URL: https://bit.ly/4e5FTKk

Full analysis: https://app.any.run/tasks/f107a8d7-d67c-482a-81ca-daed99720fed
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is open-source malware, with its code available on GitHub and regularly receiving updates. The Blank Grabber builder's simple interface lets threat actors, even those with basic skills, deploy it and conduct attacks.

Analysis date: September 05, 2024, 16:01:59
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
blankgrabber
uac
stealer
pyinstaller
discordgrabber
generic
growtopia
susp-powershell
umbralstealer
evasion
discord
upx
Indicators:
MD5:

22764EB5A4A0836A213C0C55F1B27C5C

SHA1:

D9191B94ED42F0C2D71F6040A3C1264EBDF1EAC3

SHA256:

6B3C92A7CC62B64C80453482C685855FEC4C9931958AD3CDCC746738681FFE38

SSDEEP:

3:N8kVGOn:2UZn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • BlankGrabber has been detected

      • Xkone v4.exe (PID: 6928)
      • Xkone v4.exe (PID: 5880)
    • Bypass User Account Control (ComputerDefaults)

      • ComputerDefaults.exe (PID: 6836)
    • Bypass User Account Control (Modify registry)

      • reg.exe (PID: 5532)
    • Adds path to the Windows Defender exclusion list

      • Xkone v4.exe (PID: 7984)
      • cmd.exe (PID: 6952)
      • cmd.exe (PID: 7836)
    • Windows Defender preferences modified via 'Set-MpPreference'

      • cmd.exe (PID: 7140)
    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 7140)
      • MpCmdRun.exe (PID: 7924)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 6720)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2252)
    • Actions looks like stealing of personal data

      • Xkone v4.exe (PID: 7984)
    • DISCORDGRABBER has been detected (YARA)

      • Xkone v4.exe (PID: 7984)
    • GROWTOPIA has been detected (YARA)

      • Xkone v4.exe (PID: 7984)
    • UMBRALSTEALER has been detected (YARA)

      • Xkone v4.exe (PID: 7984)
    • Stealers network behavior

      • Xkone v4.exe (PID: 7984)
    • BLANKGRABBER has been detected (SURICATA)

      • Xkone v4.exe (PID: 7984)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 7636)
      • Xkone v4.exe (PID: 6928)
      • Xkone v4.exe (PID: 5880)
    • Executable content was dropped or overwritten

      • Xkone v4.exe (PID: 6928)
      • Xkone v4.exe (PID: 5880)
      • Xkone v4.exe (PID: 7984)
      • csc.exe (PID: 6492)
    • Process drops python dynamic module

      • Xkone v4.exe (PID: 6928)
      • Xkone v4.exe (PID: 5880)
    • Application launched itself

      • Xkone v4.exe (PID: 6928)
      • Xkone v4.exe (PID: 5880)
    • Starts CMD.EXE for commands execution

      • Xkone v4.exe (PID: 7100)
      • Xkone v4.exe (PID: 7984)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1148)
      • cmd.exe (PID: 5096)
      • cmd.exe (PID: 2148)
    • The process drops C-runtime libraries

      • Xkone v4.exe (PID: 6928)
      • Xkone v4.exe (PID: 5880)
    • Uses WEVTUTIL.EXE to query events from a log or log file

      • cmd.exe (PID: 4444)
      • cmd.exe (PID: 6472)
    • Changes default file association

      • reg.exe (PID: 5532)
    • Found strings related to reading or modifying Windows Defender settings

      • Xkone v4.exe (PID: 7100)
      • Xkone v4.exe (PID: 7984)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7140)
      • cmd.exe (PID: 6952)
      • cmd.exe (PID: 7836)
      • cmd.exe (PID: 7160)
      • cmd.exe (PID: 6720)
      • cmd.exe (PID: 6764)
      • cmd.exe (PID: 6452)
      • cmd.exe (PID: 4404)
      • cmd.exe (PID: 6776)
    • Detected use of alternative data streams (AltDS)

      • powershell.exe (PID: 7752)
    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 7140)
    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 7140)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 6952)
      • cmd.exe (PID: 7836)
    • Get information on the list of running processes

      • Xkone v4.exe (PID: 7984)
      • cmd.exe (PID: 6956)
      • cmd.exe (PID: 7008)
      • cmd.exe (PID: 2228)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 6192)
      • cmd.exe (PID: 6312)
    • Starts application with an unusual extension

      • cmd.exe (PID: 2368)
      • cmd.exe (PID: 6764)
      • cmd.exe (PID: 304)
      • cmd.exe (PID: 4824)
      • cmd.exe (PID: 7004)
      • cmd.exe (PID: 8132)
    • Base64-obfuscated command line is found

      • cmd.exe (PID: 6720)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 6720)
    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 6720)
    • The executable file from the user directory is run by the CMD process

