URL:

https://blackhatrussia.com

Full analysis: https://app.any.run/tasks/d15e526f-a0b3-4d07-abcb-273e3304bcbb
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks.

Malware Trends Tracker     >>>
Analysis date: December 31, 2024, 18:36:55
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
arch-doc
stealer
screenshot
evasion
blankgrabber
telegram
python
pyinstaller
susp-powershell
discordgrabber
generic
growtopia
umbralstealer
ims-api
Indicators:
MD5:

0D560D03505F445FC0D4A585FA58FD6B

SHA1:

9FBCBADB90C2FE0312211593F97056698FDB4235

SHA256:

4C0F76F93340EBA7BDF6E70687AF4F99CEB736CA6D93D6AE3EF18E9CD18D3E64

SSDEEP:

3:N8WFWWAKI:2WFRAT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • svchost.exe (PID: 7272)
      • svchost.exe (PID: 2200)

    • BlankGrabber has been detected

      • svchost.exe (PID: 7272)

    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 6564)

    • Adds path to the Windows Defender exclusion list

      • svchost.exe (PID: 2200)
      • cmd.exe (PID: 6580)

    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 3884)

    • Actions looks like stealing of personal data

      • svchost.exe (PID: 2200)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 3884)

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 3884)

    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 3884)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 3884)

    • Changes settings for real-time protection

      • powershell.exe (PID: 3884)

    • Steals credentials from Web Browsers

      • svchost.exe (PID: 2200)

    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 3884)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4188)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 5536)

    • Resets Windows Defender malware definitions to the base version

      • MpCmdRun.exe (PID: 6148)

    • DISCORDGRABBER has been detected (YARA)

      • svchost.exe (PID: 2200)

    • GROWTOPIA has been detected (YARA)

      • svchost.exe (PID: 2200)

    • UMBRALSTEALER has been detected (YARA)

      • svchost.exe (PID: 2200)

    • BLANKGRABBER has been detected (SURICATA)

      • svchost.exe (PID: 2200)

    • Changes the autorun value in the registry

      • crack.exe (PID: 6560)

  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • Mars Stealer v6.1.exe (PID: 7296)

    • Reads security settings of Internet Explorer

      • Mars Stealer v6.1.exe (PID: 7296)
      • svchost.exe (PID: 2200)

    • Reads Internet Explorer settings

      • Mars Stealer v6.1.exe (PID: 7296)

    • Executable content was dropped or overwritten

      • Mars Stealer v6.1.exe (PID: 7296)
      • svchost.exe (PID: 7272)
      • crack.exe (PID: 1300)
      • csc.exe (PID: 8808)
      • crack.exe (PID: 6560)
      • crack.exe (PID: 8976)

    • Process drops legitimate windows executable

      • Mars Stealer v6.1.exe (PID: 7296)
      • crack.exe (PID: 1300)
      • svchost.exe (PID: 7272)
      • crack.exe (PID: 8976)

    • The process creates files with name similar to system file names

      • Mars Stealer v6.1.exe (PID: 7296)

    • The process drops C-runtime libraries

      • Mars Stealer v6.1.exe (PID: 7296)
      • crack.exe (PID: 1300)
      • svchost.exe (PID: 7272)
      • crack.exe (PID: 8976)

    • The process drops Mozilla's DLL files

      • Mars Stealer v6.1.exe (PID: 7296)

    • Starts a Microsoft application from unusual location

      • svchost.exe (PID: 7272)
      • svchost.exe (PID: 2200)

    • Process drops python dynamic module

      • crack.exe (PID: 1300)
      • svchost.exe (PID: 7272)
      • crack.exe (PID: 8976)

    • Reads the date of Windows installation

      • svchost.exe (PID: 2200)

    • Application launched itself

      • svchost.exe (PID: 7272)
      • crack.exe (PID: 1300)
      • crack.exe (PID: 8976)

    • Starts CMD.EXE for commands execution

      • svchost.exe (PID: 2200)

    • Found strings related to reading or modifying Windows Defender settings

      • svchost.exe (PID: 2200)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 6580)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6580)
      • cmd.exe (PID: 6564)
      • cmd.exe (PID: 6196)
      • cmd.exe (PID: 5536)
      • cmd.exe (PID: 448)
      • cmd.exe (PID: 7936)
      • cmd.exe (PID: 7352)
      • cmd.exe (PID: 3436)

    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 6564)

