File name:

LastActivityView..exe

Full analysis: https://app.any.run/tasks/0de2adc9-94d8-40b0-9fb9-bc4871b23313
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is open-source malware, with its code available on GitHub and regularly receiving updates. The Blank Grabber builder's simple interface lets threat actors with even basic skills deploy it and conduct attacks.

Analysis date: May 16, 2025, 08:52:04
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
uac
blankgrabber
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

BE556BD984DF81E2062FE81B55D95FFA

SHA1:

CD8200188427909DE69DE70F6EA8653D660CCCFC

SHA256:

3858CF4E6AE2C2C57249C6A8043BA30B77920455477A0EF739E4612CCC754FF3

SSDEEP:

98304:a6Cn+ZQ7SiyQ/oAozZ3tAnU3fuUfz83bibZgtLSlAcBEk8R36VyfqqQVH68DcDox:uk1Yn44a+tW8XsIstGhRkp/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • BlankGrabber has been detected

      • LastActivityView..exe (PID: 6436)
      • LastActivityView..exe (PID: 4892)
    • Bypass User Account Control (ComputerDefaults)

      • ComputerDefaults.exe (PID: 672)
    • Bypass User Account Control (Modify registry)

      • reg.exe (PID: 5112)
    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 2432)
    • Adds path to the Windows Defender exclusion list

      • LastActivityView..exe (PID: 6244)
      • cmd.exe (PID: 6184)
      • cmd.exe (PID: 2904)
    • Changes Windows Defender settings

      • cmd.exe (PID: 2904)
      • cmd.exe (PID: 2432)
      • cmd.exe (PID: 6184)
    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 5964)
    • Changes settings for real-time protection

      • powershell.exe (PID: 5964)
    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 5964)
    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 5964)
    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 5964)
    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 5964)
    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 5964)
    • Resets Windows Defender malware definitions to the base version

      • MpCmdRun.exe (PID: 7560)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • LastActivityView..exe (PID: 6436)
      • LastActivityView..exe (PID: 4892)
    • Process drops python dynamic module

      • LastActivityView..exe (PID: 6436)
      • LastActivityView..exe (PID: 4892)
    • Starts a Microsoft application from unusual location

      • LastActivityView..exe (PID: 6436)
      • LastActivityView..exe (PID: 4920)
      • LastActivityView..exe (PID: 4892)
      • LastActivityView..exe (PID: 6244)
    • Executable content was dropped or overwritten

      • LastActivityView..exe (PID: 6436)
      • LastActivityView..exe (PID: 4892)
      • LastActivityView..exe (PID: 6244)
    • The process drops C-runtime libraries

      • LastActivityView..exe (PID: 6436)
      • LastActivityView..exe (PID: 4892)
    • Application launched itself

      • LastActivityView..exe (PID: 6436)
      • LastActivityView..exe (PID: 4892)
    • Starts CMD.EXE for commands execution

      • LastActivityView..exe (PID: 4920)
      • LastActivityView..exe (PID: 6244)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2432)
      • cmd.exe (PID: 5072)
      • cmd.exe (PID: 672)
    • Uses WEVTUTIL.EXE to query events from a log or log file

      • cmd.exe (PID: 1056)
    • Found strings related to reading or modifying Windows Defender settings

      • LastActivityView..exe (PID: 4920)
      • LastActivityView..exe (PID: 6244)
    • Changes default file association

      • reg.exe (PID: 5112)
    • Get information on the list of running processes

      • LastActivityView..exe (PID: 6244)
      • cmd.exe (PID: 3332)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 2904)
      • cmd.exe (PID: 6184)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2904)
      • cmd.exe (PID: 2432)
      • cmd.exe (PID: 6184)
    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 2432)
    • The executable file from the user directory is run by the CMD process

      • bound.exe (PID: 1096)
    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 2432)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 4224)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 6964)
    • Checks for external IP

      • LastActivityView..exe (PID: 6244)
      • svchost.exe (PID: 2196)
    • Searches for installed software

      • bound.exe (PID: 1096)
    • Reads security settings of Internet Explorer

      • bound.exe (PID: 1096)
    • There is functionality for taking screenshot (YARA)

