File name:

Built.exe

Full analysis: https://app.any.run/tasks/ea071332-5fd1-4dce-b608-5def15363b8d
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks.

Malware Trends Tracker     >>>
Analysis date: May 19, 2025, 20:38:22
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
blankgrabber
uac
python
evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

90BC635BE9B8F8876580A03C031447B6

SHA1:

6D664711AFE661DEE74385A8B58A0550ACA396AA

SHA256:

F4514A37EB4D040FB4A3E3A5A8D6E40CF481891209AA6A225E6BE7698F94ED2D

SSDEEP:

98304:W1T2QUsyxcXL+aw10YPfpqt3/bqpuzVtHfktEzafhOsE+XZ0+v1VxK8oxyJIj2JL:lmYr+44a+nw29ekoN18E

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Built.exe (PID: 4068)
      • Built.exe (PID: 4448)
      • Built.exe (PID: 4724)

    • Bypass User Account Control (ComputerDefaults)

      • ComputerDefaults.exe (PID: 4164)

    • Bypass User Account Control (Modify registry)

      • reg.exe (PID: 5204)

    • BlankGrabber has been detected

      • Built.exe (PID: 4448)
      • Built.exe (PID: 4068)

    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 1240)

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 6576)
      • Built.exe (PID: 4724)

    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 3096)

    • Changes Windows Defender settings

      • cmd.exe (PID: 1240)
      • cmd.exe (PID: 6576)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 3096)

    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 3096)

    • Changes settings for real-time protection

      • powershell.exe (PID: 3096)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 3096)

    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 3096)

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 3096)

    • Resets Windows Defender malware definitions to the base version

      • MpCmdRun.exe (PID: 7788)

  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • Built.exe (PID: 4068)
      • Built.exe (PID: 5360)
      • Built.exe (PID: 4448)
      • Built.exe (PID: 4724)

    • Process drops python dynamic module

      • Built.exe (PID: 4068)
      • Built.exe (PID: 4448)

    • Application launched itself

      • Built.exe (PID: 4068)
      • Built.exe (PID: 4448)

    • Starts CMD.EXE for commands execution

      • Built.exe (PID: 5360)
      • Built.exe (PID: 4724)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 4164)
      • cmd.exe (PID: 4408)
      • cmd.exe (PID: 6576)

    • Uses WEVTUTIL.EXE to query events from a log or log file

      • cmd.exe (PID: 4000)
      • cmd.exe (PID: 5332)

    • Found strings related to reading or modifying Windows Defender settings

      • Built.exe (PID: 5360)
      • Built.exe (PID: 4724)

    • Changes default file association

      • reg.exe (PID: 5204)

    • Executable content was dropped or overwritten

      • Built.exe (PID: 4448)
      • Built.exe (PID: 4068)

    • Process drops legitimate windows executable

      • Built.exe (PID: 4448)
      • Built.exe (PID: 4068)

    • The process drops C-runtime libraries

      • Built.exe (PID: 4448)
      • Built.exe (PID: 4068)

    • Get information on the list of running processes

      • Built.exe (PID: 4724)
      • cmd.exe (PID: 2420)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6576)
      • cmd.exe (PID: 1240)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 6576)

    • Loads Python modules

      • Built.exe (PID: 4724)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 1240)

    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 1240)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 1012)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 2384)

    • Checks for external IP

      • Built.exe (PID: 4724)
      • svchost.exe (PID: 2196)

  • INFO

    • Checks supported languages

      • Built.exe (PID: 4068)
      • Built.exe (PID: 5360)
      • Built.exe (PID: 4448)
      • Built.exe (PID: 4724)

    • Create files in a temporary directory

      • Built.exe (PID: 4068)
      • Built.exe (PID: 4448)
      • Built.exe (PID: 4724)
      • MpCmdRun.exe (PID: 7788)
      • Built.exe (PID: 5360)

    • Reads the computer name

      • Built.exe (PID: 4068)
      • Built.exe (PID: 4448)
      • Built.exe (PID: 4724)

    • The sample compiled with english language support

      • Built.exe (PID: 4068)
      • Built.exe (PID: 4448)

    • Reads security settings of Internet Explorer

      • ComputerDefaults.exe (PID: 4164)
      • WMIC.exe (PID: 2384)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 3096)
      • powershell.exe (PID: 5008)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3096)
      • powershell.exe (PID: 5008)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:17 01:39:15+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 173568
InitializedDataSize: 95232
UninitializedDataSize: -
EntryPoint: 0xce20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.26100.1
ProductVersionNumber: 10.0.26100.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Dism Image Servicing Utility
FileVersion: 10.0.26100.1 (WinBuild.160101.0800)
InternalName: dism
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: DISM.EXE
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.26100.1
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
168
Monitored processes
38
Malicious processes
9
Suspicious processes
2