    • Get information on the list of running processes

      • svchost.exe (PID: 2200)
      • cmd.exe (PID: 6584)
      • cmd.exe (PID: 6688)
      • cmd.exe (PID: 3656)
      • cmd.exe (PID: 7864)

    • Starts application with an unusual extension

      • cmd.exe (PID: 4872)
      • cmd.exe (PID: 8316)
      • cmd.exe (PID: 8380)
      • cmd.exe (PID: 8428)
      • cmd.exe (PID: 8572)
      • cmd.exe (PID: 8480)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 6564)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 6244)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 900)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 5536)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 5536)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 5536)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 6464)
      • cmd.exe (PID: 7584)

    • Accesses antivirus product name via WMI (SCRIPT)

      • WMIC.exe (PID: 772)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 8808)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 8512)
      • cmd.exe (PID: 8344)
      • cmd.exe (PID: 8392)
      • cmd.exe (PID: 6096)
      • cmd.exe (PID: 8884)
      • cmd.exe (PID: 9064)
      • cmd.exe (PID: 8964)
      • cmd.exe (PID: 9172)
      • cmd.exe (PID: 6664)
      • cmd.exe (PID: 8524)
      • cmd.exe (PID: 7240)
      • cmd.exe (PID: 7876)
      • cmd.exe (PID: 7996)
      • cmd.exe (PID: 6720)
      • cmd.exe (PID: 7068)
      • cmd.exe (PID: 2844)
      • cmd.exe (PID: 6884)

    • Captures screenshot (POWERSHELL)

      • powershell.exe (PID: 4188)

    • The executable file from the user directory is run by the CMD process

      • rar.exe (PID: 7000)

    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 2280)

    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 4512)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 5032)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 4468)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 7496)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 7440)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • svchost.exe (PID: 2200)

    • Loads Python modules

      • crack.exe (PID: 6560)
      • crack.exe (PID: 9092)

    • Checks for external IP

      • svchost.exe (PID: 2192)
      • svchost.exe (PID: 2200)
      • crack.exe (PID: 6560)
      • crack.exe (PID: 9092)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • svchost.exe (PID: 2200)

  • INFO

    • The process uses the downloaded file

      • firefox.exe (PID: 6520)
      • WinRAR.exe (PID: 3560)
      • Mars Stealer v6.1.exe (PID: 7296)
      • svchost.exe (PID: 2200)

    • Application launched itself

      • firefox.exe (PID: 6456)
      • firefox.exe (PID: 6520)

    • Manual execution by a user

      • WinRAR.exe (PID: 3560)
      • notepad.exe (PID: 6196)
      • Mars Stealer v6.1.exe (PID: 7296)
      • crack.exe (PID: 8976)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3560)

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 6196)
      • WMIC.exe (PID: 4468)
      • WMIC.exe (PID: 7496)

    • Checks supported languages

      • Mars Stealer v6.1.exe (PID: 7296)
      • crack.exe (PID: 1300)
      • svchost.exe (PID: 7272)
      • svchost.exe (PID: 2200)
      • tree.com (PID: 7208)
      • tree.com (PID: 8336)
      • tree.com (PID: 8396)
      • tree.com (PID: 8452)
      • csc.exe (PID: 8808)
      • tree.com (PID: 8592)
      • cvtres.exe (PID: 8836)
      • tree.com (PID: 8504)
      • MpCmdRun.exe (PID: 6148)
      • crack.exe (PID: 6560)
      • crack.exe (PID: 8976)
      • crack.exe (PID: 9092)

    • Reads the computer name

      • Mars Stealer v6.1.exe (PID: 7296)
      • crack.exe (PID: 1300)
      • svchost.exe (PID: 7272)
      • svchost.exe (PID: 2200)
      • MpCmdRun.exe (PID: 6148)
      • crack.exe (PID: 6560)
      • crack.exe (PID: 9092)
      • crack.exe (PID: 8976)

    • Checks proxy server information

      • Mars Stealer v6.1.exe (PID: 7296)

    • The sample compiled with english language support

      • Mars Stealer v6.1.exe (PID: 7296)
      • crack.exe (PID: 1300)
      • svchost.exe (PID: 7272)
      • crack.exe (PID: 8976)

    • Process checks computer location settings

      • Mars Stealer v6.1.exe (PID: 7296)
      • svchost.exe (PID: 2200)