      • bound.exe (PID: 1096)
  • INFO

    • The sample compiled with english language support

      • LastActivityView..exe (PID: 6436)
      • LastActivityView..exe (PID: 6244)
      • LastActivityView..exe (PID: 4892)
    • Create files in a temporary directory

      • LastActivityView..exe (PID: 6436)
      • LastActivityView..exe (PID: 4892)
      • LastActivityView..exe (PID: 6244)
      • bound.exe (PID: 1096)
    • Checks supported languages

      • LastActivityView..exe (PID: 6436)
      • LastActivityView..exe (PID: 4920)
      • LastActivityView..exe (PID: 4892)
      • LastActivityView..exe (PID: 6244)
      • bound.exe (PID: 1096)
      • MpCmdRun.exe (PID: 7560)
    • Reads the computer name

      • LastActivityView..exe (PID: 6436)
      • LastActivityView..exe (PID: 4892)
      • LastActivityView..exe (PID: 6244)
      • bound.exe (PID: 1096)
      • MpCmdRun.exe (PID: 7560)
    • Reads security settings of Internet Explorer

      • ComputerDefaults.exe (PID: 672)
      • WMIC.exe (PID: 6964)
    • NirSoft software is detected

      • bound.exe (PID: 1096)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5512)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 5964)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5512)
      • powershell.exe (PID: 2320)
      • powershell.exe (PID: 5964)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:10:03 02:59:21+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 172032
InitializedDataSize: 100352
UninitializedDataSize: -
EntryPoint: 0xcdb0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.19041.1
ProductVersionNumber: 10.0.19041.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: SQL Client Configuration Utility EXE
FileVersion: 10.0.19041.1 (WinBuild.160101.0800)
InternalName: cliconfg.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: cliconfg.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.1
No data.
All screenshots are available in the full report
Total processes
168
Monitored processes
41
Malicious processes
12
Suspicious processes
3

Behavior graph

start #BLANKGRABBER lastactivityview..exe lastactivityview..exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs computerdefaults.exe #BLANKGRABBER lastactivityview..exe cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs lastactivityview..exe cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs bound.exe no specs tasklist.exe no specs powershell.exe no specs wmic.exe no specs svchost.exe mpcmdrun.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
632
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
672
CMD:
C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\admin\AppData\Local\Temp\LastActivityView..exe" /f"
Path:
C:\Windows\System32\cmd.exe
Parent process:
LastActivityView..exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID:
672
CMD:
"C:\WINDOWS\system32\ComputerDefaults.exe" --nouacbypass
Path:
C:\Windows\System32\ComputerDefaults.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Set Program Access and Computer Defaults Control Panel
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\computerdefaults.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
1020
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1020
CMD:
C:\WINDOWS\system32\cmd.exe /c "start bound.exe"
Path:
C:\Windows\System32\cmd.exe
Parent process:
LastActivityView..exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID:
1056
CMD:
C:\WINDOWS\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text"
Path:
C:\Windows\System32\cmd.exe
Parent process:
LastActivityView..exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID:
1096
CMD:
bound.exe
Path:
C:\Users\admin\AppData\Local\Temp\bound.exe
Parent process:
cmd.exe
User:
admin
Company:
NirSoft
Integrity Level:
HIGH
Description:
LastActivityView
Exit code:
0
Version:
1.37
Modules
Images
c:\users\admin\appdata\local\temp\bound.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
1184
CMD:
C:\WINDOWS\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text"
Path:
C:\Windows\System32\cmd.exe
Parent process:
LastActivityView..exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID:
1184
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2140
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events
19 233
Read events
19 224
Write events
5
Delete events
4

Modification events

(PID) Process: (672) ComputerDefaults.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (672) ComputerDefaults.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (672) ComputerDefaults.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:

(PID) Process: (672) ComputerDefaults.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:

(PID) Process: (5112) reg.exe
Key: HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation: write
Name: DelegateExecute
Value:

(PID) Process: (6700) reg.exe
Key: HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation: delete key
Name: (default)
Value:

(PID) Process: (6700) reg.exe
Key: HKEY_CLASSES_ROOT\ms-settings\shell\open
Operation: delete key
Name: (default)
Value:

