File name: Built.exe
Full analysis: https://app.any.run/tasks/3c6551bd-aec9-4e5a-81b2-93f559e67ee1
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is open-source malware, with its code available on GitHub and regularly receiving updates. The Blank Grabber builder's simple interface lets threat actors with even basic skills deploy it and conduct attacks.

Analysis date: August 07, 2024, 11:32:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
blankgrabber
python
pyinstaller
susp-powershell
discordgrabber
generic
stealer
growtopia
upx
telegram
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5: F5C30613BBF54E7AAF8C26EEDD6DEFBD
SHA1: FD022A5919A6425F524C24E0171B0FCF8D14A04E
SHA256: 42749186A582CF3627E54DE6A347D43580231686200AA8EB41E1D4809AD9A88E
SSDEEP: 98304:9EWUu8MSMCyP6w2H9sKWAUP8cim4XMOxYEhLQT3fISAPD4aP5kY/uvtGAV0PeOHW:I2g0AvXOhp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Built.exe (PID: 6432)
      • Built.exe (PID: 6596)
      • Built.exe (PID: 6652)
      • csc.exe (PID: 7172)
    • BlankGrabber has been detected

      • Built.exe (PID: 6432)
      • Built.exe (PID: 6596)
    • Adds path to the Windows Defender exclusion list

      • Built.exe (PID: 6652)
      • cmd.exe (PID: 6744)
      • cmd.exe (PID: 6824)
    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 6752)
      • MpCmdRun.exe (PID: 7524)
    • Windows Defender preferences modified via 'Set-MpPreference'

      • cmd.exe (PID: 6752)
    • Create files in the Startup directory

      • Built.exe (PID: 6652)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 6160)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6540)
    • GROWTOPIA has been detected (YARA)

      • Built.exe (PID: 6652)
    • DISCORDGRABBER has been detected (YARA)

      • Built.exe (PID: 6652)
    • Stealers network behavior

      • Built.exe (PID: 6652)
    • BLANKGRABBER has been detected (SURICATA)

      • Built.exe (PID: 6652)
    • Actions looks like stealing of personal data

      • Built.exe (PID: 6652)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • Built.exe (PID: 6432)
      • Built.exe (PID: 6460)
      • Built.exe (PID: 6596)
      • Built.exe (PID: 6652)
    • Process drops legitimate windows executable

      • Built.exe (PID: 6432)
      • Built.exe (PID: 6596)
      • Built.exe (PID: 6652)
    • Executable content was dropped or overwritten

      • Built.exe (PID: 6432)
      • Built.exe (PID: 6596)
      • Built.exe (PID: 6652)
      • csc.exe (PID: 7172)
    • Process drops python dynamic module

      • Built.exe (PID: 6432)
      • Built.exe (PID: 6596)
    • Application launched itself

      • Built.exe (PID: 6432)
      • Built.exe (PID: 6596)
      • Built.exe (PID: 6460)
    • Reads security settings of Internet Explorer

      • Built.exe (PID: 6460)
    • Reads the date of Windows installation

      • Built.exe (PID: 6460)
    • The process drops C-runtime libraries

      • Built.exe (PID: 6432)
      • Built.exe (PID: 6596)
    • Loads Python modules

      • Built.exe (PID: 6460)
      • Built.exe (PID: 6652)
    • Found strings related to reading or modifying Windows Defender settings

      • Built.exe (PID: 6652)
    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 6752)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6752)
      • cmd.exe (PID: 6744)
      • cmd.exe (PID: 6824)
      • cmd.exe (PID: 6348)
      • cmd.exe (PID: 6160)
      • cmd.exe (PID: 7612)
      • cmd.exe (PID: 6948)
      • cmd.exe (PID: 7696)
      • cmd.exe (PID: 6500)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 6744)
      • cmd.exe (PID: 6824)
    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 6752)
    • Starts CMD.EXE for commands execution

      • Built.exe (PID: 6652)
    • Get information on the list of running processes

      • cmd.exe (PID: 7120)
      • cmd.exe (PID: 3356)
      • Built.exe (PID: 6652)
      • cmd.exe (PID: 7144)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 6428)
      • cmd.exe (PID: 7404)
    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 6160)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 6160)
    • Starts application with an unusual extension

      • cmd.exe (PID: 360)
      • cmd.exe (PID: 6524)
      • cmd.exe (PID: 2212)
      • cmd.exe (PID: 876)
      • cmd.exe (PID: 6288)
      • cmd.exe (PID: 6648)
    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 1172)
    • Base64-obfuscated command line is found

      • cmd.exe (PID: 6160)
    • Accesses antivirus product name via WMI (SCRIPT)

      • WMIC.exe (PID: 6284)
    • The executable file from the user directory is run by the CMD process

      • rar.exe (PID: 7520)
    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 6816)
    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 7808)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 7752)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Built.exe (PID: 6652)
    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 6540)
    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 5032)
    • Checks for external IP

