File name:

Built.exe

Full analysis: https://app.any.run/tasks/3c6551bd-aec9-4e5a-81b2-93f559e67ee1
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks.

Malware Trends Tracker     >>>
Analysis date: August 07, 2024, 11:32:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
blankgrabber
python
pyinstaller
susp-powershell
discordgrabber
generic
stealer
growtopia
upx
telegram
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

F5C30613BBF54E7AAF8C26EEDD6DEFBD

SHA1:

FD022A5919A6425F524C24E0171B0FCF8D14A04E

SHA256:

42749186A582CF3627E54DE6A347D43580231686200AA8EB41E1D4809AD9A88E

SSDEEP:

98304:9EWUu8MSMCyP6w2H9sKWAUP8cim4XMOxYEhLQT3fISAPD4aP5kY/uvtGAV0PeOHW:I2g0AvXOhp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Built.exe (PID: 6432)
      • Built.exe (PID: 6596)
      • Built.exe (PID: 6652)
      • csc.exe (PID: 7172)

    • BlankGrabber has been detected

      • Built.exe (PID: 6432)
      • Built.exe (PID: 6596)

    • Create files in the Startup directory

      • Built.exe (PID: 6652)

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 6744)
      • Built.exe (PID: 6652)
      • cmd.exe (PID: 6824)

    • Windows Defender preferences modified via 'Set-MpPreference'

      • cmd.exe (PID: 6752)

    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 6752)
      • MpCmdRun.exe (PID: 7524)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 6160)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6540)

    • GROWTOPIA has been detected (YARA)

      • Built.exe (PID: 6652)

    • DISCORDGRABBER has been detected (YARA)

      • Built.exe (PID: 6652)

    • BLANKGRABBER has been detected (SURICATA)

      • Built.exe (PID: 6652)

    • Stealers network behavior

      • Built.exe (PID: 6652)

    • Actions looks like stealing of personal data

      • Built.exe (PID: 6652)

  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • Built.exe (PID: 6432)
      • Built.exe (PID: 6460)
      • Built.exe (PID: 6652)
      • Built.exe (PID: 6596)

    • The process drops C-runtime libraries

      • Built.exe (PID: 6432)
      • Built.exe (PID: 6596)

    • Process drops python dynamic module

      • Built.exe (PID: 6432)
      • Built.exe (PID: 6596)

    • Application launched itself

      • Built.exe (PID: 6432)
      • Built.exe (PID: 6460)
      • Built.exe (PID: 6596)

    • Reads security settings of Internet Explorer

      • Built.exe (PID: 6460)

    • Process drops legitimate windows executable

      • Built.exe (PID: 6432)
      • Built.exe (PID: 6596)
      • Built.exe (PID: 6652)

    • Executable content was dropped or overwritten

      • Built.exe (PID: 6432)
      • Built.exe (PID: 6596)
      • Built.exe (PID: 6652)
      • csc.exe (PID: 7172)

    • Reads the date of Windows installation

      • Built.exe (PID: 6460)

    • Loads Python modules

      • Built.exe (PID: 6460)
      • Built.exe (PID: 6652)

    • Found strings related to reading or modifying Windows Defender settings

      • Built.exe (PID: 6652)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 6752)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6752)
      • cmd.exe (PID: 6744)
      • cmd.exe (PID: 6160)
      • cmd.exe (PID: 6824)
      • cmd.exe (PID: 6348)
      • cmd.exe (PID: 7612)
      • cmd.exe (PID: 6948)
      • cmd.exe (PID: 7696)
      • cmd.exe (PID: 6500)

    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 6752)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 6824)
      • cmd.exe (PID: 6744)

    • Starts CMD.EXE for commands execution

      • Built.exe (PID: 6652)

    • Get information on the list of running processes

      • cmd.exe (PID: 3356)
      • cmd.exe (PID: 7144)
      • cmd.exe (PID: 7120)
      • Built.exe (PID: 6652)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 6428)
      • cmd.exe (PID: 7404)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 6160)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 1172)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 6160)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 6160)

    • Starts application with an unusual extension

      • cmd.exe (PID: 360)
      • cmd.exe (PID: 6648)
      • cmd.exe (PID: 2212)
      • cmd.exe (PID: 6524)
      • cmd.exe (PID: 876)
      • cmd.exe (PID: 6288)

    • Accesses antivirus product name via WMI (SCRIPT)

      • WMIC.exe (PID: 6284)

    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 7808)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 7928)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 7752)

    • The executable file from the user directory is run by the CMD process

      • rar.exe (PID: 7520)

    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 6816)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Built.exe (PID: 6652)

