URL:

https://www.upload.ee/files/16945889/hMinerPTS.zip.html

Full analysis: https://app.any.run/tasks/426a8464-c202-41f9-9509-4a6450d949c2
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks.

Malware Trends Tracker     >>>
Analysis date: May 17, 2025, 23:50:30
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
arch-doc
blankgrabber
telegram
stealer
evasion
susp-powershell
Indicators:
MD5:

8545A8738C43292ABA070E11B8A97F8F

SHA1:

313B549D8463C1BAD4B9D859CEDB1FB3692D9039

SHA256:

E09A7647B1787BB6B0B846396A165C4E56EC2A70656A3A266BB0E861540ED8AA

SSDEEP:

3:N8DSLr7MJmUEItGscLQn:2OLr04I8LQn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • crack.exe (PID: 8384)
      • crack.exe (PID: 1132)
      • crack.exe (PID: 8692)
      • crack.exe (PID: 9044)

    • Create files in the Startup directory

      • Payload.exe (PID: 8524)

    • BlankGrabber has been detected

      • crack.exe (PID: 8384)

    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 7612)

    • Adds path to the Windows Defender exclusion list

      • crack.exe (PID: 9044)
      • cmd.exe (PID: 3008)
      • cmd.exe (PID: 1812)

    • Changes Windows Defender settings

      • cmd.exe (PID: 3008)
      • cmd.exe (PID: 7612)
      • cmd.exe (PID: 1812)

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 7244)

    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 7244)

    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 7244)

    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 7244)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 7244)

    • Changes settings for real-time protection

      • powershell.exe (PID: 7244)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 7244)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 6816)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 8300)

    • Resets Windows Defender malware definitions to the base version

      • MpCmdRun.exe (PID: 1452)

    • BLANKGRABBER has been detected (SURICATA)

      • crack.exe (PID: 9044)

    • Starts Visual C# compiler

      • file.exe (PID: 2240)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • hMinerPTS.sfx.exe (PID: 3896)
      • crack.exe (PID: 8220)
      • crack.exe (PID: 1132)

    • Reads Microsoft Outlook installation path

      • hMinerPTS.sfx.exe (PID: 3896)

    • Reads Internet Explorer settings

      • hMinerPTS.sfx.exe (PID: 3896)

    • Executable content was dropped or overwritten

      • hMinerPTS.sfx.exe (PID: 3896)
      • crack.exe (PID: 8220)
      • crack.exe (PID: 8384)
      • Payload.exe (PID: 8524)
      • crack.exe (PID: 8692)
      • crack.exe (PID: 9044)
      • csc.exe (PID: 6852)
      • hMinerPTS.exe (PID: 8648)
      • vbc.exe (PID: 7380)

    • Base64-obfuscated command line is found

      • crack.exe (PID: 8220)
      • cmd.exe (PID: 6816)

    • Starts POWERSHELL.EXE for commands execution

      • crack.exe (PID: 8220)
      • cmd.exe (PID: 3008)
      • cmd.exe (PID: 7612)
      • cmd.exe (PID: 1812)
      • cmd.exe (PID: 7936)
      • cmd.exe (PID: 6816)
      • cmd.exe (PID: 300)
      • cmd.exe (PID: 7252)
      • cmd.exe (PID: 4844)
      • cmd.exe (PID: 6148)

    • BASE64 encoded PowerShell command has been detected

      • crack.exe (PID: 8220)
      • cmd.exe (PID: 6816)

    • Process drops legitimate windows executable

      • crack.exe (PID: 8220)
      • crack.exe (PID: 8384)
      • crack.exe (PID: 8692)
      • crack.exe (PID: 9044)

    • Starts a Microsoft application from unusual location

      • crack.exe (PID: 8384)
      • crack.exe (PID: 1132)
      • crack.exe (PID: 8692)
      • crack.exe (PID: 9044)

    • Process drops python dynamic module

      • crack.exe (PID: 8384)
      • crack.exe (PID: 8692)

    • Application launched itself

      • crack.exe (PID: 8384)
      • crack.exe (PID: 1132)
      • crack.exe (PID: 8692)

    • Reads the date of Windows installation

      • crack.exe (PID: 1132)

    • The process drops C-runtime libraries

      • crack.exe (PID: 8692)
      • crack.exe (PID: 8384)

    • Found strings related to reading or modifying Windows Defender settings

      • crack.exe (PID: 9044)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 3008)
      • cmd.exe (PID: 1812)

    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 7612)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 7612)

    • Get information on the list of running processes

      • crack.exe (PID: 9044)
      • cmd.exe (PID: 7780)
      • cmd.exe (PID: 8088)
      • cmd.exe (PID: 7332)