Behavior graph

Click at the process to see the details
start #BLANKGRABBER built.exe built.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs computerdefaults.exe no specs computerdefaults.exe no specs computerdefaults.exe #BLANKGRABBER built.exe cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs built.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs tasklist.exe no specs wmic.exe no specs svchost.exe mpcmdrun.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
472\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
728\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1012C:\WINDOWS\system32\cmd.exe /c "wmic csproduct get uuid"C:\Windows\System32\cmd.exeBuilt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1116\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1240C:\WINDOWS\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"C:\Windows\System32\cmd.exeBuilt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1812\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2236wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:textC:\Windows\System32\wevtutil.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Eventing Command Line Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wevtutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\combase.dll
2384wmic csproduct get uuidC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
2420"C:\WINDOWS\system32\ComputerDefaults.exe" --nouacbypassC:\Windows\System32\ComputerDefaults.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Set Program Access and Computer Defaults Control Panel
Exit code:
3221226540
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\computerdefaults.exe
c:\windows\system32\ntdll.dll
Total events
12 402
Read events
12 392
Write events
6
Delete events
4

Modification events

(PID) Process:(5204) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:writeName:DelegateExecute
Value:
(PID) Process:(4164) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(4164) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(4164) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(4164) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(5344) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:delete keyName:(default)
Value:
(PID) Process:(5344) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings\shell\open
Operation:delete keyName:(default)
Value:
(PID) Process:(5344) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings\shell
Operation:delete keyName:(default)
Value:
(PID) Process:(5344) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings
Operation:delete keyName:(default)
Value:
Executable files
114
Suspicious files
5
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
4068Built.exeC:\Users\admin\AppData\Local\Temp\_MEI40682\VCRUNTIME140.dllexecutable
MD5:862F820C3251E4CA6FC0AC00E4092239
SHA256:36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
4068Built.exeC:\Users\admin\AppData\Local\Temp\_MEI40682\_lzma.pydexecutable
MD5:042AC1B18A7F6FFF8ED09EC9EFA9E724
SHA256:0F44F360662DAAC7DB8ACBCE44557035E7E170B1309A4931DDE07CFAAD6019A0
4068Built.exeC:\Users\admin\AppData\Local\Temp\_MEI40682\api-ms-win-core-errorhandling-l1-1-0.dllexecutable
MD5:EB0978A9213E7F6FDD63B2967F02D999
SHA256:AB25A1FE836FC68BCB199F1FE565C27D26AF0C390A38DA158E0D8815EFE1103E
4068Built.exeC:\Users\admin\AppData\Local\Temp\_MEI40682\_decimal.pydexecutable
MD5:0E02B5BCDE73A3CC01534FBA80EC0462
SHA256:9E977DDFAD4A9D39AF792B547588C9C6682D35F92FBD44750B539C7C106D0159
4068Built.exeC:\Users\admin\AppData\Local\Temp\_MEI40682\_queue.pydexecutable
MD5:1073D3147F0D6A1880B78A5A5695FC70
SHA256:7F381A79FBFDBCABEC751773CB211D1B9D36F287AE9F46E07A46D4116F4D5B04
4068Built.exeC:\Users\admin\AppData\Local\Temp\_MEI40682\_ssl.pydexecutable
MD5:0A56191C7FB0AE4F75DE0859AEBA458F
SHA256:89A674036141ABE2F053E50A4FCD9B5FA58C7A6BB884FDDB512E047D04AC9D51
4068Built.exeC:\Users\admin\AppData\Local\Temp\_MEI40682\api-ms-win-core-file-l2-1-0.dllexecutable
MD5:BFFFA7117FD9B1622C66D949BAC3F1D7
SHA256:1EA267A2E6284F17DD548C6F2285E19F7EDB15D6E737A55391140CE5CB95225E
4068Built.exeC:\Users\admin\AppData\Local\Temp\_MEI40682\api-ms-win-core-datetime-l1-1-0.dllexecutable
MD5:CFE0C1DFDE224EA5FED9BD5FF778A6E0
SHA256:0D0F80CBF476AF5B1C9FD3775E086ED0DFDB510CD0CC208EC1CCB04572396E3E
4068Built.exeC:\Users\admin\AppData\Local\Temp\_MEI40682\api-ms-win-core-heap-l1-1-0.dllexecutable
MD5:ACCC640D1B06FB8552FE02F823126FF5
SHA256:332BA469AE84AA72EC8CCE2B33781DB1AB81A42ECE5863F7A3CB5A990059594F
4068Built.exeC:\Users\admin\AppData\Local\Temp\_MEI40682\api-ms-win-core-file-l1-1-0.dllexecutable
MD5:EFAD0EE0136532E8E8402770A64C71F9
SHA256:3D2C55902385381869DB850B526261DDEB4628B83E690A32B67D2E0936B2C6ED
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
21
DNS requests
16
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.168:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5332
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5332
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4724
Built.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.168:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6544
svchost.exe
40.126.31.129:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:137
whitelisted
6488
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5332
SIHClient.exe
20.12.23.50:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 23.48.23.168
  • 23.48.23.191
  • 23.48.23.181
  • 23.48.23.183
  • 23.48.23.174
  • 23.48.23.190
  • 23.48.23.167
  • 23.48.23.178
  • 23.48.23.180
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
login.live.com
  • 40.126.31.129
  • 40.126.31.131
  • 40.126.31.2
  • 40.126.31.128
  • 20.190.159.73
  • 40.126.31.73
  • 20.190.159.129
  • 20.190.159.75
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
blank-qlbbj.in
unknown
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
ip-api.com
  • 208.95.112.1
whitelisted

Threats

PID
Process
Class
Message
4724
Built.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Built.exe