    • Create files in a temporary directory

      • svchost.exe (PID: 7272)
      • crack.exe (PID: 1300)
      • svchost.exe (PID: 2200)
      • csc.exe (PID: 8808)
      • cvtres.exe (PID: 8836)
      • rar.exe (PID: 7000)
      • crack.exe (PID: 8976)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 6796)

    • Checks the directory tree

      • tree.com (PID: 8336)
      • tree.com (PID: 8396)
      • tree.com (PID: 7208)
      • tree.com (PID: 8452)
      • tree.com (PID: 8504)
      • tree.com (PID: 8592)

    • PyInstaller has been detected (YARA)

      • crack.exe (PID: 1300)
      • svchost.exe (PID: 7272)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 8808)
      • rar.exe (PID: 7000)

    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 2076)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5604)
      • powershell.exe (PID: 3884)
      • powershell.exe (PID: 8088)
      • powershell.exe (PID: 6312)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5604)
      • powershell.exe (PID: 3884)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • svchost.exe (PID: 2200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(2200) svchost.exe
Telegram-Tokens (1)7935873257:AAFamPtzeTs1nDPbUCJxQrdZ2vNJmuC6iLc
Telegram-Info-Links
7935873257:AAFamPtzeTs1nDPbUCJxQrdZ2vNJmuC6iLc
Get info about bothttps://api.telegram.org/bot7935873257:AAFamPtzeTs1nDPbUCJxQrdZ2vNJmuC6iLc/getMe
Get incoming updateshttps://api.telegram.org/bot7935873257:AAFamPtzeTs1nDPbUCJxQrdZ2vNJmuC6iLc/getUpdates
Get webhookhttps://api.telegram.org/bot7935873257:AAFamPtzeTs1nDPbUCJxQrdZ2vNJmuC6iLc/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7935873257:AAFamPtzeTs1nDPbUCJxQrdZ2vNJmuC6iLc/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7935873257:AAFamPtzeTs1nDPbUCJxQrdZ2vNJmuC6iLc/deleteWebhook?drop_pending_updates=true
Telegram-Tokens (1)7935873257:AAFamPtzeTs1nDPbUCJxQrdZ2vNJmuC6iLc
Telegram-Info-Links
7935873257:AAFamPtzeTs1nDPbUCJxQrdZ2vNJmuC6iLc
Get info about bothttps://api.telegram.org/bot7935873257:AAFamPtzeTs1nDPbUCJxQrdZ2vNJmuC6iLc/getMe
Get incoming updateshttps://api.telegram.org/bot7935873257:AAFamPtzeTs1nDPbUCJxQrdZ2vNJmuC6iLc/getUpdates
Get webhookhttps://api.telegram.org/bot7935873257:AAFamPtzeTs1nDPbUCJxQrdZ2vNJmuC6iLc/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7935873257:AAFamPtzeTs1nDPbUCJxQrdZ2vNJmuC6iLc/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7935873257:AAFamPtzeTs1nDPbUCJxQrdZ2vNJmuC6iLc/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token7935873257:AAFamPtzeTs1nDPbUCJxQrdZ2vNJmuC6iLc
End-PointsendDocument
Args
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
258
Monitored processes
125
Malicious processes
7
Suspicious processes
6

Behavior graph

Click at the process to see the details
start firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs svchost.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs rundll32.exe no specs winrar.exe notepad.exe no specs mars stealer v6.1.exe crack.exe #BLANKGRABBER svchost.exe conhost.exe no specs #BLANKGRABBER svchost.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs tasklist.exe no specs tasklist.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs tasklist.exe no specs powershell.exe no specs tree.com no specs wmic.exe no specs tasklist.exe no specs netsh.exe no specs systeminfo.exe no specs powershell.exe no specs cmd.exe no specs tree.com no specs cmd.exe no specs tree.com no specs cmd.exe no specs tree.com no specs cmd.exe no specs tree.com no specs cmd.exe no specs tree.com no specs tiworker.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs mpcmdrun.exe no specs taskkill.exe no specs cmd.exe no specs getmac.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs rar.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs powershell.exe no specs crack.exe crack.exe crack.exe