    • Starts CMD.EXE for commands execution

      • crack.exe (PID: 9044)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 1184)
      • cmd.exe (PID: 7468)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 8828)

    • Starts application with an unusual extension

      • cmd.exe (PID: 8508)
      • cmd.exe (PID: 7392)
      • cmd.exe (PID: 7348)
      • cmd.exe (PID: 8068)
      • cmd.exe (PID: 5868)
      • cmd.exe (PID: 6108)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 6816)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 8932)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 6852)

    • The executable file from the user directory is run by the CMD process

      • rar.exe (PID: 8884)

    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 7260)

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • crack.exe (PID: 9044)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 4112)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 5776)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • crack.exe (PID: 9044)

    • The process executes VB scripts

      • hMinerPTS.exe (PID: 8532)

  • INFO

    • Application launched itself

      • firefox.exe (PID: 660)
      • firefox.exe (PID: 6668)

    • Manual execution by a user

      • WinRAR.exe (PID: 1328)
      • hMinerPTS.sfx.exe (PID: 3896)
      • hMinerPTS.exe (PID: 8648)
      • file.exe (PID: 2240)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1328)

    • Checks supported languages

      • hMinerPTS.sfx.exe (PID: 3896)
      • crack.exe (PID: 8220)
      • Payload.exe (PID: 8524)
      • crack.exe (PID: 8384)
      • crack.exe (PID: 1132)

    • Reads the computer name

      • hMinerPTS.sfx.exe (PID: 3896)
      • crack.exe (PID: 8220)
      • Payload.exe (PID: 8524)
      • crack.exe (PID: 8384)
      • crack.exe (PID: 1132)

    • Checks proxy server information

      • hMinerPTS.sfx.exe (PID: 3896)

    • Process checks computer location settings

      • hMinerPTS.sfx.exe (PID: 3896)
      • crack.exe (PID: 8220)
      • crack.exe (PID: 1132)

    • Create files in a temporary directory

      • crack.exe (PID: 8220)
      • crack.exe (PID: 8384)
      • crack.exe (PID: 1132)

    • The sample compiled with english language support

      • crack.exe (PID: 8220)
      • crack.exe (PID: 8384)
      • crack.exe (PID: 8692)
      • crack.exe (PID: 9044)

    • Creates files or folders in the user directory

      • Payload.exe (PID: 8524)

    • Reads the machine GUID from the registry

      • Payload.exe (PID: 8524)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 7252)

    • Checks the directory tree

      • tree.com (PID: 8304)
      • tree.com (PID: 8884)
      • tree.com (PID: 2136)
      • tree.com (PID: 8904)
      • tree.com (PID: 924)
      • tree.com (PID: 7436)

    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • powershell.exe (PID: 8584)

    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 9048)

    • Attempting to use instant messaging service

      • svchost.exe (PID: 2196)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
262
Monitored processes
127
Malicious processes
10
Suspicious processes
3

Behavior graph

Click at the process to see the details
start firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs sppextcomobj.exe no specs slui.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs winrar.exe hminerpts.sfx.exe crack.exe powershell.exe no specs conhost.exe no specs payload.exe #BLANKGRABBER crack.exe crack.exe no specs crack.exe #BLANKGRABBER crack.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs tasklist.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs tasklist.exe no specs netsh.exe no specs tree.com no specs powershell.exe no specs systeminfo.exe no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs tiworker.exe no specs cmd.exe no specs conhost.exe no specs tree.com no specs csc.exe cvtres.exe no specs mpcmdrun.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs getmac.exe no specs hminerpts.exe btcstealer.exe no specs hminerpts.exe no specs slui.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs rar.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs vbc.exe conhost.exe no specs cvtres.exe no specs file.exe no specs csc.exe no specs conhost.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
300C:\WINDOWS\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"C:\Windows\System32\cmd.execrack.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
660"C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.upload.ee/files/16945889/hMinerPTS.zip.html"C:\Program Files\Mozilla Firefox\firefox.exeexplorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
680"C:\Users\admin\AppData\Local\Temp\BtcStealer.exe" C:\Users\admin\AppData\Local\Temp\BtcStealer.exehMinerPTS.exe
User:
admin
Integrity Level:
MEDIUM
Description:
WindowsFormsApp2
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\btcstealer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
920powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITYC:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
924tree /A /FC:\Windows\System32\tree.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Tree Walk Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tree.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
960"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5792 -childID 12 -isForBrowser -prefsHandle 5860 -prefMapHandle 6140 -prefsLen 31324 -prefMapSize 244583 -jsInitHandle 1200 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04a48f60-a94f-48ab-9f81-1cecc6fb29a6} 6668 "\\.\pipe\gecko-crash-server-pipe.6668" 12c7664f850 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140_1.dll
1132"C:\Users\admin\AppData\Local\Temp\crack.exe" C:\Users\admin\AppData\Local\Temp\crack.execrack.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MDMAgent
Exit code:
0
Version:
10.0.22621.2506 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\crack.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
1184C:\WINDOWS\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"C:\Windows\System32\cmd.execrack.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1188powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITYC:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
1324"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2544 -childID 13 -isForBrowser -prefsHandle 764 -prefMapHandle 4040 -prefsLen 31324 -prefMapSize 244583 -jsInitHandle 1200 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d63c2ae-9af1-489f-a0c6-d706d418af94} 6668 "\\.\pipe\gecko-crash-server-pipe.6668" 12c73113150 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\msvcp140.dll
Total events
84 404
Read events
84 303
Write events
97
Delete events
4

