File name:

crypto-hunter.exe

Full analysis: https://app.any.run/tasks/c1ecae03-ac81-4639-939c-cd5650358ed6
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is open-source malware, with its code available on GitHub and regularly receiving updates. The Blank Grabber builder's simple interface lets threat actors with even basic skills deploy it and conduct attacks.

Analysis date: June 02, 2025, 07:32:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
sfx
dropper
stealer
github
discord
blankgrabber
evasion
telegram
pyinstaller
auto
generic
miner
coinminer
susp-powershell
winring0x64-sys
vuln-driver
ims-api
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

88577C82B441B3B34B45C890E563C24E

SHA1:

2EF0A199494AF2E79430DD0A04C34287CF3C3BD0

SHA256:

EBB40D8C4D54109D0589D468D5BC1D6B2AC2AFE44228A72353376E6D2BC61F1A

SSDEEP:

196608:za7d1OCXImjO2fWFM7f0Ediex846CF9MsAhJEFnoVZJ/:ztCYoOeZf0aHv9wJESZp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • SFX dropper has been detected

      • Build.exe (PID: 4220)
    • GENERIC has been found (auto)

      • Build.exe (PID: 4652)
      • s.exe (PID: 5772)
    • Executing a file with an untrusted certificate

      • hacn.exe (PID: 1452)
      • based.exe (PID: 516)
      • based.exe (PID: 4756)
      • hacn.exe (PID: 3100)
      • CompPkgSrv.exe (PID: 1852)
      • setup.exe (PID: 4652)
      • setup.exe (PID: 6620)
      • CompPkgSrv.exe (PID: 7344)
    • Adds path to the Windows Defender exclusion list

      • based.exe (PID: 4756)
      • cmd.exe (PID: 6252)
      • cmd.exe (PID: 4528)
    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 4272)
    • Changes settings for real-time protection

      • powershell.exe (PID: 7288)
    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 7288)
    • Changes Windows Defender settings

      • cmd.exe (PID: 4272)
      • cmd.exe (PID: 6252)
      • cmd.exe (PID: 4528)
      • setup.exe (PID: 6620)
    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 7288)
    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 7288)
    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 7288)
    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 7288)
    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 7288)
    • Actions look like stealing of personal data

      • based.exe (PID: 4756)
    • Steals credentials from Web Browsers

      • based.exe (PID: 4756)
    • Resets Windows Defender malware definitions to the base version

      • MpCmdRun.exe (PID: 4700)
    • Stealer network behavior

      • based.exe (PID: 4756)
    • BLANKGRABBER has been detected (SURICATA)

      • based.exe (PID: 4756)
    • Adds process to the Windows Defender exclusion list

      • setup.exe (PID: 6620)
    • COINMINER has been found (auto)

      • setup1.exe (PID: 5548)
    • Starts REAGENTC.EXE to disable the Windows Recovery Environment

      • ReAgentc.exe (PID: 7196)
    • Vulnerable driver has been detected

      • updater.exe (PID: 7840)
    • MINER has been detected (SURICATA)

      • svchost.exe (PID: 2196)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • crypto-hunter.exe (PID: 5552)
      • based.exe (PID: 516)
      • Build.exe (PID: 4652)
      • hacn.exe (PID: 1452)
      • jB32aoas.exe (PID: 2692)
      • CompPkgSrv.exe (PID: 1852)
      • setup.exe (PID: 4652)
      • svchost.exe (PID: 6192)
    • Executable content was dropped or overwritten

      • crypto-hunter.exe (PID: 5552)
      • hacn.exe (PID: 1452)
      • Build.exe (PID: 4652)
      • based.exe (PID: 4756)
      • based.exe (PID: 516)
      • jB32aoas.exe (PID: 2692)
      • s.exe (PID: 5772)
      • CompPkgSrv.exe (PID: 1852)
      • svchost.exe (PID: 6192)
      • setup.exe (PID: 4652)
      • Dism.exe (PID: 7592)
      • powershell.exe (PID: 6632)
      • Dism.exe (PID: 7296)
      • Dism.exe (PID: 1812)
      • setup0.exe (PID: 7980)
      • setup1.exe (PID: 5548)
      • update.exe (PID: 2148)
      • updater.exe (PID: 7840)
    • Process drops python dynamic module

      • crypto-hunter.exe (PID: 5552)
      • hacn.exe (PID: 1452)
      • based.exe (PID: 516)
      • jB32aoas.exe (PID: 2692)
      • svchost.exe (PID: 6192)
      • CompPkgSrv.exe (PID: 1852)
      • setup.exe (PID: 4652)
    • The process drops C-runtime libraries

      • crypto-hunter.exe (PID: 5552)
      • based.exe (PID: 516)
      • hacn.exe (PID: 1452)
      • jB32aoas.exe (PID: 2692)
      • CompPkgSrv.exe (PID: 1852)
      • setup.exe (PID: 4652)
      • svchost.exe (PID: 6192)
    • Reads security settings of Internet Explorer

      • Build.exe (PID: 4220)
      • Build.exe (PID: 4652)
      • s.exe (PID: 5772)
    • Application launched itself

      • Build.exe (PID: 4220)
      • crypto-hunter.exe (PID: 5552)
      • based.exe (PID: 516)
      • hacn.exe (PID: 1452)
      • cmd.exe (PID: 6876)
      • jB32aoas.exe (PID: 2692)
      • setup.exe (PID: 4652)
      • CompPkgSrv.exe (PID: 1852)
      • svchost.exe (PID: 6192)
    • Loads Python modules

      • hacn.exe (PID: 3100)
      • jB32aoas.exe (PID: 6632)
      • setup.exe (PID: 6620)
      • CompPkgSrv.exe (PID: 7344)
      • svchost.exe (PID: 7892)
    • Starts CMD.EXE for commands execution

      • hacn.exe (PID: 3100)
      • based.exe (PID: 4756)
      • cmd.exe (PID: 6876)
      • svchost.exe (PID: 7892)
      • CompPkgSrv.exe (PID: 7344)
    • Found strings related to reading or modifying Windows Defender settings

      • based.exe (PID: 4756)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 6252)
      • cmd.exe (PID: 4528)
      • setup.exe (PID: 6620)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6252)
      • cmd.exe (PID: 4272)
      • cmd.exe (PID: 4528)
      • cmd.exe (PID: 7332)
      • cmd.exe (PID: 4648)
      • cmd.exe (PID: 1184)
      • cmd.exe (PID: 7764)
      • setup.exe (PID: 6620)
    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 4272)
    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 4272)
    • The executable file from the user directory is run by the CMD process

      • bound.exe (PID: 3176)
      • rar.exe (PID: 5800)
    • Get information on the list of running processes

      • based.exe (PID: 4756)
      • cmd.exe (PID: 6876)
      • cmd.exe (PID: 6344)
    • Potential Corporate Privacy Violation

      • hacn.exe (PID: 3100)
    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 7512)
    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 7520)
    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 4208)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 8136)
      • cmd.exe (PID: 7832)
      • cmd.exe (PID: 7960)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 3032)
      • WMIC.exe (PID: 7752)
      • WMIC.exe (PID: 7296)
    • There is functionality for taking screenshot (YARA)

      • hacn.exe (PID: 1452)
      • hacn.exe (PID: 3100)
      • svchost.exe (PID: 6192)
      • CompPkgSrv.exe (PID: 1852)
      • setup.exe (PID: 4652)
      • CompPkgSrv.exe (PID: 7344)
      • setup.exe (PID: 6620)
    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 7496)
      • WMIC.exe (PID: 7636)
    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 6640)
      • CompPkgSrv.exe (PID: 7344)
    • Creates file in the systems drive root

      • jB32aoas.exe (PID: 6632)
      • setup.exe (PID: 6620)
      • CompPkgSrv.exe (PID: 7344)
      • svchost.exe (PID: 7892)
    • Checks for external IP

      • svchost.exe (PID: 2196)
      • based.exe (PID: 4756)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • based.exe (PID: 4756)
      • CompPkgSrv.exe (PID: 7344)
    • The process creates files with name similar to system file names

      • s.exe (PID: 5772)
    • The process checks if current user has admin rights

      • setup.exe (PID: 6620)
    • Checks a user's role membership (POWERSHELL)

      • powershell.exe (PID: 236)
    • Reads the date of Windows installation

      • CompPkgSrv.exe (PID: 7344)
      • svchost.exe (PID: 7892)
    • Reads the BIOS version

      • CompPkgSrv.exe (PID: 7344)
      • svchost.exe (PID: 7892)
    • Script adds exclusion process to Windows Defender

      • setup.exe (PID: 6620)
    • Uses REG/REGEDIT.EXE to modify registry

      • powershell.exe (PID: 8104)
    • Starts a Microsoft application from unusual location

      • DismHost.exe (PID: 2124)
      • DismHost.exe (PID: 4620)
      • DismHost.exe (PID: 7800)
      • DismHost.exe (PID: 7704)
    • Manipulates environment variables

      • powershell.exe (PID: 5452)
      • powershell.exe (PID: 4020)
      • powershell.exe (PID: 8472)
      • powershell.exe (PID: 8652)
    • Hides errors and continues executing the command without stopping

      • powershell.exe (PID: 8036)
    • Returns all items found within a container (POWERSHELL)

      • powershell.exe (PID: 6632)
    • Stops a currently running service

      • sc.exe (PID: 7256)
      • sc.exe (PID: 7764)
      • sc.exe (PID: 4268)
      • sc.exe (PID: 3304)
      • sc.exe (PID: 7816)
      • sc.exe (PID: 2432)
      • sc.exe (PID: 2152)
      • sc.exe (PID: 5972)
      • sc.exe (PID: 5332)
      • sc.exe (PID: 2652)
      • sc.exe (PID: 8900)
      • sc.exe (PID: 8920)
      • sc.exe (PID: 8960)
      • sc.exe (PID: 8980)
      • sc.exe (PID: 8940)
      • sc.exe (PID: 9068)
      • sc.exe (PID: 8516)
      • sc.exe (PID: 9096)
      • sc.exe (PID: 9132)
      • sc.exe (PID: 9160)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 2104)
      • cmd.exe (PID: 6876)
      • cmd.exe (PID: 8860)
      • cmd.exe (PID: 8884)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 5720)
      • schtasks.exe (PID: 7512)
    • The process executes via Task Scheduler

      • updater.exe (PID: 7840)
      • update.exe (PID: 2148)
    • Removes files via Powershell

      • powershell.exe (PID: 7296)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • CompPkgSrv.exe (PID: 7344)
    • Crypto Currency Mining Activity Detected

      • svchost.exe (PID: 2196)
    • Drops a system driver (possible attempt to evade defenses)

      • updater.exe (PID: 7840)
  • INFO

    • Reads the computer name

      • crypto-hunter.exe (PID: 5552)
      • Build.exe (PID: 4220)
      • Build.exe (PID: 4652)
      • hacn.exe (PID: 1452)
      • based.exe (PID: 516)
      • based.exe (PID: 4756)
      • MpCmdRun.exe (PID: 4700)
      • hacn.exe (PID: 3100)
      • jB32aoas.exe (PID: 2692)
      • s.exe (PID: 5772)
      • CompPkgSrv.exe (PID: 1852)
      • svchost.exe (PID: 6192)
      • setup.exe (PID: 4652)
      • CompPkgSrv.exe (PID: 7344)
      • svchost.exe (PID: 7892)
    • The sample compiled with English language support

      • crypto-hunter.exe (PID: 5552)
      • Build.exe (PID: 4652)
      • hacn.exe (PID: 1452)
      • based.exe (PID: 516)
      • based.exe (PID: 4756)
      • jB32aoas.exe (PID: 2692)
      • CompPkgSrv.exe (PID: 1852)
      • setup.exe (PID: 4652)
      • svchost.exe (PID: 6192)
      • powershell.exe (PID: 6632)
      • Dism.exe (PID: 7592)
      • Dism.exe (PID: 1812)
      • Dism.exe (PID: 7296)
    • Create files in a temporary directory

      • crypto-hunter.exe (PID: 5552)
      • hacn.exe (PID: 1452)
      • based.exe (PID: 516)
      • based.exe (PID: 4756)
      • MpCmdRun.exe (PID: 4700)
      • rar.exe (PID: 5800)
      • jB32aoas.exe (PID: 2692)
      • setup.exe (PID: 4652)
      • CompPkgSrv.exe (PID: 1852)
      • svchost.exe (PID: 6192)
    • Reads the machine GUID from the registry

      • crypto-hunter.exe (PID: 2432)
      • based.exe (PID: 4756)
      • hacn.exe (PID: 3100)
      • rar.exe (PID: 5800)
      • jB32aoas.exe (PID: 6632)
      • setup.exe (PID: 6620)
      • CompPkgSrv.exe (PID: 7344)
      • svchost.exe (PID: 7892)
    • Checks supported languages

      • crypto-hunter.exe (PID: 2432)
      • Build.exe (PID: 4652)
      • crypto-hunter.exe (PID: 5552)
      • Build.exe (PID: 4220)
      • hacn.exe (PID: 1452)
      • based.exe (PID: 516)
      • based.exe (PID: 4756)
      • hacn.exe (PID: 3100)
      • MpCmdRun.exe (PID: 4700)
      • rar.exe (PID: 5800)
      • jB32aoas.exe (PID: 2692)
      • s.exe (PID: 5772)
      • CompPkgSrv.exe (PID: 1852)
      • jB32aoas.exe (PID: 6632)
      • svchost.exe (PID: 6192)
      • setup.exe (PID: 4652)
      • setup0.exe (PID: 7980)
      • setup1.exe (PID: 5548)
      • setup.exe (PID: 6620)
      • CompPkgSrv.exe (PID: 7344)
      • svchost.exe (PID: 7892)
    • Process checks computer location settings

      • Build.exe (PID: 4220)
      • Build.exe (PID: 4652)
      • s.exe (PID: 5772)
    • Creates files in the program directory

      • Build.exe (PID: 4652)
      • hacn.exe (PID: 3100)
      • s.exe (PID: 5772)
    • Checks operating system version

      • hacn.exe (PID: 3100)
      • svchost.exe (PID: 7892)
      • CompPkgSrv.exe (PID: 7344)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6324)
      • powershell.exe (PID: 7268)
      • powershell.exe (PID: 7288)
      • powershell.exe (PID: 1176)
      • powershell.exe (PID: 672)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6324)
      • powershell.exe (PID: 7268)
      • powershell.exe (PID: 7288)
      • powershell.exe (PID: 8036)
    • Checks proxy server information

      • hacn.exe (PID: 3100)
      • CompPkgSrv.exe (PID: 7344)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7828)
      • WMIC.exe (PID: 3032)
      • WMIC.exe (PID: 7520)
      • WMIC.exe (PID: 7496)
      • WMIC.exe (PID: 7752)
      • WMIC.exe (PID: 7636)
      • WMIC.exe (PID: 7296)
    • PyInstaller has been detected (YARA)

      • hacn.exe (PID: 1452)
      • based.exe (PID: 516)
      • hacn.exe (PID: 3100)
      • CompPkgSrv.exe (PID: 1852)
      • svchost.exe (PID: 6192)
      • setup.exe (PID: 4652)
      • setup.exe (PID: 6620)
      • CompPkgSrv.exe (PID: 7344)
    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • based.exe (PID: 4756)
    • Attempting to use instant messaging service

      • based.exe (PID: 4756)
      • svchost.exe (PID: 2196)
    • Reads CPU info

      • CompPkgSrv.exe (PID: 7344)
      • svchost.exe (PID: 7892)
    • Returns hidden items found within a container (POWERSHELL)

      • powershell.exe (PID: 6632)
      • conhost.exe (PID: 5248)
      • powershell.exe (PID: 4020)
      • conhost.exe (PID: 8104)
      • powershell.exe (PID: 5452)
      • conhost.exe (PID: 8056)
      • conhost.exe (PID: 4892)
      • conhost.exe (PID: 7976)
      • conhost.exe (PID: 5324)
      • conhost.exe (PID: 2124)
      • conhost.exe (PID: 4620)
      • conhost.exe (PID: 7632)
      • conhost.exe (PID: 4648)
      • conhost.exe (PID: 7888)
      • powershell.exe (PID: 7296)
      • conhost.exe (PID: 4400)
      • conhost.exe (PID: 8660)
      • conhost.exe (PID: 8868)
      • conhost.exe (PID: 8620)
      • powershell.exe (PID: 8472)
      • conhost.exe (PID: 8480)
      • powershell.exe (PID: 8652)
      • conhost.exe (PID: 8876)
      • conhost.exe (PID: 6344)
    • Manual execution by a user

      • powershell.exe (PID: 4020)
      • powershell.exe (PID: 5452)
      • cmd.exe (PID: 6876)
      • cmd.exe (PID: 2104)
      • dialer.exe (PID: 7448)
      • schtasks.exe (PID: 5720)
      • dialer.exe (PID: 7300)
      • schtasks.exe (PID: 7512)
      • schtasks.exe (PID: 7260)
      • schtasks.exe (PID: 516)
      • schtasks.exe (PID: 6640)
      • schtasks.exe (PID: 3096)
      • powershell.exe (PID: 8472)
      • firefox.exe (PID: 7704)
      • cmd.exe (PID: 8860)
      • dialer.exe (PID: 9008)
      • schtasks.exe (PID: 8548)
      • powershell.exe (PID: 8652)
      • dialer.exe (PID: 8912)
      • cmd.exe (PID: 8884)
      • dialer.exe (PID: 9196)
      • schtasks.exe (PID: 8660)
      • dialer.exe (PID: 8480)
      • dialer.exe (PID: 8516)
    • Changes the registry key values via Powershell

      • setup.exe (PID: 6620)
    • Returns all items recursively from all subfolders (POWERSHELL)

      • powershell.exe (PID: 7296)
    • Application launched itself

      • firefox.exe (PID: 7704)
      • firefox.exe (PID: 7268)
    • The sample compiled with Japanese language support

      • updater.exe (PID: 7840)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:08 15:37:19+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.32
CodeSize: 165888
InitializedDataSize: 95232
UninitializedDataSize: -
EntryPoint: 0xafa0
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
317
Monitored processes
186
Malicious processes
30
Suspicious processes
3

Behavior graph

start crypto-hunter.exe crypto-hunter.exe no specs #DROPPER build.exe no specs #GENERIC build.exe hacn.exe based.exe #BLANKGRABBER based.exe hacn.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs bound.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs mpcmdrun.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs rar.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs jb32aoas.exe #MINER svchost.exe jb32aoas.exe no specs #GENERIC s.exe comppkgsrv.exe svchost.exe setup.exe setup0.exe #COINMINER setup1.exe setup.exe no specs powershell.exe no specs conhost.exe no specs comppkgsrv.exe cmd.exe no specs conhost.exe no specs svchost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs reg.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs dismhost.exe no specs dism.exe dismhost.exe no specs powershell.exe conhost.exe no specs 
powershell.exe conhost.exe no specs dism.exe dismhost.exe no specs dism.exe dismhost.exe no specs cmd.exe conhost.exe no specs sc.exe no specs cmd.exe conhost.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs dialer.exe schtasks.exe sc.exe no specs conhost.exe no specs sc.exe no specs schtasks.exe conhost.exe no specs sc.exe no specs dialer.exe schtasks.exe conhost.exe no specs schtasks.exe conhost.exe no specs THREAT updater.exe schtasks.exe conhost.exe no specs schtasks.exe conhost.exe no specs update.exe powershell.exe no specs conhost.exe no specs reagentc.exe no specs powershell.exe no specs conhost.exe no specs rundll32.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs powershell.exe conhost.exe no specs powershell.exe conhost.exe no specs slui.exe no specs cmd.exe conhost.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs dialer.exe schtasks.exe conhost.exe no specs dialer.exe dialer.exe cmd.exe conhost.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs dialer.exe schtasks.exe conhost.exe no specs dialer.exe shellexperiencehost.exe no specs systemsettingsbroker.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 236
CMD: powershell -Command "$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 516
CMD: "C:\ProgramData\Microsoft\based.exe"
Path: C:\ProgramData\Microsoft\based.exe
Parent process: Build.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Displays NIC MAC information
Exit code:
0
Version:
10.0.22621.1 (WinBuild.160101.0800)
Modules
Images
c:\programdata\microsoft\based.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 516
CMD: C:\WINDOWS\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateMachineQC" /xml "C:\Users\admin\AppData\Local\Temp\xcogymxilhvf.xml"
Path: C:\Windows\System32\schtasks.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 672
CMD: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1176
CMD: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1184
CMD: C:\WINDOWS\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Path: C:\Windows\System32\cmd.exe
Parent process: based.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1452
CMD: "C:\ProgramData\Microsoft\hacn.exe"
Path: C:\ProgramData\Microsoft\hacn.exe
Parent process: Build.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\programdata\microsoft\hacn.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 1616
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2736 -childID 1 -isForBrowser -prefsHandle 2732 -prefMapHandle 2728 -prefsLen 31447 -prefMapSize 244583 -jsInitHandle 1432 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfe8d141-0253-4acc-9eaf-53b9443d60d7} 7268 "\\.\pipe\gecko-crash-server-pipe.7268" 1864a8a2f50 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 1812
CMD: C:\WINDOWS\system32\cmd.exe /c "ver"
Path: C:\Windows\System32\cmd.exe
Parent process: hacn.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 1812
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
123 262
Read events
123 176
Write events
21
Delete events
65

Modification events

Process: (3100) hacn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\GirkinZAvtomatom
Operation: write
Name: hohols
Value:
True
Process: (5772) s.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
Process: (4784) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications
Operation: write
Name: ToastEnabled
Value:
0
Process: (2652) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: ConsentPromptBehaviorAdmin
Value:
0
Process: (4620) DismHost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\EnterpriseUninstallBlockList
Operation: delete value
Name: Microsoft.Windows.SecHealthUI_cw5n1h2txyewy
Value:
Process: (6632) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy
Operation: delete key
Name: (default)
Value:
Process: (7800) DismHost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\EnterpriseUninstallBlockList
Operation: delete value
Name: Microsoft.Windows.SecHealthUI_cw5n1h2txyewy
Value:
Process: (7704) DismHost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\EnterpriseUninstallBlockList
Operation: delete value
Name: Microsoft.Windows.SecHealthUI_cw5n1h2txyewy
Value:
Process: (7300) dialer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\dialerconfig\pid
Operation: write
Name: svc64
Value:
7300
Process: (7196) ReAgentc.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation: delete key
Name: (default)
Value:
Executable files
611
Suspicious files
188
Text files
178
Unknown types
2

Dropped files

PID
Process
Filename
Type
PID 5552 | crypto-hunter.exe | C:\Users\admin\AppData\Local\Temp\_MEI55522\base_library.zip | compressed
MD5:866832ED5917CF86A813066281BF0214
SHA256:64996668360584314D84D7E4FCD89549715741572E14F6C63E59BE0A40F44647
PID 5552 | crypto-hunter.exe | C:\Users\admin\AppData\Local\Temp\_MEI55522\_decimal.pyd | executable
MD5:816CBDB21CB715612CA358F0A2688321
SHA256:45F987F784C7F494C469B5A3938C3A37970AA6BEF4EFAB2D1AC145559CA97508
PID 1452 | hacn.exe | C:\Users\admin\AppData\Local\Temp\_MEI14522\VCRUNTIME140_1.dll | executable
MD5:135359D350F72AD4BF716B764D39E749
SHA256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
PID 5552 | crypto-hunter.exe | C:\Users\admin\AppData\Local\Temp\_MEI55522\_hashlib.pyd | executable
MD5:47552C83D1890FF91037EECD02B730A2
SHA256:C3024B95F7F1757D9496C8171EACA5F8B9BB8C7CD7F6077077B5AAA1302B0CA4
PID 5552 | crypto-hunter.exe | C:\Users\admin\AppData\Local\Temp\_MEI55522\_lzma.pyd | executable
MD5:73EB1D56265F92CEEF7948C5B74A11C1
SHA256:EE390C28C14E0C33A5601F12EB5D04BDFF0ECFB334CE402F4380B8E0EBF7D4DE
PID 1452 | hacn.exe | C:\Users\admin\AppData\Local\Temp\_MEI14522\_cffi_backend.cp310-win_amd64.pyd | executable
MD5:2BAAA98B744915339AE6C016B17C3763
SHA256:4F1CE205C2BE986C9D38B951B6BCB6045EB363E06DACC069A41941F80BE9068C
5552crypto-hunter.exeC:\Users\admin\AppData\Local\Temp\_MEI55522\_socket.pydexecutable
MD5:26A6147D9FFD545FD80C9ED664D66D06
SHA256:35F18DD2452642CEFB6F883AFC74D560E22AA71BDB6B26E63B076D7EA4246D38
5552crypto-hunter.exeC:\Users\admin\AppData\Local\Temp\_MEI55522\libcrypto-1_1.dllexecutable
MD5:C702B01B9D16F58AD711BF53C0C73203
SHA256:49363CBA6A25B49A29C6ADD58258E9FEB1C9531460F2716D463AB364D15120E1
5552crypto-hunter.exeC:\Users\admin\AppData\Local\Temp\_MEI55522\python310.dllexecutable
MD5:BBCB74867BD3F8A691B1F0A394336908
SHA256:800B5E9A08C3A0F95A2C6F4A3355DF8BBBC416E716F95BD6D42B6F0D6FB92F41
5552crypto-hunter.exeC:\Users\admin\AppData\Local\Temp\_MEI55522\unicodedata.pydexecutable
MD5:184968E391F7CF291C0995ED0C12AF5E
SHA256:129FEDDB303265F0952092567D92915F1A7BDFC12DEC91F6E8B8A3226CBB8AD3
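Every dropped path above sits under a Temp\_MEI<number> directory, which is where a PyInstaller onefile executable unpacks itself at start-up, and the number begins with the PID of the process doing the unpacking (5552 writes to _MEI55522, 1452 to _MEI14522). The bundled python310.dll and the cp310-win_amd64 ABI tag on the cffi extension date both stubs to Python 3.10. The block below is an added triage helper, not code from the report or the sample: it takes the dropped-file rows (transcribed here as constructed input, hashes omitted) and groups them into bundles, inferring the interpreter version and checking that each _MEI directory belongs to the PID that writes into it. The regexes and the PID-prefix check are this example's own assumptions about how PyInstaller names the directory, based on the paths visible in this report.

```python
import re

# Dropped-file records transcribed from the table above (constructed input for this
# example; hash columns omitted). Each tuple is (pid, process, path, type).
DROPPED = [
    (5552, "crypto-hunter.exe", r"C:\Users\admin\AppData\Local\Temp\_MEI55522\base_library.zip", "compressed"),
    (5552, "crypto-hunter.exe", r"C:\Users\admin\AppData\Local\Temp\_MEI55522\_decimal.pyd", "executable"),
    (1452, "hacn.exe", r"C:\Users\admin\AppData\Local\Temp\_MEI14522\VCRUNTIME140_1.dll", "executable"),
    (5552, "crypto-hunter.exe", r"C:\Users\admin\AppData\Local\Temp\_MEI55522\_hashlib.pyd", "executable"),
    (5552, "crypto-hunter.exe", r"C:\Users\admin\AppData\Local\Temp\_MEI55522\_lzma.pyd", "executable"),
    (1452, "hacn.exe", r"C:\Users\admin\AppData\Local\Temp\_MEI14522\_cffi_backend.cp310-win_amd64.pyd", "executable"),
    (5552, "crypto-hunter.exe", r"C:\Users\admin\AppData\Local\Temp\_MEI55522\_socket.pyd", "executable"),
    (5552, "crypto-hunter.exe", r"C:\Users\admin\AppData\Local\Temp\_MEI55522\libcrypto-1_1.dll", "executable"),
    (5552, "crypto-hunter.exe", r"C:\Users\admin\AppData\Local\Temp\_MEI55522\python310.dll", "executable"),
    (5552, "crypto-hunter.exe", r"C:\Users\admin\AppData\Local\Temp\_MEI55522\unicodedata.pyd", "executable"),
]

MEI_DIR = re.compile(r"\\(_MEI(\d+))\\", re.IGNORECASE)                       # PyInstaller onefile temp dir
PY_DLL = re.compile(r"\\python(\d)(\d{1,2})\.dll$", re.IGNORECASE)             # bundled interpreter DLL
ABI_TAG = re.compile(r"\.cp(\d)(\d{1,2})-win_(amd64|32)\.pyd$", re.IGNORECASE)  # CPython extension ABI tag


def pyinstaller_bundles(records):
    """Group dropped files by (pid, process) whose paths sit in a _MEI* directory.

    Per bundle: the extraction dir, file count, whether the dir name starts with
    the creating PID (as seen in this report: 5552 -> _MEI55522), the Python
    version inferred from python3XX.dll or a cpXXX ABI tag, and whether
    base_library.zip (the stdlib archive PyInstaller ships) is present.
    """
    bundles = {}
    for pid, proc, path, _ftype in records:
        m = MEI_DIR.search(path)
        if not m:
            continue
        b = bundles.setdefault((pid, proc), {
            "mei_dir": m.group(1), "files": 0, "python": None,
            "mei_matches_pid": m.group(2).startswith(str(pid)),
            "has_base_library": False,
        })
        b["files"] += 1
        for rx in (PY_DLL, ABI_TAG):
            v = rx.search(path)
            if v:
                b["python"] = f"{v.group(1)}.{v.group(2)}"
        if path.lower().endswith("\\base_library.zip"):
            b["has_base_library"] = True
    return bundles


def orphaned_mei_dirs(records):
    """Extraction dirs whose number does not start with the PID writing into them.

    A mismatch means some process other than the one that unpacked the bundle is
    writing into its temp dir, which deserves a second look.
    """
    return sorted({m.group(1) for pid, _p, path, _t in records
                   if (m := MEI_DIR.search(path)) and not m.group(2).startswith(str(pid))})


if __name__ == "__main__":
    for (pid, proc), info in sorted(pyinstaller_bundles(DROPPED).items()):
        print(pid, proc, info)
    print("orphaned:", orphaned_mei_dirs(DROPPED))
```

Two bundles come out of this report's rows: crypto-hunter.exe (8 files, Python 3.10, base_library.zip present) and hacn.exe (2 files, Python 3.10 from the ABI tag alone), and no _MEI directory is written by a PID other than its owner.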
HTTP(S) requests: 24
TCP/UDP connections: 82
DNS requests: 119
Threats: 15

HTTP requests

PID   Process              Method  HTTP Code  IP                  URL  CN/Type  Reputation
5496  MoUsoCoreWorker.exe  GET     200        23.216.77.6:80      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  unknown  whitelisted
5496  MoUsoCoreWorker.exe  GET     200        23.35.229.160:80    http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl  unknown  whitelisted
-     -                    GET     200        23.35.229.160:80    http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl  unknown  whitelisted
6544  svchost.exe          GET     200        2.17.190.73:80      http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D  unknown  whitelisted
3100  hacn.exe             GET     200        142.250.181.228:80  http://www.google.com/  unknown  whitelisted
4756  based.exe            GET     200        208.95.112.1:80     http://ip-api.com/json/?fields=225545  unknown  whitelisted
8008  SIHClient.exe        GET     200        95.101.149.131:80   http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl  unknown  whitelisted
7268  firefox.exe          GET     200        34.107.221.82:80    http://detectportal.firefox.com/success.txt?ipv4  unknown  whitelisted
8008  SIHClient.exe        GET     200        95.101.149.131:80   http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl  unknown  whitelisted
2924  SearchApp.exe        GET     200        184.30.131.245:80   http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D  unknown  whitelisted

(The report defines CN, Type and Size columns, but each exported row carries only the single value "unknown" before the reputation, so the three columns are shown merged; "-" marks a cell the export left empty.)
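The one request in that table that is not Windows or browser housekeeping is based.exe fetching http://ip-api.com/json/?fields=225545, which the Threats section below ties to BlankGrabber's external IP check. The numeric fields parameter is an ip-api.com bitmask selecting which JSON keys the service returns, so decoding it tells you what the stealer wanted to know about the victim's network. The block below is an added example, not code from the report, ANY.RUN or the Blank Grabber project: the bit values are taken from ip-api.com's documented field generator as this example assumes them (verify against the current docs), the extra lookup hosts beyond ip-api.com are common alternatives added for the rule, and the HTTP rows are a constructed subset of the table above.

```python
from urllib.parse import urlparse, parse_qs

# ip-api.com "fields" bitmask. Values are taken from ip-api.com's documented field
# generator as this example assumes them; check them against the current docs.
IPAPI_FIELD_BITS = {
    "country": 1, "countryCode": 2, "region": 4, "regionName": 8,
    "city": 16, "zip": 32, "lat": 64, "lon": 128, "timezone": 256,
    "isp": 512, "org": 1024, "as": 2048, "reverse": 4096, "query": 8192,
    "status": 16384, "message": 32768, "mobile": 65536, "proxy": 131072,
    "district": 524288, "continent": 1048576, "continentCode": 2097152,
    "asname": 4194304, "currency": 8388608, "hosting": 16777216,
    "offset": 33554432,
}


def decode_ipapi_fields(mask: int) -> list[str]:
    """Return the field names selected by a numeric ip-api.com fields mask.

    Bits the table does not know are reported rather than silently dropped.
    """
    names = [name for name, bit in IPAPI_FIELD_BITS.items() if mask & bit]
    leftover = mask & ~sum(IPAPI_FIELD_BITS.values())
    if leftover:
        names.append(f"unknown_bits:0x{leftover:x}")
    return names


# Hosts used for external-IP discovery. Only ip-api.com appears in this report;
# the others are common alternatives added for the rule (assumption).
IP_LOOKUP_HOSTS = {"ip-api.com", "ipinfo.io", "api.ipify.org", "ifconfig.me"}

# Subset of the HTTP table above, transcribed as (pid, process, url) (constructed input).
HTTP_ROWS = [
    (5496, "MoUsoCoreWorker.exe", "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"),
    (3100, "hacn.exe", "http://www.google.com/"),
    (4756, "based.exe", "http://ip-api.com/json/?fields=225545"),
    (7268, "firefox.exe", "http://detectportal.firefox.com/success.txt?ipv4"),
]


def external_ip_lookups(rows):
    """Flag requests to external-IP lookup services; decode the ip-api.com mask when present."""
    hits = []
    for pid, proc, url in rows:
        u = urlparse(url)
        host = (u.hostname or "").lower()
        if host not in IP_LOOKUP_HOSTS:
            continue
        fields = []
        if host == "ip-api.com":
            raw = parse_qs(u.query).get("fields", [""])[0]
            if raw.isdigit():
                fields = decode_ipapi_fields(int(raw))
        hits.append({"pid": pid, "process": proc, "host": host, "fields": fields})
    return hits


def matches_blankgrabber_ip_check(url: str) -> bool:
    """Exact-match rule for the request this report's signature attributes to BlankGrabber."""
    u = urlparse(url)
    return ((u.hostname or "").lower() == "ip-api.com" and u.path == "/json/"
            and parse_qs(u.query).get("fields") == ["225545"])


if __name__ == "__main__":
    for hit in external_ip_lookups(HTTP_ROWS):
        print(hit["pid"], hit["process"], hit["host"], ", ".join(hit["fields"]))
```

Decoded, 225545 selects status, query, country, regionName, timezone, reverse, mobile and proxy: geolocation plus reverse DNS and proxy/mobile flags, which is more than a plain "what is my IP" check needs. The exact-match rule is brittle by design (any change to the query string defeats it), so in a detection pipeline it belongs next to the broader host-based rule, not in place of it.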

Connections

PID   Process              IP                     Domain                     ASN                          CN  Reputation
4     System               192.168.100.255:137    -                          -                            -   whitelisted
-     -                    20.73.194.208:443      -                          MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
5496  MoUsoCoreWorker.exe  23.216.77.6:80         crl.microsoft.com          Akamai International B.V.    DE  whitelisted
5496  MoUsoCoreWorker.exe  23.35.229.160:80       www.microsoft.com          AKAMAI-AS                    DE  whitelisted
-     -                    23.35.229.160:80       www.microsoft.com          AKAMAI-AS                    DE  whitelisted
1088  RUXIMICS.exe         20.73.194.208:443      -                          MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
4     System               192.168.100.255:138    -                          -                            -   whitelisted
4756  based.exe            142.250.185.99:443     gstatic.com                GOOGLE                       US  whitelisted
3100  hacn.exe             142.250.181.228:80     www.google.com             GOOGLE                       US  whitelisted
3100  hacn.exe             185.199.109.133:443    raw.githubusercontent.com  FASTLY                       US  whitelisted

("-" marks a cell the export left empty.)

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.31
  • 23.216.77.36
  • 23.216.77.26
  • 23.216.77.42
  • 23.216.77.20
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
whitelisted
gstatic.com
  • 142.250.185.99
whitelisted
www.google.com
  • 142.250.181.228
whitelisted
raw.githubusercontent.com
  • 185.199.109.133
  • 185.199.110.133
  • 185.199.111.133
  • 185.199.108.133
whitelisted
github.com
  • 140.82.121.3
whitelisted
login.live.com
  • 20.190.159.130
  • 40.126.31.129
  • 40.126.31.0
  • 40.126.31.130
  • 20.190.159.0
  • 40.126.31.69
  • 40.126.31.128
  • 40.126.31.1
  • 40.126.32.136
  • 40.126.32.76
  • 20.190.160.17
  • 20.190.160.64
  • 20.190.160.20
  • 20.190.160.14
  • 40.126.32.134
  • 40.126.32.68
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 184.30.131.245
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.250
whitelisted

Threats

PID   Process      Class                                           Message
3100  hacn.exe     Potential Corporate Privacy Violation           POLICY [ANY.RUN] Python Suspicious User Agent
2196  svchost.exe  Not Suspicious Traffic                          INFO [ANY.RUN] Attempting to access raw user content on GitHub
4756  based.exe    Device Retrieving External IP Address Detected  ET INFO External IP Lookup ip-api.com
4756  based.exe    Misc activity                                   ET INFO Observed Discord Domain (discord .com in TLS SNI)
2196  svchost.exe  Device Retrieving External IP Address Detected  INFO [ANY.RUN] External IP Check (ip-api .com)
2196  svchost.exe  Device Retrieving External IP Address Detected  ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2196  svchost.exe  Misc activity                                   ET INFO Observed Discord Domain in DNS Lookup (discord .com)
4756  based.exe    A Network Trojan was detected                   STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
4756  based.exe    Misc activity                                   ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
2196  svchost.exe  Misc activity                                   ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
No debug info