      • svchost.exe (PID: 2256)
      • Built.exe (PID: 6652)
    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 7928)
  • INFO

    • Reads the computer name

      • Built.exe (PID: 6432)
      • Built.exe (PID: 6460)
      • Built.exe (PID: 6596)
      • Built.exe (PID: 6652)
      • MpCmdRun.exe (PID: 7524)
    • Create files in a temporary directory

      • Built.exe (PID: 6432)
      • Built.exe (PID: 6460)
      • Built.exe (PID: 6596)
      • Built.exe (PID: 6652)
      • cvtres.exe (PID: 7304)
      • csc.exe (PID: 7172)
      • MpCmdRun.exe (PID: 7524)
      • rar.exe (PID: 7520)
    • Reads the machine GUID from the registry

      • Built.exe (PID: 6460)
      • Built.exe (PID: 6652)
      • csc.exe (PID: 7172)
      • rar.exe (PID: 7520)
    • Checks supported languages

      • Built.exe (PID: 6460)
      • Built.exe (PID: 6432)
      • Built.exe (PID: 6596)
      • Built.exe (PID: 6652)
      • tree.com (PID: 6156)
      • tree.com (PID: 6772)
      • tree.com (PID: 4104)
      • csc.exe (PID: 7172)
      • tree.com (PID: 6836)
      • tree.com (PID: 7104)
      • tree.com (PID: 6720)
      • cvtres.exe (PID: 7304)
      • MpCmdRun.exe (PID: 7524)
      • rar.exe (PID: 7520)
    • Process checks computer location settings

      • Built.exe (PID: 6460)
    • Creates files in the program directory

      • Built.exe (PID: 6652)
    • The Powershell gets current clipboard

      • powershell.exe (PID: 6300)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6284)
      • WMIC.exe (PID: 7808)
      • WMIC.exe (PID: 4844)
      • WMIC.exe (PID: 7752)
      • WMIC.exe (PID: 5032)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6876)
      • powershell.exe (PID: 6884)
      • powershell.exe (PID: 6928)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6928)
      • powershell.exe (PID: 6884)
      • powershell.exe (PID: 6876)
      • powershell.exe (PID: 7704)
      • powershell.exe (PID: 7032)
    • PyInstaller has been detected (YARA)

      • Built.exe (PID: 6652)
      • Built.exe (PID: 6596)
    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • Built.exe (PID: 6652)
    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 7916)
    • UPX packer has been detected

      • Built.exe (PID: 6652)
    • Attempting to use instant messaging service

      • Built.exe (PID: 6652)
      • svchost.exe (PID: 2256)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:08:07 11:30:58+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 168960
InitializedDataSize: 93184
UninitializedDataSize: -
EntryPoint: 0xc0d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.18362.449
ProductVersionNumber: 10.0.18362.449
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Ease of Access Dialog Host
FileVersion: 10.0.18362.449 (WinBuild.160101.0800)
InternalName: EaseOfAccessDialog.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: EaseOfAccessDialog.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.18362.449
Total processes: 221
Monitored processes: 87
Malicious processes: 5
Suspicious processes: 5

Behavior graph

(Interactive process graph, available in the full report. Processes shown: Built.exe (flagged BLANKGRABBER), spawning cmd.exe, conhost.exe, powershell.exe, tasklist.exe, wmic.exe, tree.com, systeminfo.exe, tiworker.exe, csc.exe, cvtres.exe, mpcmdrun.exe, getmac.exe, rar.exe and svchost.exe.)

Process information

PID: 252
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images, all in c:\windows\system32\): conhost.exe, ntdll.dll, kernel32.dll, kernelbase.dll, msvcp_win.dll, ucrtbase.dll, shcore.dll, msvcrt.dll, combase.dll, rpcrt4.dll

PID: 360
CMD: C:\WINDOWS\system32\cmd.exe /c "tree /A /F"
Path: C:\Windows\System32\cmd.exe
Parent process: Built.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images, all in c:\windows\system32\): cmd.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, msvcrt.dll, combase.dll, ucrtbase.dll, rpcrt4.dll, sechost.dll

PID: 876
CMD: C:\WINDOWS\system32\cmd.exe /c "tree /A /F"
Path: C:\Windows\System32\cmd.exe
Parent process: Built.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images, all in c:\windows\system32\): cmd.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, msvcrt.dll, combase.dll, ucrtbase.dll, rpcrt4.dll, sechost.dll

PID: 1044
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images, all in c:\windows\system32\): conhost.exe, ntdll.dll, kernel32.dll, kernelbase.dll, msvcp_win.dll, ucrtbase.dll, shcore.dll, msvcrt.dll, combase.dll, rpcrt4.dll

