File name:

LastActivityView..exe

Full analysis: https://app.any.run/tasks/c8c96e01-6b33-4f8c-8e40-f732253db6fa
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks.

Malware Trends Tracker     >>>
Analysis date: May 16, 2025, 09:06:34
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
blankgrabber
uac
evasion
stealer
discord
pyinstaller
arch-exec
susp-powershell
discordgrabber
generic
growtopia
umbralstealer
ims-api
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

BE556BD984DF81E2062FE81B55D95FFA

SHA1:

CD8200188427909DE69DE70F6EA8653D660CCCFC

SHA256:

3858CF4E6AE2C2C57249C6A8043BA30B77920455477A0EF739E4612CCC754FF3

SSDEEP:

98304:a6Cn+ZQ7SiyQ/oAozZ3tAnU3fuUfz83bibZgtLSlAcBEk8R36VyfqqQVH68DcDox:uk1Yn44a+tW8XsIstGhRkp/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • BlankGrabber has been detected

      • LastActivityView..exe (PID: 5960)
      • LastActivityView..exe (PID: 5324)

    • Bypass User Account Control (Modify registry)

      • reg.exe (PID: 5864)

    • Bypass User Account Control (ComputerDefaults)

      • ComputerDefaults.exe (PID: 5864)

    • Adds path to the Windows Defender exclusion list

      • LastActivityView..exe (PID: 4400)
      • cmd.exe (PID: 2236)
      • cmd.exe (PID: 1228)
      • cmd.exe (PID: 8036)

    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 4688)

    • Changes settings for real-time protection

      • powershell.exe (PID: 4688)

    • Changes Windows Defender settings

      • cmd.exe (PID: 1056)
      • cmd.exe (PID: 2236)
      • cmd.exe (PID: 1228)
      • cmd.exe (PID: 8036)

    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 1056)

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 4688)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 4688)

    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 4688)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 4688)

    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 4688)

    • Actions looks like stealing of personal data

      • LastActivityView..exe (PID: 4400)

    • Steals credentials from Web Browsers

      • LastActivityView..exe (PID: 4400)

    • Create files in the Startup directory

      • LastActivityView..exe (PID: 4400)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7996)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 7616)

    • Resets Windows Defender malware definitions to the base version

      • MpCmdRun.exe (PID: 2148)

    • UMBRALSTEALER has been detected (YARA)

      • LastActivityView..exe (PID: 4400)

    • DISCORDGRABBER has been detected (YARA)

      • LastActivityView..exe (PID: 4400)

    • GROWTOPIA has been detected (YARA)

      • LastActivityView..exe (PID: 4400)

    • BLANKGRABBER has been detected (SURICATA)

      • LastActivityView..exe (PID: 4400)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • LastActivityView..exe (PID: 5960)
      • LastActivityView..exe (PID: 5324)
      • LastActivityView..exe (PID: 4400)

    • Process drops python dynamic module

      • LastActivityView..exe (PID: 5960)
      • LastActivityView..exe (PID: 5324)

    • The process drops C-runtime libraries

      • LastActivityView..exe (PID: 5960)
      • LastActivityView..exe (PID: 5324)

    • Application launched itself

      • LastActivityView..exe (PID: 5960)
      • LastActivityView..exe (PID: 5324)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 960)
      • cmd.exe (PID: 5504)
      • cmd.exe (PID: 5640)

    • Changes default file association

      • reg.exe (PID: 5864)

    • Starts a Microsoft application from unusual location

      • LastActivityView..exe (PID: 5960)
      • LastActivityView..exe (PID: 660)
      • LastActivityView..exe (PID: 5324)
      • LastActivityView..exe (PID: 4400)

    • Executable content was dropped or overwritten

      • LastActivityView..exe (PID: 5960)
      • LastActivityView..exe (PID: 5324)
      • LastActivityView..exe (PID: 4400)
      • csc.exe (PID: 7928)

    • Found strings related to reading or modifying Windows Defender settings

      • LastActivityView..exe (PID: 660)
      • LastActivityView..exe (PID: 4400)

    • Uses WEVTUTIL.EXE to query events from a log or log file

      • cmd.exe (PID: 1760)
      • cmd.exe (PID: 2392)