(PID) Process: (6700) reg.exe
Key: HKEY_CLASSES_ROOT\ms-settings\shell
Operation: delete key
Name: (default)
Value:

(PID) Process: (6700) reg.exe
Key: HKEY_CLASSES_ROOT\ms-settings
Operation: delete key
Name: (default)
Value:
Executable files
37
Suspicious files
7
Text files
10
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID 6436, LastActivityView..exe: C:\Users\admin\AppData\Local\Temp\_MEI64362\VCRUNTIME140.dll (executable)
MD5: 862F820C3251E4CA6FC0AC00E4092239
SHA256: 36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
PID 6436, LastActivityView..exe: C:\Users\admin\AppData\Local\Temp\_MEI64362\_bz2.pyd (executable)
MD5: 1D9398C54C80C0EF2F00A67FC7C9A401
SHA256: 89006952BEE2B38D1B5C54CC055D8868D06C43E94CD9D9E0D00A716C5F3856FA
PID 6436, LastActivityView..exe: C:\Users\admin\AppData\Local\Temp\_MEI64362\_decimal.pyd (executable)
MD5: DF361EA0C714B1A9D8CF9FCF6A907065
SHA256: F78EE4524EB6E9885B9CBDB125B2F335864F51E9C36DC18FDCCB5050926ADFFE
PID 6436, LastActivityView..exe: C:\Users\admin\AppData\Local\Temp\_MEI64362\_queue.pyd (executable)
MD5: 84AA87C6DD11A474BE70149614976B89
SHA256: 6066DF940D183CF218A5053100E474D1F96BE0A4E4EE7C09B31EA303FF56E21B
PID 6436, LastActivityView..exe: C:\Users\admin\AppData\Local\Temp\_MEI64362\_hashlib.pyd (executable)
MD5: D4C05F1C17AC3EB482B3D86399C9BAAE
SHA256: 86BD72B13A47693E605A0DE1112C9998D12E737644E7A101AC396D402E25CF2F
PID 6436, LastActivityView..exe: C:\Users\admin\AppData\Local\Temp\_MEI64362\_lzma.pyd (executable)
MD5: E0FA126B354B796F9735E07E306573E1
SHA256: E0DC01233B16318CD21CA13570B8FDF4808657EC7D0CC3E7656B09CCF563DC3E
PID 6436, LastActivityView..exe: C:\Users\admin\AppData\Local\Temp\_MEI64362\_socket.pyd (executable)
MD5: 1D982F4D97EE5E5D4D89FE94B7841A43
SHA256: 368CF569ADC4B8D2C981274F22181FEA6E7CE4FA09B3A5D883B0FF0BA825049D
PID 6436, LastActivityView..exe: C:\Users\admin\AppData\Local\Temp\_MEI64362\_ctypes.pyd (executable)
MD5: 2401460A376C597EDCE907F31EC67FBC
SHA256: 4F3F99B69834C43DAC5C3F309CB0BD56C07E8C2AC555DE4923FA2DDC27801960
PID 6436, LastActivityView..exe: C:\Users\admin\AppData\Local\Temp\_MEI64362\_ssl.pyd (executable)
MD5: 68E9EB3026FA037EE702016B7EB29E1B
SHA256: 2AE5C1BDD1E691675BB028EFD5185A4FA517AC46C9EF76AF23C96344455ECC79
PID 6436, LastActivityView..exe: C:\Users\admin\AppData\Local\Temp\_MEI64362\_sqlite3.pyd (executable)
MD5: 3911AE916C6E4BF99FE3296C3E5828CA
SHA256: 3EC855C00585DB0246B56F04D11615304931E03066CB9FC760ED598C34D85A1F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
15
DNS requests
10
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6244
LastActivityView..exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
2104
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.65:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2112
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6244
LastActivityView..exe
208.95.112.1:80
ip-api.com
TUT-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.65
  • 20.190.160.132
  • 20.190.160.4
  • 40.126.32.76
  • 20.190.160.3
  • 40.126.32.140
  • 40.126.32.74
  • 20.190.160.14
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
blank-6uqxg.in
unknown
ip-api.com
  • 208.95.112.1
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
6244
LastActivityView..exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
No debug info