    • Checks for external IP

      • svchost.exe (PID: 2256)
      • Built.exe (PID: 6652)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 6540)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 5032)

  • INFO

    • Reads the computer name

      • Built.exe (PID: 6432)
      • Built.exe (PID: 6460)
      • Built.exe (PID: 6596)
      • Built.exe (PID: 6652)
      • MpCmdRun.exe (PID: 7524)

    • Create files in a temporary directory

      • Built.exe (PID: 6432)
      • Built.exe (PID: 6460)
      • Built.exe (PID: 6596)
      • Built.exe (PID: 6652)
      • cvtres.exe (PID: 7304)
      • csc.exe (PID: 7172)
      • MpCmdRun.exe (PID: 7524)
      • rar.exe (PID: 7520)

    • Process checks computer location settings

      • Built.exe (PID: 6460)

    • Reads the machine GUID from the registry

      • Built.exe (PID: 6460)
      • Built.exe (PID: 6652)
      • csc.exe (PID: 7172)
      • rar.exe (PID: 7520)

    • Checks supported languages

      • Built.exe (PID: 6460)
      • Built.exe (PID: 6432)
      • Built.exe (PID: 6652)
      • Built.exe (PID: 6596)
      • tree.com (PID: 4104)
      • tree.com (PID: 6836)
      • tree.com (PID: 7104)
      • csc.exe (PID: 7172)
      • tree.com (PID: 6156)
      • tree.com (PID: 6772)
      • tree.com (PID: 6720)
      • MpCmdRun.exe (PID: 7524)
      • cvtres.exe (PID: 7304)
      • rar.exe (PID: 7520)

    • Creates files in the program directory

      • Built.exe (PID: 6652)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 6300)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6284)
      • WMIC.exe (PID: 4844)
      • WMIC.exe (PID: 7808)
      • WMIC.exe (PID: 7752)
      • WMIC.exe (PID: 5032)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6876)
      • powershell.exe (PID: 6928)
      • powershell.exe (PID: 6884)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6884)
      • powershell.exe (PID: 6928)
      • powershell.exe (PID: 6876)
      • powershell.exe (PID: 7704)
      • powershell.exe (PID: 7032)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • Built.exe (PID: 6652)

    • PyInstaller has been detected (YARA)

      • Built.exe (PID: 6596)
      • Built.exe (PID: 6652)

    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 7916)

    • UPX packer has been detected

      • Built.exe (PID: 6652)

    • Attempting to use instant messaging service

      • Built.exe (PID: 6652)
      • svchost.exe (PID: 2256)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:08:07 11:30:58+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 168960
InitializedDataSize: 93184
UninitializedDataSize: -
EntryPoint: 0xc0d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.18362.449
ProductVersionNumber: 10.0.18362.449
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Ease of Access Dialog Host
FileVersion: 10.0.18362.449 (WinBuild.160101.0800)
InternalName: EaseOfAccessDialog.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: EaseOfAccessDialog.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.18362.449
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
221
Monitored processes
87
Malicious processes
5
Suspicious processes
5

Behavior graph

Click at the process to see the details
start #BLANKGRABBER built.exe built.exe no specs THREAT built.exe THREAT built.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs wmic.exe no specs tasklist.exe no specs powershell.exe no specs tree.com no specs systeminfo.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs tiworker.exe no specs csc.exe cvtres.exe no specs mpcmdrun.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs getmac.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs rar.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
252\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
360C:\WINDOWS\system32\cmd.exe /c "tree /A /F"C:\Windows\System32\cmd.exeBuilt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
876C:\WINDOWS\system32\cmd.exe /c "tree /A /F"C:\Windows\System32\cmd.exeBuilt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1044\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1172C:\WINDOWS\system32\cmd.exe /c "systeminfo"C:\Windows\System32\cmd.exeBuilt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1964\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2180\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2212C:\WINDOWS\system32\cmd.exe /c "tree /A /F"C:\Windows\System32\cmd.exeBuilt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
2256C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2508\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
68 457
Read events
68 446
Write events
11
Delete events
0

Modification events

(PID) Process:(6460) Built.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(6460) Built.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(6460) Built.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(6460) Built.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(5988) systeminfo.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:@%SystemRoot%\system32\mlang.dll,-4386
Value:
English (United States)
(PID) Process:(6516) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdHigh
Value:
31123645
(PID) Process:(6516) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdLow
Value:
Executable files
116
Suspicious files
14
Text files
38
Unknown types
0