Modification events

(PID) Process:(6668) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe
Value:
0
(PID) Process:(1328) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(1328) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(1328) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(1328) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Downloads\hMinerPTS.zip
(PID) Process:(1328) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(1328) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(1328) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(1328) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(1328) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files
125
Suspicious files
257
Text files
72
Unknown types
0

Dropped files

PID
Process
Filename
Type
6668firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin
MD5:
SHA256:
6668firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmpbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
6668firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.binbinary
MD5:297E88D7CEB26E549254EC875649F4EB
SHA256:8B75D4FB1845BAA06122888D11F6B65E6A36B140C54A72CC13DF390FD7C95702
6668firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.jstext
MD5:2C99A16AED3906D92FFE3EF1808E2753
SHA256:08412578CC3BB4922388F8FF8C23962F616B69A1588DA720ADE429129C73C452
6668firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6668firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
MD5:
SHA256:
6668firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs.jstext
MD5:2C99A16AED3906D92FFE3EF1808E2753
SHA256:08412578CC3BB4922388F8FF8C23962F616B69A1588DA720ADE429129C73C452
6668firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6668firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-child-current.binbinary
MD5:C95DDC2B1A525D1A243E4C294DA2F326
SHA256:3A5919E086BFB31E36110CF636D2D5109EB51F2C410B107F126126AB25D67363
6668firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.jsonbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
73
TCP/UDP connections
191
DNS requests
234
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6668
firefox.exe
POST
200
142.250.184.195:80
http://o.pki.goog/we2
unknown
whitelisted
6668
firefox.exe
POST
200
142.250.184.195:80
http://o.pki.goog/we2
unknown
whitelisted
6668
firefox.exe
POST
200
184.24.77.54:80
http://r11.o.lencr.org/
unknown
whitelisted
6668
firefox.exe
POST
200
142.250.184.195:80
http://o.pki.goog/we2
unknown
whitelisted
6668
firefox.exe
POST
200
142.250.184.195:80
http://o.pki.goog/wr2
unknown
whitelisted
6668
firefox.exe
POST
200
142.250.184.195:80
http://o.pki.goog/wr2
unknown
whitelisted
6668
firefox.exe
POST
200
2.17.190.73:80
http://status.rapidssl.com/
unknown
whitelisted
POST
200
142.250.184.195:80
http://o.pki.goog/s/we1/kRQ
unknown
whitelisted
6668
firefox.exe
POST
200
142.250.184.195:80
http://o.pki.goog/wr2
unknown
whitelisted
2104
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4244
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5496
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6668
firefox.exe
34.36.137.203:443
contile.services.mozilla.com
whitelisted
6668
firefox.exe
57.129.39.102:443
www.upload.ee
FR
whitelisted
6668
firefox.exe
34.107.221.82:80
detectportal.firefox.com
GOOGLE
US
whitelisted
6668
firefox.exe
34.160.144.191:443
content-signature-2.cdn.mozilla.net
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 72.246.169.155
whitelisted
www.upload.ee
  • 57.129.39.102
  • 2001:41d0:709:6600::
shared
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
contile.services.mozilla.com
  • 34.36.137.203
whitelisted
spocs.getpocket.com
  • 34.36.137.203
whitelisted
example.org
  • 96.7.128.192
  • 23.215.0.133
  • 96.7.128.186
  • 23.215.0.132
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2196
svchost.exe
Misc activity
SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2196
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
9044
crack.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
9044
crack.exe
A Network Trojan was detected
STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
9044
crack.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.upload.ee/files/16945889/hMinerPTS.zip.html