    • Starts CMD.EXE for commands execution

      • LastActivityView..exe (PID: 660)
      • LastActivityView..exe (PID: 4400)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1056)
      • cmd.exe (PID: 1228)
      • cmd.exe (PID: 2236)
      • cmd.exe (PID: 8036)
      • cmd.exe (PID: 6132)
      • cmd.exe (PID: 7616)
      • cmd.exe (PID: 1760)
      • cmd.exe (PID: 4008)
      • cmd.exe (PID: 7860)
      • cmd.exe (PID: 7624)

    • Get information on the list of running processes

      • LastActivityView..exe (PID: 4400)
      • cmd.exe (PID: 3132)
      • cmd.exe (PID: 8164)
      • cmd.exe (PID: 8184)
      • cmd.exe (PID: 7328)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 2236)
      • cmd.exe (PID: 1228)
      • cmd.exe (PID: 8036)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 1056)

    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 1056)

    • The executable file from the user directory is run by the CMD process

      • bound.exe (PID: 5868)
      • rar.exe (PID: 6816)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 7256)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 7760)
      • cmd.exe (PID: 7916)
      • cmd.exe (PID: 7244)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 7824)
      • WMIC.exe (PID: 7972)

    • Checks for external IP

      • LastActivityView..exe (PID: 4400)
      • svchost.exe (PID: 2196)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 1764)
      • cmd.exe (PID: 6272)
      • cmd.exe (PID: 8080)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 920)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 7616)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 7372)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 7616)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 7616)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3896)
      • cmd.exe (PID: 8180)
      • cmd.exe (PID: 7800)
      • cmd.exe (PID: 6108)
      • cmd.exe (PID: 8156)
      • cmd.exe (PID: 7780)

    • Accesses antivirus product name via WMI (SCRIPT)

      • WMIC.exe (PID: 7988)

    • Searches for installed software

      • bound.exe (PID: 5868)

    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 7284)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 7928)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • LastActivityView..exe (PID: 4400)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 8092)

  • INFO

    • Checks supported languages

      • LastActivityView..exe (PID: 5960)
      • LastActivityView..exe (PID: 660)
      • LastActivityView..exe (PID: 4400)
      • LastActivityView..exe (PID: 5324)
      • bound.exe (PID: 5868)
      • tree.com (PID: 7944)
      • tree.com (PID: 4024)
      • tree.com (PID: 7212)
      • tree.com (PID: 5384)
      • tree.com (PID: 7632)
      • tree.com (PID: 5956)
      • csc.exe (PID: 7928)
      • cvtres.exe (PID: 7356)

    • The sample compiled with english language support

      • LastActivityView..exe (PID: 5960)
      • LastActivityView..exe (PID: 5324)
      • LastActivityView..exe (PID: 4400)
      • WinRAR.exe (PID: 6576)

    • Reads the computer name

      • LastActivityView..exe (PID: 5960)
      • LastActivityView..exe (PID: 5324)
      • LastActivityView..exe (PID: 4400)
      • bound.exe (PID: 5868)

    • Create files in a temporary directory

      • LastActivityView..exe (PID: 5960)
      • LastActivityView..exe (PID: 660)
      • LastActivityView..exe (PID: 4400)
      • LastActivityView..exe (PID: 5324)
      • csc.exe (PID: 7928)
      • cvtres.exe (PID: 7356)

    • Reads security settings of Internet Explorer

      • ComputerDefaults.exe (PID: 5864)
      • WMIC.exe (PID: 7256)
      • WMIC.exe (PID: 7824)
      • WMIC.exe (PID: 7972)
      • WMIC.exe (PID: 7988)

    • NirSoft software is detected

      • bound.exe (PID: 5868)

    • Creates files in the program directory

      • LastActivityView..exe (PID: 4400)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 7824)

    • Checks the directory tree

      • tree.com (PID: 7944)
      • tree.com (PID: 7212)
      • tree.com (PID: 5384)
      • tree.com (PID: 7632)
      • tree.com (PID: 4024)
      • tree.com (PID: 5956)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7188)
      • powershell.exe (PID: 7196)
      • powershell.exe (PID: 4688)
      • powershell.exe (PID: 8084)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 7928)