      • bound.exe (PID: 7440)
      • rar.exe (PID: 1140)
    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 3268)
    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 4316)
    • Accesses antivirus product name via WMI (SCRIPT)

      • WMIC.exe (PID: 7484)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 608)
      • cmd.exe (PID: 7116)
      • cmd.exe (PID: 6304)
      • cmd.exe (PID: 7068)
      • cmd.exe (PID: 7836)
      • cmd.exe (PID: 7856)
    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 2648)
    • Checks for external IP

      • svchost.exe (PID: 2256)
      • Xkone v4.exe (PID: 7984)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 7348)
    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 3708)
    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 936)
    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 7140)
    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 7976)
  • INFO

    • Application launched itself

      • msedge.exe (PID: 7136)
      • msedge.exe (PID: 7964)
    • Reads Environment values

      • identity_helper.exe (PID: 6980)
      • identity_helper.exe (PID: 1780)
    • Checks supported languages

      • identity_helper.exe (PID: 6980)
      • identity_helper.exe (PID: 1780)
      • Xkone v4.exe (PID: 7100)
      • Xkone v4.exe (PID: 6928)
      • Xkone v4.exe (PID: 5880)
      • Xkone v4.exe (PID: 7984)
      • tree.com (PID: 7192)
      • tree.com (PID: 6928)
      • tree.com (PID: 6932)
      • tree.com (PID: 4688)
      • tree.com (PID: 7980)
      • tree.com (PID: 1608)
      • MpCmdRun.exe (PID: 7924)
      • csc.exe (PID: 6492)
      • rar.exe (PID: 1140)
      • cvtres.exe (PID: 5000)
    • Reads the computer name

      • identity_helper.exe (PID: 1780)
      • identity_helper.exe (PID: 6980)
      • Xkone v4.exe (PID: 6928)
      • Xkone v4.exe (PID: 5880)
      • Xkone v4.exe (PID: 7984)
      • MpCmdRun.exe (PID: 7924)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 7636)
      • msedge.exe (PID: 7524)
      • cmd.exe (PID: 232)
    • Manual execution by a user

      • WinRAR.exe (PID: 7636)
      • Xkone v4.exe (PID: 6928)
      • notepad.exe (PID: 6108)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7636)
    • Create files in a temporary directory

      • Xkone v4.exe (PID: 7100)
      • Xkone v4.exe (PID: 6928)
      • Xkone v4.exe (PID: 5880)
      • Xkone v4.exe (PID: 7984)
      • MpCmdRun.exe (PID: 7924)
      • csc.exe (PID: 6492)
      • rar.exe (PID: 1140)
      • cvtres.exe (PID: 5000)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 6108)
      • ComputerDefaults.exe (PID: 6836)
      • WMIC.exe (PID: 7484)
      • WMIC.exe (PID: 8136)
      • WMIC.exe (PID: 7348)
      • WMIC.exe (PID: 936)
      • WMIC.exe (PID: 7976)
    • The Powershell gets current clipboard

      • powershell.exe (PID: 6548)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7748)
      • powershell.exe (PID: 7840)
      • powershell.exe (PID: 7752)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7748)
      • powershell.exe (PID: 7840)
      • powershell.exe (PID: 7752)
      • powershell.exe (PID: 3036)
      • powershell.exe (PID: 7880)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 6492)
      • rar.exe (PID: 1140)
    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 6428)
    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • Xkone v4.exe (PID: 7984)
    • PyInstaller has been detected (YARA)

      • Xkone v4.exe (PID: 5880)
      • Xkone v4.exe (PID: 7984)
    • UPX packer has been detected

      • Xkone v4.exe (PID: 7984)
    • Attempting to use instant messaging service

      • svchost.exe (PID: 2256)
      • Xkone v4.exe (PID: 7984)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
323
Monitored processes
189
Malicious processes
7
Suspicious processes
5

