File name: loader.exe
Full analysis: https://app.any.run/tasks/c109be22-a2a3-43ae-812d-e3f25397e2d1
Verdict: Malicious activity
Threats: Blank Grabber

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is open-source malware: its code is available on GitHub and receives regular updates. The Blank Grabber builder's simple interface lets even threat actors with basic skills deploy it and conduct attacks.

Analysis date: May 17, 2025, 18:45:51
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
trox
stealer
vobfus
worm
evasion
blankgrabber
auto-startup
screenshot
telegram
themida
susp-powershell
pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 6 sections
MD5: 7F0570CD5CB65A0B59DF291894BC12CA
SHA1: 3BC43BA820ACFDD99A52E7CF4DB56AAB6BDFF9C3
SHA256: E42963FB1222BE1F41D72741BAC21CC4E2196173712F8D21ED2B1E2AFDF9D4D8
SSDEEP: 98304:Pv/zJpL268mQnMTVXbH+YK2++3IN/fxO8OD2FnPqyKaPXizDjFKGH2TEwwUYunGA:jPLznIok2Y5tzAt+lUxJm2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Known privilege escalation attack

      • dllhost.exe (PID: 2852)
    • TROX has been detected

      • loader.exe (PID: 3268)
    • Executing a file with an untrusted certificate

      • Built.exe (PID: 4448)
      • Built.exe (PID: 4188)
    • BlankGrabber has been detected

      • Built.exe (PID: 4448)
      •  ‌‎ ​.scr (PID: 644)
    • VOBFUS mutex has been found

      • Built.exe (PID: 4188)
      •  ‌‎ ​.scr (PID: 7612)
    • Adds path to the Windows Defender exclusion list

      • Built.exe (PID: 4188)
      • cmd.exe (PID: 3008)
      • cmd.exe (PID: 4212)
    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 5964)
    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 6436)
    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 6436)
    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 6436)
    • Changes settings for real-time protection

      • powershell.exe (PID: 6436)
    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 6436)
    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 6436)
    • Changes Windows Defender settings

      • cmd.exe (PID: 5964)
      • cmd.exe (PID: 3008)
      • cmd.exe (PID: 4212)
    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 6436)
    • Create files in the Startup directory

      • Built.exe (PID: 4188)
    • Steals credentials from Web Browsers

      • Built.exe (PID: 4188)
    • Actions looks like stealing of personal data

      • Built.exe (PID: 4188)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7848)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 7560)
    • Resets Windows Defender malware definitions to the base version

      • MpCmdRun.exe (PID: 8180)
    • BLANKGRABBER has been detected (SURICATA)

      • Built.exe (PID: 4188)
    • GROWTOPIA has been detected (YARA)

      • Built.exe (PID: 4188)
    • DISCORDGRABBER has been detected (YARA)

      • Built.exe (PID: 4188)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • loader.exe (PID: 5392)
      • loader.exe (PID: 4424)
      • dwm.exe (PID: 1276)
    • Reads the date of Windows installation

      • loader.exe (PID: 5392)
      • loader.exe (PID: 4424)
      • dwm.exe (PID: 1276)
    • Probably UAC bypass using CMSTP.exe (Connection Manager service profile)

      • loader.exe (PID: 5392)
    • Reads the BIOS version

      • loader.exe (PID: 3268)
    • Uses TASKKILL.EXE to kill process

      • mshta.exe (PID: 812)
    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 812)
    • Process drops legitimate windows executable

      • loader.exe (PID: 3268)
      • dwm.exe (PID: 1276)
      • Built.exe (PID: 4448)
      • Built.exe (PID: 4188)
      •  ‌‎ ​.scr (PID: 644)
    • Process drops python dynamic module

      • loader.exe (PID: 3268)
      • Built.exe (PID: 4448)
      •  ‌‎ ​.scr (PID: 644)
    • Executable content was dropped or overwritten

      • loader.exe (PID: 3268)
      • dwm.exe (PID: 1276)
      • Built.exe (PID: 4448)
      • Built.exe (PID: 4188)
      • loader.exe (PID: 4424)
      •  ‌‎ ​.scr (PID: 644)
      • csc.exe (PID: 7788)
    • Loads Python modules

      • loader.exe (PID: 5332)
    • Starts a Microsoft application from unusual location

      • Built.exe (PID: 4448)
      • Built.exe (PID: 4188)
    • The process drops C-runtime libraries

      • loader.exe (PID: 3268)
      • Built.exe (PID: 4448)
      •  ‌‎ ​.scr (PID: 644)
    • Starts CMD.EXE for commands execution

      • loader.exe (PID: 5332)
      • Built.exe (PID: 4188)
    • Application launched itself

      • Built.exe (PID: 4448)
      •  ‌‎ ​.scr (PID: 644)
    • Found strings related to reading or modifying Windows Defender settings

      • Built.exe (PID: 4188)
    • Get information on the list of running processes

      • Built.exe (PID: 4188)
      • cmd.exe (PID: 2040)
      • cmd.exe (PID: 1184)
      • cmd.exe (PID: 5048)
      • cmd.exe (PID: 7284)
    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 5964)
    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 5964)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5964)
      • cmd.exe (PID: 3008)
      • cmd.exe (PID: 4212)
      • cmd.exe (PID: 7560)
      • cmd.exe (PID: 7248)
      • cmd.exe (PID: 7260)
      • cmd.exe (PID: 7324)
      • cmd.exe (PID: 2268)
      • cmd.exe (PID: 7312)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 4424)
      • cmd.exe (PID: 7224)
      • cmd.exe (PID: 7868)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 6372)
      • WMIC.exe (PID: 7388)
    • Checks for external IP

      • svchost.exe (PID: 2196)
      • Built.exe (PID: 4188)
    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 1628)
      • cmd.exe (PID: 3956)
      • cmd.exe (PID: 8180)
    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 6028)
      • WMIC.exe (PID: 5428)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 3008)
      • cmd.exe (PID: 4212)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 7560)
    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 7560)
    • Base64-obfuscated command line is found

      • cmd.exe (PID: 7560)
    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 7484)
    • Accesses antivirus product name via WMI (SCRIPT)

      • WMIC.exe (PID: 7640)
    • Starts application with an unusual extension

      • cmd.exe (PID: 7940)
      • cmd.exe (PID: 7320)
      • cmd.exe (PID: 7508)
      • cmd.exe (PID: 8136)
      • cmd.exe (PID: 8080)
      •  ‌‎ ​.scr (PID: 644)
      • cmd.exe (PID: 8024)
    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 7464)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 7788)
    • Captures screenshot (POWERSHELL)

      • powershell.exe (PID: 7848)
    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 7648)
    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 2656)
    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 7692)
    • The executable file from the user directory is run by the CMD process

      • rar.exe (PID: 8128)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Built.exe (PID: 4188)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • Built.exe (PID: 4188)
  • INFO

    • Reads the computer name

      • loader.exe (PID: 5392)
      • loader.exe (PID: 4424)
      • dwm.exe (PID: 1276)
      • loader.exe (PID: 5332)
      • Built.exe (PID: 4448)
      • Built.exe (PID: 4188)
      •  ‌‎ ​.scr (PID: 644)
      • MpCmdRun.exe (PID: 8180)
    • Reads the machine GUID from the registry

      • loader.exe (PID: 5392)
      • loader.exe (PID: 4424)
      • dwm.exe (PID: 1276)
      • Built.exe (PID: 4188)
      •  ‌‎ ​.scr (PID: 7612)
      • csc.exe (PID: 7788)
      • rar.exe (PID: 8128)
    • Process checks computer location settings

      • loader.exe (PID: 5392)
      • loader.exe (PID: 4424)
      • dwm.exe (PID: 1276)
    • Checks supported languages

      • loader.exe (PID: 5392)
      • loader.exe (PID: 4424)
      • loader.exe (PID: 3268)
      • loader.exe (PID: 5332)
      • Built.exe (PID: 4448)
      • Built.exe (PID: 4188)
      • dwm.exe (PID: 1276)
      • tree.com (PID: 7768)
      • tree.com (PID: 6516)
      •  ‌‎ ​.scr (PID: 644)
      • tree.com (PID: 7788)
      • tree.com (PID: 8072)
      • tree.com (PID: 7468)
      •  ‌‎ ​.scr (PID: 7612)
      • csc.exe (PID: 7788)
      • tree.com (PID: 7440)
      • cvtres.exe (PID: 7728)
      • MpCmdRun.exe (PID: 8180)
      • rar.exe (PID: 8128)
    • Disables trace logs

      • cmstp.exe (PID: 5204)
    • Checks transactions between databases Windows and Oracle

      • cmstp.exe (PID: 5204)
    • Create files in a temporary directory

      • loader.exe (PID: 4424)
      • loader.exe (PID: 3268)
      • dwm.exe (PID: 1276)
      • Built.exe (PID: 4188)
      • Built.exe (PID: 4448)
      •  ‌‎ ​.scr (PID: 644)
      •  ‌‎ ​.scr (PID: 7612)
      • csc.exe (PID: 7788)
      • cvtres.exe (PID: 7728)
      • MpCmdRun.exe (PID: 8180)
      • rar.exe (PID: 8128)
    • Process checks whether UAC notifications are on

      • loader.exe (PID: 3268)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 812)
    • Creates files in the program directory

      • dllhost.exe (PID: 2852)
      • Built.exe (PID: 4188)
    • The sample compiled with english language support

      • loader.exe (PID: 3268)
      • dwm.exe (PID: 1276)
      • Built.exe (PID: 4448)
      • Built.exe (PID: 4188)
      •  ‌‎ ​.scr (PID: 644)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6372)
      • WMIC.exe (PID: 6028)
      • WMIC.exe (PID: 5428)
      • WMIC.exe (PID: 7640)
      • WMIC.exe (PID: 2656)
      • WMIC.exe (PID: 5576)
      • WMIC.exe (PID: 7388)
    • Auto-launch of the file from Startup directory

      • Built.exe (PID: 4188)
    • Checks the directory tree

      • tree.com (PID: 8072)
      • tree.com (PID: 7768)
      • tree.com (PID: 7788)
      • tree.com (PID: 6516)
      • tree.com (PID: 7468)
      • tree.com (PID: 7440)
    • The Powershell gets current clipboard

      • powershell.exe (PID: 7724)
    • Manual execution by a user

      •  ‌‎ ​.scr (PID: 644)
    • Themida protector has been detected

      • loader.exe (PID: 3268)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6768)
      • powershell.exe (PID: 4336)
      • powershell.exe (PID: 6436)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4336)
      • powershell.exe (PID: 6768)
      • powershell.exe (PID: 6436)
      • powershell.exe (PID: 6416)
      • powershell.exe (PID: 7800)
    • Attempting to use instant messaging service

      • Built.exe (PID: 4188)
      • svchost.exe (PID: 2196)
    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 7916)
    • PyInstaller has been detected (YARA)

      • Built.exe (PID: 4448)
    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • Built.exe (PID: 4188)

ims-api

(PID 4188) Built.exe
Telegram tokens (1): 7988457437:AAEb_TIWN7NuYIwbRK-TZQ6YU6jhqnYbxRg
Telegram info links for that token:
  Get info about bot:    https://api.telegram.org/bot7988457437:AAEb_TIWN7NuYIwbRK-TZQ6YU6jhqnYbxRg/getMe
  Get incoming updates:  https://api.telegram.org/bot7988457437:AAEb_TIWN7NuYIwbRK-TZQ6YU6jhqnYbxRg/getUpdates
  Get webhook:           https://api.telegram.org/bot7988457437:AAEb_TIWN7NuYIwbRK-TZQ6YU6jhqnYbxRg/getWebhookInfo
  Delete webhook:        https://api.telegram.org/bot7988457437:AAEb_TIWN7NuYIwbRK-TZQ6YU6jhqnYbxRg/deleteWebhook
  Drop incoming updates: https://api.telegram.org/bot7988457437:AAEb_TIWN7NuYIwbRK-TZQ6YU6jhqnYbxRg/deleteWebhook?drop_pending_updates=true
No malware configuration extracted.
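The five Bot API links above are derived from one token by a fixed pattern. As an added example (not ANY.RUN's or the malware's code), the following pulls Telegram bot tokens out of a strings dump or captured URL, rebuilds those links in the order the report lists them, and redacts the token for write-ups. The input lines are constructed around the token shown above; the field-shape assumptions (numeric bot id, 35-character secret) are stated in the comments.

```python
import re
from urllib.parse import urlsplit

# Added example, not ANY.RUN or Blank Grabber code. Assumption: a Telegram bot
# token is "<8-10 digit bot id>:<35 chars of [A-Za-z0-9_-]>". The lookarounds stop
# a match from starting inside "bot7988..." in a Bot API URL or overrunning the secret.
TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
BOT_API = "https://api.telegram.org/bot{token}/{method}"

# Same triage links the report prints, in the same order.
TRIAGE_METHODS = [
    ("Get info about bot", "getMe"),
    ("Get incoming updates", "getUpdates"),
    ("Get webhook", "getWebhookInfo"),
    ("Delete webhook", "deleteWebhook"),
    ("Drop incoming updates", "deleteWebhook?drop_pending_updates=true"),
]

# Constructed strings-dump lines: one real Bot API URL using the report's token,
# plus three look-alikes that must not match.
SAMPLE_STRINGS = "\n".join([
    "https://api.telegram.org/bot7988457437:AAEb_TIWN7NuYIwbRK-TZQ6YU6jhqnYbxRg/sendDocument",
    "chat_id=-1001234567890",                  # numeric chat id, no secret part
    "1234:short",                              # wrong shape
    "https://discord.com/api/webhooks/1/xyz",  # Discord webhook, different format
])


def extract_tokens(text: str) -> list[str]:
    """Unique bot tokens in first-seen order."""
    found: list[str] = []
    for m in TOKEN_RE.finditer(text):
        if m.group(1) not in found:
            found.append(m.group(1))
    return found


def parse_bot_api_url(url: str):
    """(token, method) for an api.telegram.org Bot API URL, else None."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = re.match(r"/bot([^/]+)/([A-Za-z]+)", parts.path)
    if not m or not TOKEN_RE.fullmatch(m.group(1)):
        return None
    return m.group(1), m.group(2)


def triage_links(token: str) -> dict[str, str]:
    """Rebuild the report's five links for one token."""
    return {label: BOT_API.format(token=token, method=method)
            for label, method in TRIAGE_METHODS}


def redact(token: str) -> str:
    """Keep the bot id (enough to correlate samples) and hide the secret."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


if __name__ == "__main__":
    for tok in extract_tokens(SAMPLE_STRINGS):
        print("token:", redact(tok))
        for label, link in triage_links(tok).items():
            print(f"  {label}: {link.replace(tok, redact(tok))}")
```

Of the five links, only getMe and getWebhookInfo are read-only. getUpdates reads the bot's queue (and fails with a 409 conflict while a webhook is set), and the two deleteWebhook links change the bot's server-side configuration, the second dropping every pending update, so they interfere with the operator and with anyone else investigating the same token. Anything retrieved from the bot is victims' stolen data and has to be handled as such.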

TRiD

.dll | Win32 Dynamic Link Library (generic) (38.3)
.exe | Win32 Executable (generic) (26.2)
.exe | Win16/32 Executable Delphi generic (12)
.exe | Generic Win/DOS Executable (11.6)
.exe | DOS Executable Generic (11.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:17 13:58:03+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 14931968
InitializedDataSize: 27648
UninitializedDataSize: -
EntryPoint: 0xe4a00a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.0.0.0
InternalName: XBinderOutput.exe
LegalCopyright:
OriginalFileName: XBinderOutput.exe
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
Total processes: 244
Monitored processes: 121
Malicious processes: 12
Suspicious processes: 4

Behavior graph

Process launch order as shown in the graph (a #TAG marks the family detected on that process):

start loader.exe no specs cmstp.exe no specs CMSTPLUA loader.exe #TROX loader.exe conhost.exe no specs dwm.exe mshta.exe no specs taskkill.exe no specs conhost.exe no specs loader.exe no specs cmd.exe no specs #BLANKGRABBER built.exe #GROWTOPIA built.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs powershell.exe no specs powershell.exe no specs wmic.exe no specs svchost.exe cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs wmic.exe no specs tasklist.exe no specs powershell.exe no specs netsh.exe no specs tree.com no specs powershell.exe no specs cmd.exe no specs systeminfo.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs #BLANKGRABBER  ‌‎ ​.scr cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs #VOBFUS  ‌‎ ​.scr no specs csc.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs tiworker.exe no specs cvtres.exe no specs mpcmdrun.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs getmac.exe no specs cmd.exe no specs conhost.exe no specs rar.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs slui.exe

Process information

PID 644 | Parent: explorer.exe
  CMD:  "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌‎ ​.scr"
  Path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌‎ ​.scr
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: SQL Client Configuration Utility EXE | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Images:
    c:\programdata\microsoft\windows\start menu\programs\startup\ ‌‎ ​.scr
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\win32u.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\gdi32full.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll

PID 812 | Parent: dllhost.exe
  CMD:  mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""taskkill /IM cmstp.exe /F"", 0, true:close")
  Path: C:\Windows\System32\mshta.exe
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH
  Description: Microsoft (R) HTML Application host | Exit code: 0 | Version: 11.00.19041.1 (WinBuild.160101.0800)
  Images:
    c:\windows\system32\mshta.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\wldp.dll

PID 856 | Parent: cmd.exe
  CMD:  \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH
  Description: Console Window Host | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Images:
    c:\windows\system32\conhost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\shcore.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\rpcrt4.dll

PID 920 | Parent: cmd.exe
  CMD:  \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH
  Description: Console Window Host | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Images:
    c:\windows\system32\conhost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\shcore.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\rpcrt4.dll

PID 1088 | Parent: cmd.exe
  CMD:  \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH
  Description: Console Window Host | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Images:
    c:\windows\system32\conhost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\shcore.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\rpcrt4.dll

PID 1184 | Parent: Built.exe
  CMD:  C:\WINDOWS\system32\cmd.exe /c "tasklist /FO LIST"
  Path: C:\Windows\System32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH
  Description: Windows Command Processor | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Images:
    c:\windows\system32\cmd.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\bcrypt.dll

PID 1276 | Parent: loader.exe
  CMD:  "C:\Users\admin\AppData\Local\Temp\dwm.exe"
  Path: C:\Users\admin\AppData\Local\Temp\dwm.exe
  User: admin | Company: (none) | Integrity level: HIGH
  Description: (none) | Exit code: 0 | Version: 1.0.0.0
  Images:
    c:\users\admin\appdata\local\temp\dwm.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\mscoree.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll

PID 1628 | Parent: Built.exe
  CMD:  C:\WINDOWS\system32\cmd.exe /c "wmic path win32_VideoController get name"
  Path: C:\Windows\System32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH
  Description: Windows Command Processor | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Images:
    c:\windows\system32\cmd.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\bcrypt.dll

PID 2040 | Parent: Built.exe
  CMD:  C:\WINDOWS\system32\cmd.exe /c "tasklist /FO LIST"
  Path: C:\Windows\System32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH
  Description: Windows Command Processor | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Images:
    c:\windows\system32\cmd.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\bcrypt.dll

PID 2196 | Parent: services.exe
  CMD:  C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
  Path: C:\Windows\System32\svchost.exe
  User: NETWORK SERVICE | Company: Microsoft Corporation | Integrity level: SYSTEM
  Description: Host Process for Windows Services | Exit code: (still running) | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Images:
    c:\windows\system32\svchost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\kernel.appcore.dll
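Detection logic for three of the signals in this report, as an added example that is not ANY.RUN's or Blank Grabber's code: Windows Defender tampering through Set-MpPreference, Add-MpPreference and MpCmdRun; the CMSTPLUA elevation chain in which dllhost.exe spawns the mshta.exe one-liner (PID 812) that kills cmstp.exe; and the Startup-folder .scr (PID 644) whose file name is made only of invisible Unicode characters. The event records are constructed: the mshta.exe and .scr command lines are copied from the table above, while the PowerShell and MpCmdRun command lines, the parent-process fields, the CMSTPLUA CLSID and the event field names are assumptions the report does not print.

```python
import re
import unicodedata
from pathlib import PureWindowsPath

# Added example, not ANY.RUN or Blank Grabber code. Event field names (pid, image,
# parent_image, integrity, cmdline) are assumptions; map Sysmon event 1 or
# Security 4688 fields onto them for real telemetry.

# Documented CLSID of the CMSTPLUA COM elevation moniker. Assumption: the report
# names CMSTPLUA but does not show the dllhost.exe command line.
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"

# Cmdlets/flags behind the report's "Changes ... Windows Defender settings",
# "Adds path to the Windows Defender exclusion list" and "Resets Windows Defender
# malware definitions" signatures.
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\b.*-(?:DisableRealtimeMonitoring|DisableIOAVProtection|"
    r"DisableIntrusionPreventionSystem|DisableScriptScanning|MAPSReporting|"
    r"SubmitSamplesConsent|EnableControlledFolderAccess)"
    r"|Add-MpPreference\b.*-ExclusionPath"
    r"|MpCmdRun\S*\s+-RemoveDefinitions",
    re.IGNORECASE,
)
KILL_CMSTP = re.compile(r"taskkill\b.*\bcmstp\.exe", re.IGNORECASE)
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

# Constructed approximation of the report's blank-looking file name: ZWNJ, LRM, ZWSP.
HIDDEN_SCR = ("C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\"
              "\u200c\u200e\u200b.scr")

# Constructed process-creation events modelled on the report's process table.
EVENTS = [
    {"pid": 2852, "image": r"C:\Windows\System32\dllhost.exe", "parent_image": r"C:\Windows\System32\svchost.exe",
     "integrity": "HIGH", "cmdline": r"C:\Windows\System32\dllhost.exe /Processid:" + CMSTPLUA_CLSID},
    {"pid": 812, "image": r"C:\Windows\System32\mshta.exe", "parent_image": r"C:\Windows\System32\dllhost.exe",
     "integrity": "HIGH",
     "cmdline": 'mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""taskkill /IM cmstp.exe /F"", 0, true:close")'},
    {"pid": 6436, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "integrity": "HIGH",
     "cmdline": 'powershell -NoProfile -Command "Set-MpPreference -DisableRealtimeMonitoring $true '
                '-DisableIOAVProtection $true -DisableIntrusionPreventionSystem $true -DisableScriptScanning $true '
                '-MAPSReporting 0 -SubmitSamplesConsent 2 -EnableControlledFolderAccess Disabled"'},
    {"pid": 4212, "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Users\admin\AppData\Local\Temp\Built.exe",
     "integrity": "HIGH",
     "cmdline": r'C:\WINDOWS\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath C:\Users\admin\AppData\Local\Temp"'},
    {"pid": 8180, "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "integrity": "HIGH", "cmdline": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'},
    {"pid": 644, "image": HIDDEN_SCR, "parent_image": r"C:\Windows\explorer.exe",
     "integrity": "MEDIUM", "cmdline": f'"{HIDDEN_SCR}"'},
    {"pid": 1184, "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Users\admin\AppData\Local\Temp\Built.exe",
     "integrity": "HIGH", "cmdline": r'C:\WINDOWS\system32\cmd.exe /c "tasklist /FO LIST"'},  # no rule fires
]


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def invisible_filename(path: str) -> bool:
    """True when the stem is only format/space/control characters, i.e. it renders blank."""
    stem = PureWindowsPath(path).stem
    return bool(stem) and all(unicodedata.category(c) in {"Cf", "Zs", "Cc"} for c in stem)


def triage(events) -> list[tuple[int, str]]:
    """Return (pid, rule) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        img, parent, cmd = image_name(ev["image"]), image_name(ev["parent_image"]), ev["cmdline"]
        if DEFENDER_TAMPER.search(cmd):
            hits.append((ev["pid"], "defender_tampering"))
        if img == "mshta.exe" and parent == "dllhost.exe" and KILL_CMSTP.search(cmd):
            hits.append((ev["pid"], "cmstplua_chain_mshta_kills_cmstp"))
        if img == "dllhost.exe" and CMSTPLUA_CLSID.lower() in cmd.lower():
            hits.append((ev["pid"], "cmstplua_com_elevation"))
        if STARTUP_MARKER in ev["image"].lower() and invisible_filename(ev["image"]):
            hits.append((ev["pid"], "startup_invisible_filename"))
    return hits


if __name__ == "__main__":
    for pid, rule in triage(EVENTS):
        print(pid, rule)
```

The Startup rule is the one a manual review tends to miss: the entry exists in the folder listing but its name renders as blank, so checking the Unicode category of every character in the stem is more reliable than eyeballing it. The mshta rule keys on the parent being dllhost.exe at HIGH integrity together with the kill of cmstp.exe, which is the cleanup step of the CMSTPLUA elevation, rather than on mshta.exe alone.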
Total events: 65 385
Read events: 65 368
Write events: 17
Delete events: 0

Modification events

(PID 5204) cmstp.exe   write  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP\EnableFileTracing = 0
(PID 5204) cmstp.exe   write  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP\EnableAutoFileTracing = 0
(PID 5204) cmstp.exe   write  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP\EnableConsoleTracing = 0
(PID 5204) cmstp.exe   write  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP\FileTracingMask = (no value shown)
(PID 5204) cmstp.exe   write  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP\ConsoleTracingMask = (no value shown)
(PID 5204) cmstp.exe   write  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP\MaxFileSize = 1048576
(PID 5204) cmstp.exe   write  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP\FileDirectory = %windir%\tracing
(PID 5204) cmstp.exe   write  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Network Connections\DesktopShortcut = 0
(PID 2852) dllhost.exe write  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe\ProfileInstallPath = C:\ProgramData\Microsoft\Network\Connections\Cm
(PID 2852) dllhost.exe write  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SM_AccessoriesName = Accessories
Executable files: 92
Suspicious files: 32
Text files: 36
Unknown types: 0

Dropped files

PID 4424 loader.exe  C:\Users\admin\AppData\Local\Temp\loader.exe  (executable)
  MD5: D1833B094DB1E4C4C11123282365A44A
  SHA256: 341C5C573350DF8F79D7F2152BB239305B3DF4F87FE18F8EB2CF9DBBB7AEA375
PID 5392 loader.exe  C:\Windows\Temp\koe3os00.inf  (text)
  MD5: E593F6A13F6398F8845CCF8DAB061D95
  SHA256: 9F2D6D4891596A768E066598786BA77957F1BC104BA3AA27C219B0F2E1C4D5A6
PID 3268 loader.exe  C:\Users\admin\AppData\Local\Temp\onefile_3268_133919811712408409\loader.exe  (executable)
  MD5: AE323EB510B9EC30E6870C8FBB63BAF1
  SHA256: EDEA8540E67667AAF4FD6A964C026C76C9E8EF1934AC56295DDD8FFEDBD2A2F3
PID 3268 loader.exe  C:\Users\admin\AppData\Local\Temp\onefile_3268_133919811712408409\_ctypes.pyd  (executable)
  MD5: 6A9CA97C039D9BBB7ABF40B53C851198
  SHA256: E662D2B35BB48C5F3432BDE79C0D20313238AF800968BA0FAA6EA7E7E5EF4535
PID 4424 loader.exe  C:\Users\admin\AppData\Local\Temp\dwm.exe  (executable)
  MD5: B24F2421EAA8CA2B7FCA4B7C62F95D13
  SHA256: 6DA96E2E4BE588CC70ECC998BCCF6319716B1021D5D16A3AD0A78BD5B6280CA9
PID 3268 loader.exe  C:\Users\admin\AppData\Local\Temp\onefile_3268_133919811712408409\_socket.pyd  (executable)
  MD5: 8140BDC5803A4893509F0E39B67158CE
  SHA256: 39715EF8D043354F0AB15F62878530A38518FB6192BC48DA6A098498E8D35769
PID 3268 loader.exe  C:\Users\admin\AppData\Local\Temp\onefile_3268_133919811712408409\_elementtree.pyd  (executable)
  MD5: 63629A705BFFCA85CE6A4539BFBDD760
  SHA256: DF71D64818CFECD61AD0122BEA23B685D01BD241F1B06879A2999917818B0787
PID 3268 loader.exe  C:\Users\admin\AppData\Local\Temp\onefile_3268_133919811712408409\api-ms-win-core-datetime-l1-1-0.dll  (executable)
  MD5: C5E3E5DF803C9A6D906F3859355298E1
  SHA256: 956773A969A6213F4685C21702B9ED5BD984E063CF8188ACBB6D55B1D6CCBD4E
PID 3268 loader.exe  C:\Users\admin\AppData\Local\Temp\onefile_3268_133919811712408409\api-ms-win-core-console-l1-1-0.dll  (executable)
  MD5: 40BA4A99BF4911A3BCA41F5E3412291F
  SHA256: AF0E561BB3B2A13AA5CA9DFC9BC53C852BAD85075261AF6EF6825E19E71483A6
PID 3268 loader.exe  C:\Users\admin\AppData\Local\Temp\onefile_3268_133919811712408409\api-ms-win-core-debug-l1-1-0.dll  (executable)
  MD5: 71F1D24C7659171EAFEF4774E5623113
  SHA256: C45034620A5BB4A16E7DD0AFF235CC695A5516A4194F4FEC608B89EABD63EEEF
HTTP(S) requests: 10
TCP/UDP connections: 42
DNS requests: 16
Threats: 8

HTTP requests

PID   Process        Method  Code  IP                 URL                                                                                        CN       Reputation
4188  Built.exe      GET     200   208.95.112.1:80    http://ip-api.com/line/?fields=hosting                                                      unknown  whitelisted
7968  SIHClient.exe  GET     200   2.19.11.105:80     http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl                   unknown  whitelisted
7968  SIHClient.exe  GET     200   95.101.149.131:80  http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl             unknown  whitelisted
7968  SIHClient.exe  GET     200   2.19.11.105:80     http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl                       unknown  whitelisted
7968  SIHClient.exe  GET     200   2.19.11.105:80     http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl                       unknown  whitelisted
7968  SIHClient.exe  GET     200   95.101.149.131:80  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl  unknown  whitelisted
7968  SIHClient.exe  GET     200   95.101.149.131:80  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl       unknown  whitelisted
7968  SIHClient.exe  GET     200   95.101.149.131:80  http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl             unknown  whitelisted
7968  SIHClient.exe  GET     200   95.101.149.131:80  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl       unknown  whitelisted
4188  Built.exe      GET     200   208.95.112.1:80    http://ip-api.com/json/?fields=225545                                                       unknown  whitelisted

Connections

PID   Process        IP                    Domain                          ASN                          CN  Reputation
-     -              51.104.136.2:443      settings-win.data.microsoft.com MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
4     System         192.168.100.255:137   -                               -                            -   whitelisted
4     System         192.168.100.255:138   -                               -                            -   whitelisted
-     -              20.73.194.208:443     settings-win.data.microsoft.com MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
6544  svchost.exe    40.126.31.73:443      login.live.com                  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
4188  Built.exe      208.95.112.1:80       ip-api.com                      TUT-AS                       US  whitelisted
4188  Built.exe      142.250.186.131:443   gstatic.com                     GOOGLE                       US  whitelisted
7968  SIHClient.exe  20.109.210.53:443     slscr.update.microsoft.com      MICROSOFT-CORP-MSN-AS-BLOCK  US  whitelisted
7968  SIHClient.exe  2.19.11.105:80        crl.microsoft.com               Elisa Oyj                    NL  whitelisted
7968  SIHClient.exe  95.101.149.131:80     www.microsoft.com               Akamai International B.V.    NL  whitelisted

DNS requests

Domain                            Resolved IPs                                                                                         Reputation
settings-win.data.microsoft.com   51.104.136.2, 20.73.194.208                                                                          whitelisted
google.com                        142.250.181.238                                                                                      whitelisted
login.live.com                    40.126.31.73, 20.190.159.23, 40.126.31.130, 40.126.31.131, 20.190.159.131, 40.126.31.67, 40.126.31.128, 40.126.31.2  whitelisted
skoch-k7sgz.in                    (no resolution shown)                                                                                unknown
ip-api.com                        208.95.112.1                                                                                         whitelisted
gstatic.com                       142.250.186.131                                                                                      whitelisted
slscr.update.microsoft.com        20.109.210.53                                                                                        whitelisted
crl.microsoft.com                 2.19.11.105, 2.19.11.120                                                                             whitelisted
www.microsoft.com                 95.101.149.131                                                                                       whitelisted
fe3cr.delivery.mp.microsoft.com   20.3.187.198                                                                                         whitelisted

Threats

PID   Process      Class                                           Message
2196  svchost.exe  Device Retrieving External IP Address Detected  INFO [ANY.RUN] External IP Check (ip-api .com)
2196  svchost.exe  Device Retrieving External IP Address Detected  ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
4188  Built.exe    Device Retrieving External IP Address Detected  ET INFO External IP Lookup ip-api.com
2196  svchost.exe  Misc activity                                   SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
4188  Built.exe    Device Retrieving External IP Address Detected  ET INFO External IP Lookup ip-api.com
4188  Built.exe    Misc activity                                   ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
2196  svchost.exe  Misc activity                                   ET HUNTING Telegram API Domain in DNS Lookup
4188  Built.exe    A Network Trojan was detected                   STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check