    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 7804)

    • PyInstaller has been detected (YARA)

      • LastActivityView..exe (PID: 5324)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • LastActivityView..exe (PID: 4400)

    • Manual execution by a user

      • msedge.exe (PID: 2960)
      • WinRAR.exe (PID: 6576)
      • notepad++.exe (PID: 5176)

    • Attempting to use instant messaging service

      • LastActivityView..exe (PID: 4400)

    • Application launched itself

      • msedge.exe (PID: 2960)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(4400) LastActivityView..exe
Discord-Webhook-Tokens (1)1290704566198861845/xKaQWms8MLpbuL5Z5x-vmKitSd68PH7ayxot7Po7_mZbREK-oYePWcyzbGQ7rPuckFL4
Discord-Info-Links
1290704566198861845/xKaQWms8MLpbuL5Z5x-vmKitSd68PH7ayxot7Po7_mZbREK-oYePWcyzbGQ7rPuckFL4
Get Webhook Infohttps://discord.com/api/webhooks/1290704566198861845/xKaQWms8MLpbuL5Z5x-vmKitSd68PH7ayxot7Po7_mZbREK-oYePWcyzbGQ7rPuckFL4
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:10:03 02:59:21+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 172032
InitializedDataSize: 100352
UninitializedDataSize: -
EntryPoint: 0xcdb0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.19041.1
ProductVersionNumber: 10.0.19041.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: SQL Client Configuration Utility EXE
FileVersion: 10.0.19041.1 (WinBuild.160101.0800)
InternalName: cliconfg.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: cliconfg.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
316
Monitored processes
178
Malicious processes
12
Suspicious processes
3

Behavior graph

Click at the process to see the details
start #BLANKGRABBER lastactivityview..exe lastactivityview..exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs computerdefaults.exe no specs computerdefaults.exe no specs computerdefaults.exe #BLANKGRABBER lastactivityview..exe cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs #BLANKGRABBER lastactivityview..exe cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs bound.exe no specs powershell.exe no specs powershell.exe no specs tasklist.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs svchost.exe reg.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs tasklist.exe no specs netsh.exe no specs powershell.exe no specs wmic.exe no specs systeminfo.exe no specs powershell.exe no specs reg.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs csc.exe tiworker.exe no specs cvtres.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs mpcmdrun.exe no specs cmd.exe no specs conhost.exe no specs getmac.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs rar.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs slui.exe rundll32.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs notepad++.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
496\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
660"C:\Users\admin\Desktop\LastActivityView..exe" C:\Users\admin\Desktop\LastActivityView..exeLastActivityView..exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
SQL Client Configuration Utility EXE
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\desktop\lastactivityview..exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
680powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITYC:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
780"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2396 --field-trial-handle=2052,i,9182808355667536236,2452415555966069482,262144 --variations-seed-version /prefetch:3C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
920C:\WINDOWS\system32\cmd.exe /c "systeminfo"C:\Windows\System32\cmd.exeLastActivityView..exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
960C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\admin\Desktop\LastActivityView..exe" /f"C:\Windows\System32\cmd.exeLastActivityView..exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1056C:\WINDOWS\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"C:\Windows\System32\cmd.exeLastActivityView..exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1072\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1132powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITYC:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
1164"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2052,i,9182808355667536236,2452415555966069482,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
72 310
Read events
72 257
Write events
49
Delete events
4

Modification events

(PID) Process:(5864) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:writeName:DelegateExecute
Value:
(PID) Process:(5608) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:delete keyName:(default)
Value:
(PID) Process:(5608) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings\shell\open
Operation:delete keyName:(default)
Value:
(PID) Process:(5608) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings\shell
Operation:delete keyName:(default)
Value:
(PID) Process:(5608) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings
Operation:delete keyName:(default)
Value:
(PID) Process:(5864) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(5864) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(5864) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(4400) LastActivityView..exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib
Operation:writeName: 1280x720x32(BGR 0)
Value:
31,31,31,31
(PID) Process:(8004) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdHigh
Value:
31180353
Executable files
77
Suspicious files
576
Text files
104
Unknown types
0