Process information

PID
CMD
Path
Indicators
Parent process
448C:\WINDOWS\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"C:\Windows\System32\cmd.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
624"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6544 -childID 12 -isForBrowser -prefsHandle 6424 -prefMapHandle 6504 -prefsLen 32018 -prefMapSize 244583 -jsInitHandle 1304 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1a42e0a-b5b4-43bb-9afa-65e296f4b99e} 6520 "\\.\pipe\gecko-crash-server-pipe.6520" 249eb463850 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\crypt32.dll
772WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayNameC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
900C:\WINDOWS\system32\cmd.exe /c "systeminfo"C:\Windows\System32\cmd.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1016powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIERC:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
1300"C:\Users\admin\Desktop\Mars_Stealer_v6.1\Mars Stealer v6.1\crack.exe" C:\Users\admin\Desktop\Mars_Stealer_v6.1\Mars Stealer v6.1\crack.exe
Mars Stealer v6.1.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\mars_stealer_v6.1\mars stealer v6.1\crack.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
1540C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
1796"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6384 -childID 14 -isForBrowser -prefsHandle 6472 -prefMapHandle 6824 -prefsLen 32018 -prefMapSize 244583 -jsInitHandle 1304 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab14edb2-772f-4267-84ce-eacd0c749c49} 6520 "\\.\pipe\gecko-crash-server-pipe.6520" 249eb00a310 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140_1.dll
1944C:\WINDOWS\system32\cmd.exe /c "C:\Users\admin\AppData\Local\Temp\_MEI72722\rar.exe a -r -hp"adrik123adi" "C:\Users\admin\AppData\Local\Temp\gqhVT.zip" *"C:\Windows\System32\cmd.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
2076getmacC:\Windows\System32\getmac.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Displays NIC MAC information
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\getmac.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events
72 775
Read events
72 745
Write events
15
Delete events
15

Modification events

(PID) Process:(6520) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe
Value:
0
(PID) Process:(3560) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:15
Value:
(PID) Process:(3560) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:14
Value:
(PID) Process:(3560) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:13
Value:
(PID) Process:(3560) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:12
Value:
(PID) Process:(3560) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:11
Value:
(PID) Process:(3560) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:10
Value:
(PID) Process:(3560) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:9
Value:
(PID) Process:(3560) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:8
Value:
(PID) Process:(3560) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:7
Value:
Executable files
107
Suspicious files
260
Text files
2 224
Unknown types
7

Dropped files

PID
Process
Filename
Type
6520firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin
MD5:
SHA256:
6520firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-child-current.binbinary
MD5:C95DDC2B1A525D1A243E4C294DA2F326
SHA256:3A5919E086BFB31E36110CF636D2D5109EB51F2C410B107F126126AB25D67363
6520firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6520firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6520firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmpbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
6520firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
MD5:
SHA256:
6520firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.jsonbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
6520firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.jstext
MD5:2C99A16AED3906D92FFE3EF1808E2753
SHA256:08412578CC3BB4922388F8FF8C23962F616B69A1588DA720ADE429129C73C452
6520firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6520firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
88
TCP/UDP connections
372
DNS requests
324
Threats
30

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
900
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
900
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
POST
200
184.24.77.79:80
http://r11.o.lencr.org/
unknown
whitelisted
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
POST
200
142.250.186.35:80
http://o.pki.goog/s/wr3/jLM
unknown
whitelisted
POST
200
142.250.186.35:80
http://o.pki.goog/wr2
unknown
whitelisted
POST
200
184.24.77.67:80
http://r10.o.lencr.org/
unknown
whitelisted
POST
200
184.24.77.67:80
http://r10.o.lencr.org/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
900
svchost.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
900
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
104.126.37.154:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
172.67.220.246:443
blackhatrussia.com
CLOUDFLARENET
US
malicious
34.107.221.82:80
detectportal.firefox.com
GOOGLE
US
whitelisted
34.117.188.166:443
contile.services.mozilla.com
GOOGLE-CLOUD-PLATFORM
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 23.32.185.131
whitelisted
google.com
  • 172.217.16.206
whitelisted
www.bing.com
  • 104.126.37.154
  • 104.126.37.155
  • 104.126.37.129
  • 104.126.37.145
  • 104.126.37.152
  • 104.126.37.168
  • 104.126.37.131
  • 104.126.37.153
  • 104.126.37.137
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
blackhatrussia.com
  • 172.67.220.246
  • 104.21.78.120
  • 2606:4700:3032::6815:4e78
  • 2606:4700:3030::ac43:dcf6
malicious
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
contile.services.mozilla.com
  • 34.117.188.166
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Potentially Bad Traffic
ET DNS Query for .to TLD
2192
svchost.exe
Potentially Bad Traffic
ET DNS Query for .to TLD
2192
svchost.exe
Potentially Bad Traffic
ET DNS Query for .to TLD
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://blackhatrussia.com