua.in
unknown
ip-api.com
  • 208.95.112.1
shared
gstatic.com
  • 142.250.186.35
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
  • 51.124.78.146
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2192
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
4980
DDNet.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
2192
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
4980
DDNet.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
4980
DDNet.exe
A Network Trojan was detected
STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
4980
DDNet.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
DDNet.exe