Dropped files

PID
Process
Filename
Type
5960LastActivityView..exeC:\Users\admin\AppData\Local\Temp\_MEI59602\_ctypes.pydexecutable
MD5:2401460A376C597EDCE907F31EC67FBC
SHA256:4F3F99B69834C43DAC5C3F309CB0BD56C07E8C2AC555DE4923FA2DDC27801960
5960LastActivityView..exeC:\Users\admin\AppData\Local\Temp\_MEI59602\_sqlite3.pydexecutable
MD5:3911AE916C6E4BF99FE3296C3E5828CA
SHA256:3EC855C00585DB0246B56F04D11615304931E03066CB9FC760ED598C34D85A1F
5960LastActivityView..exeC:\Users\admin\AppData\Local\Temp\_MEI59602\VCRUNTIME140.dllexecutable
MD5:862F820C3251E4CA6FC0AC00E4092239
SHA256:36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
5960LastActivityView..exeC:\Users\admin\AppData\Local\Temp\_MEI59602\_hashlib.pydexecutable
MD5:D4C05F1C17AC3EB482B3D86399C9BAAE
SHA256:86BD72B13A47693E605A0DE1112C9998D12E737644E7A101AC396D402E25CF2F
5960LastActivityView..exeC:\Users\admin\AppData\Local\Temp\_MEI59602\_decimal.pydexecutable
MD5:DF361EA0C714B1A9D8CF9FCF6A907065
SHA256:F78EE4524EB6E9885B9CBDB125B2F335864F51E9C36DC18FDCCB5050926ADFFE
5960LastActivityView..exeC:\Users\admin\AppData\Local\Temp\_MEI59602\_lzma.pydexecutable
MD5:E0FA126B354B796F9735E07E306573E1
SHA256:E0DC01233B16318CD21CA13570B8FDF4808657EC7D0CC3E7656B09CCF563DC3E
5960LastActivityView..exeC:\Users\admin\AppData\Local\Temp\_MEI59602\_bz2.pydexecutable
MD5:1D9398C54C80C0EF2F00A67FC7C9A401
SHA256:89006952BEE2B38D1B5C54CC055D8868D06C43E94CD9D9E0D00A716C5F3856FA
5960LastActivityView..exeC:\Users\admin\AppData\Local\Temp\_MEI59602\_queue.pydexecutable
MD5:84AA87C6DD11A474BE70149614976B89
SHA256:6066DF940D183CF218A5053100E474D1F96BE0A4E4EE7C09B31EA303FF56E21B
5960LastActivityView..exeC:\Users\admin\AppData\Local\Temp\_MEI59602\_socket.pydexecutable
MD5:1D982F4D97EE5E5D4D89FE94B7841A43
SHA256:368CF569ADC4B8D2C981274F22181FEA6E7CE4FA09B3A5D883B0FF0BA825049D
5960LastActivityView..exeC:\Users\admin\AppData\Local\Temp\_MEI59602\blank.aesbinary
MD5:5EAFE7E2192EECACEEB549E4AB1AB5C7
SHA256:FCB4895D60B37E6054993413401AAB19A51638C1F20E498C2198A28B79D8DB37
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
134
DNS requests
122
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4400
LastActivityView..exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
whitelisted
6436
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6436
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4400
LastActivityView..exe
GET
200
208.95.112.1:80
http://ip-api.com/json/?fields=225545
unknown
whitelisted
2924
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.132:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
4400
LastActivityView..exe
208.95.112.1:80
ip-api.com
TUT-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.132
  • 40.126.32.76
  • 20.190.160.67
  • 20.190.160.128
  • 20.190.160.64
  • 40.126.32.136
  • 20.190.160.3
  • 20.190.160.2
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
blank-ulerf.in
unknown
ip-api.com
  • 208.95.112.1
whitelisted
gstatic.com
  • 142.250.186.35
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
4400
LastActivityView..exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2196
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
4400
LastActivityView..exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
4400
LastActivityView..exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
4400
LastActivityView..exe
A Network Trojan was detected
STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
780
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
780
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
780
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
LastActivityView..exe