Behavior graph

start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe notepad.exe no specs #BLANKGRABBER xkone v4.exe xkone v4.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs computerdefaults.exe no specs computerdefaults.exe no specs computerdefaults.exe #BLANKGRABBER xkone v4.exe cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs #GROWTOPIA xkone v4.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs bound.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no 
specs conhost.exe no specs powershell.exe no specs tasklist.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs wmic.exe no specs conhost.exe no specs tree.com no specs powershell.exe no specs systeminfo.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs msedge.exe no specs msedge.exe no specs tree.com no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs tiworker.exe no specs csc.exe mpcmdrun.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs cvtres.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs getmac.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs rar.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 232
CMD: C:\WINDOWS\system32\cmd.exe /c "computerdefaults --nouacbypass"
Path: C:\Windows\System32\cmd.exe
Parent process: Xkone v4.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 304
CMD: C:\WINDOWS\system32\cmd.exe /c "tree /A /F"
Path: C:\Windows\System32\cmd.exe
Parent process: Xkone v4.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 508
CMD: wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text
Path: C:\Windows\System32\wevtutil.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Eventing Command Line Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wevtutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\combase.dll
PID: 568
CMD: tasklist /FO LIST
Path: C:\Windows\System32\tasklist.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 608
CMD: C:\WINDOWS\system32\cmd.exe /c "taskkill /F /PID 8188"
Path: C:\Windows\System32\cmd.exe
Parent process: Xkone v4.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 936
CMD: wmic path win32_VideoController get name
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 1076
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5868 --field-trial-handle=2304,i,12871211788356512534,664916412254013952,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1128
CMD: taskkill /F /PID 6576
Path: C:\Windows\System32\taskkill.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1140
CMD: C:\Users\admin\AppData\Local\Temp\_MEI58802\rar.exe a -r -hp"123" "C:\Users\admin\AppData\Local\Temp\lmkOF.zip" *
Path: C:\Users\admin\AppData\Local\Temp\_MEI58802\rar.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\_mei58802\rar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1148
CMD: C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\admin\Downloads\Xkone v4\Xkone v4\Xkone v4.exe" /f"
Path: C:\Windows\System32\cmd.exe
Parent process: Xkone v4.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
Total events
67 892
Read events
67 808
Write events
80
Delete events
4

Modification events

Process: (7136) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0

Process: (7136) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 2

Process: (7136) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 1

Process: (7136) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

Process: (7136) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: BCCCF5B1F77F2F00

Process: (7136) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: 5D2500B2F77F2F00

Process: (7136) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\459388
Operation: write
Name: WindowTabManagerFileMappingId
Value: {154018A3-AF06-4F0A-84D1-B4A2E767D617}

Process: (7136) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\459388
Operation: write
Name: WindowTabManagerFileMappingId
Value: {C3CC2B91-FEA2-41CA-8761-B4000412AFED}

Process: (7136) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\459388
Operation: write
Name: WindowTabManagerFileMappingId
Value: {7783725C-2EE3-4799-BDF2-C313E1D6E013}

Process: (7136) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: A1FE35B2F77F2F00
Executable files
118
Suspicious files
128
Text files
181
Unknown types
4

Dropped files

PID
Process
Filename
Type
PID: 7136
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF129f74.TMP
MD5:
SHA256:

PID: 7136
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:

PID: 7136
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF129f55.TMP
MD5:
SHA256:

PID: 7136
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:

PID: 7136
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF129fa3.TMP
MD5:
SHA256:

PID: 7136
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:

PID: 7136
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF129fa3.TMP
MD5:
SHA256:

PID: 7136
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF129fc2.TMP
MD5:
SHA256:

PID: 7136
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:

PID: 7136
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
HTTP(S) requests
5
TCP/UDP connections
83
DNS requests
66
Threats
24

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6056
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7700
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7700
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
3296
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7984
Xkone v4.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/?fields=225545
unknown
shared

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6056
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1828
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5712
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7136
msedge.exe
239.255.255.250:1900
whitelisted
5712
msedge.exe
67.199.248.10:443
bit.ly
GOOGLE-CLOUD-PLATFORM
US
shared
5712
msedge.exe
13.107.21.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5712
msedge.exe
13.107.6.158:443
business.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5712
msedge.exe
13.107.246.60:443
edge-mobile-static.azureedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.78
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
bit.ly
  • 67.199.248.10
  • 67.199.248.11
shared
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
api.edgeoffer.microsoft.com
  • 52.153.155.231
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.60
whitelisted
mega.nz
  • 31.216.145.5
  • 31.216.144.5
whitelisted
bzib.nelreports.net
  • 2.19.126.145
  • 2.19.126.152
whitelisted

Threats

PID
Process
Class
Message
5712
msedge.exe
Misc activity
ET INFO File Sharing Domain Observed in TLS SNI (mega .nz)
5712
msedge.exe
Misc activity
ET INFO File Sharing Related Domain in DNS Lookup (mega .nz)
5712
msedge.exe
Misc activity
ET INFO File Sharing Related Domain in DNS Lookup (mega .nz)
5712
msedge.exe
Misc activity
ET INFO Observed DNS Query to Filesharing Service (mega .co .nz)
5712
msedge.exe
Misc activity
ET INFO Observed DNS Query to Filesharing Service (mega .co .nz)
5712
msedge.exe
Misc activity
ET INFO File Sharing Domain Observed in TLS SNI (mega .nz)
5712
msedge.exe
Misc activity
ET INFO File Sharing Related Domain in DNS Lookup (mega .nz)
5712
msedge.exe
Misc activity
ET INFO File Sharing Related Domain in DNS Lookup (mega .nz)
5712
msedge.exe
Misc activity
ET INFO File Sharing Domain Observed in TLS SNI (mega .nz)
5712
msedge.exe
Misc activity
ET INFO File Sharing Domain Observed in TLS SNI (mega .nz)
No debug info