Dropped files

PID
Process
Filename
Type
6432Built.exeC:\Users\admin\AppData\Local\Temp\_MEI64322\_decimal.pydexecutable
MD5:2030438E4F397A7D4241A701A3CA2419
SHA256:07D7AC065F25AF2C7498D5D93B1551CC43A4D4B5E8FB2F9293B647D0F7BD7C72
6432Built.exeC:\Users\admin\AppData\Local\Temp\_MEI64322\VCRUNTIME140.dllexecutable
MD5:F34EB034AA4A9735218686590CBA2E8B
SHA256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
6432Built.exeC:\Users\admin\AppData\Local\Temp\_MEI64322\api-ms-win-core-debug-l1-1-0.dllexecutable
MD5:FF461BD0830BC2F35BFFB3FABA52880D
SHA256:74D7E2CEBAE440D2C53EA4863C47D02775DED3603D44CFC66418C492B3F89612
6432Built.exeC:\Users\admin\AppData\Local\Temp\_MEI64322\_ssl.pydexecutable
MD5:A4DBA3F258344390EE9929B93754F673
SHA256:E0AA8CFA2E383820561BCE2AEE35B77A6902FF383076C237C7859CD894D37F49
6432Built.exeC:\Users\admin\AppData\Local\Temp\_MEI64322\_ctypes.pydexecutable
MD5:48CE90022E97F72114A95630BA43B8FB
SHA256:5998DE3112A710248D29DF76A05272775BF08A8DBC5A051A7ECB909FEF069635
6432Built.exeC:\Users\admin\AppData\Local\Temp\_MEI64322\api-ms-win-core-console-l1-1-0.dllexecutable
MD5:7235A669254FD5BE893B15338F2D7FC3
SHA256:6CBC74DAE3B82931C0835DFEA8F3D7319E3E5C0AA40FFA5F9C88B7EBA5E6953F
6432Built.exeC:\Users\admin\AppData\Local\Temp\_MEI64322\_socket.pydexecutable
MD5:0DD957099CF15D172D0A343886FB7C66
SHA256:8142D92DC7557E8C585EA9EE41146B77864B7529ED464FDF51DFB6D797828A4A
6432Built.exeC:\Users\admin\AppData\Local\Temp\_MEI64322\api-ms-win-core-datetime-l1-1-0.dllexecutable
MD5:F01D69D7A6E17FED29364349BC140B0E
SHA256:3478A04D9D101250389152F5C9B54DB6047AE4AF230DCCCC41F074FA09571FEC
6432Built.exeC:\Users\admin\AppData\Local\Temp\_MEI64322\_lzma.pydexecutable
MD5:7C66F33A67FBB4D99041F085EF3C6428
SHA256:32F911E178FA9E4DB9BD797598F84F9896F99E5022F2B76A1589B81F686B0866
6432Built.exeC:\Users\admin\AppData\Local\Temp\_MEI64322\api-ms-win-core-file-l2-1-0.dllexecutable
MD5:4F4DE51033972D6C2AD7FCC6E030263D
SHA256:417285F8881875CB9CF78B8B5CC7E6EA4BFA7C230F55A191D104F02E46E05B02
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
42
DNS requests
16
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5552
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
7284
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
7240
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6652
Built.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/?fields=225545
unknown
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2536
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2120
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2872
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:137
whitelisted
6652
Built.exe
142.250.185.227:443
gstatic.com
GOOGLE
US
whitelisted
3260
svchost.exe
40.115.3.253:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5552
svchost.exe
40.126.32.74:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5552
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.206
whitelisted
gstatic.com
  • 142.250.185.227
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
login.live.com
  • 40.126.32.74
  • 40.126.32.76
  • 20.190.160.17
  • 40.126.32.138
  • 40.126.32.72
  • 20.190.160.14
  • 40.126.32.134
  • 40.126.32.140
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
www.bing.com
  • 92.123.104.32
  • 92.123.104.22
  • 92.123.104.35
  • 92.123.104.23
  • 92.123.104.33
  • 92.123.104.26
  • 92.123.104.29
  • 92.123.104.30
  • 92.123.104.31
whitelisted
fd.api.iris.microsoft.com
  • 20.31.169.57
whitelisted
th.bing.com
  • 92.123.104.31
  • 92.123.104.32
  • 92.123.104.22
  • 92.123.104.35
  • 92.123.104.23
  • 92.123.104.33
  • 92.123.104.26
  • 92.123.104.29
  • 92.123.104.30
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted

Threats

PID
Process
Class
Message
2256
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2256
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
6652
Built.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
2256
svchost.exe
Misc activity
SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
6652
Built.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
2256
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
6652
Built.exe
A Network Trojan was detected
STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Built.exe