PID: 1172
CMD: C:\WINDOWS\system32\cmd.exe /c "systeminfo"
Path: C:\Windows\System32\cmd.exe
Parent process: Built.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images, all in c:\windows\system32\): cmd.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, msvcrt.dll, combase.dll, ucrtbase.dll, rpcrt4.dll, sechost.dll

PID: 1964
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images, all in c:\windows\system32\): conhost.exe, ntdll.dll, kernel32.dll, kernelbase.dll, msvcp_win.dll, ucrtbase.dll, shcore.dll, msvcrt.dll, combase.dll, rpcrt4.dll

PID: 2180
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images, all in c:\windows\system32\): conhost.exe, ntdll.dll, kernel32.dll, kernelbase.dll, msvcp_win.dll, ucrtbase.dll, shcore.dll, msvcrt.dll, combase.dll, rpcrt4.dll

PID: 2212
CMD: C:\WINDOWS\system32\cmd.exe /c "tree /A /F"
Path: C:\Windows\System32\cmd.exe
Parent process: Built.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images, all in c:\windows\system32\): cmd.exe, ntdll.dll, kernel32.dll, kernelbase.dll, apphelp.dll, msvcrt.dll, combase.dll, ucrtbase.dll, rpcrt4.dll, sechost.dll

PID: 2256
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images, all in c:\windows\system32\): svchost.exe, ntdll.dll, kernel32.dll, kernelbase.dll, sechost.dll, rpcrt4.dll, bcrypt.dll, ucrtbase.dll, combase.dll, kernel.appcore.dll

PID: 2508
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images, all in c:\windows\system32\): conhost.exe, ntdll.dll, kernel32.dll, kernelbase.dll, msvcp_win.dll, ucrtbase.dll, shcore.dll, msvcrt.dll, combase.dll, rpcrt4.dll
Total events: 68 457
Read events: 68 446
Write events: 11
Delete events: 0

Modification events

(PID) Process: (6460) Built.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6460) Built.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6460) Built.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6460) Built.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (5988) systeminfo.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation: write
Name: @%SystemRoot%\system32\mlang.dll,-4386
Value: English (United States)

(PID) Process: (6516) TiWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write
Name: SessionIdHigh
Value: 31123645

(PID) Process: (6516) TiWorker.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation: write
Name: SessionIdLow
Value:
Executable files: 116
Suspicious files: 14
Text files: 38
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6432 | Built.exe | C:\Users\admin\AppData\Local\Temp\_MEI64322\_queue.pyd | executable
MD5:F9D8B75CCB258B8BC4EEF7311C6D611D
SHA256:B3D9763FC71B001A1A2CC430946933E3832F859EB7857B590F8DAEEF8017179C
6432 | Built.exe | C:\Users\admin\AppData\Local\Temp\_MEI64322\_lzma.pyd | executable
MD5:7C66F33A67FBB4D99041F085EF3C6428
SHA256:32F911E178FA9E4DB9BD797598F84F9896F99E5022F2B76A1589B81F686B0866
6432 | Built.exe | C:\Users\admin\AppData\Local\Temp\_MEI64322\VCRUNTIME140.dll | executable
MD5:F34EB034AA4A9735218686590CBA2E8B
SHA256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
6432 | Built.exe | C:\Users\admin\AppData\Local\Temp\_MEI64322\_decimal.pyd | executable
MD5:2030438E4F397A7D4241A701A3CA2419
SHA256:07D7AC065F25AF2C7498D5D93B1551CC43A4D4B5E8FB2F9293B647D0F7BD7C72
6432 | Built.exe | C:\Users\admin\AppData\Local\Temp\_MEI64322\_sqlite3.pyd | executable
MD5:DDE6BAB39ABD5FCE90860584D4E35F49
SHA256:C84E5F739CE046B4582663A3017F31FE9AE5E706E087AC4C5FF11C7BBA07B5F9
6432 | Built.exe | C:\Users\admin\AppData\Local\Temp\_MEI64322\_socket.pyd | executable
MD5:0DD957099CF15D172D0A343886FB7C66
SHA256:8142D92DC7557E8C585EA9EE41146B77864B7529ED464FDF51DFB6D797828A4A
6432 | Built.exe | C:\Users\admin\AppData\Local\Temp\_MEI64322\_hashlib.pyd | executable
MD5:13F99120A244AB62AF1684FBBC5D5A7E
SHA256:11658B52E7166DA976ABEEED78A940D69B2F11F518046877BEA799759A17F58B
6432 | Built.exe | C:\Users\admin\AppData\Local\Temp\_MEI64322\_bz2.pyd | executable
MD5:F6E387F20808828796E876682A328E98
SHA256:8886BD30421C6C6BFAE17847002B9BF4EE4D9EEE1A3BE7369EE66B36E26C372B
6432 | Built.exe | C:\Users\admin\AppData\Local\Temp\_MEI64322\_ctypes.pyd | executable
MD5:48CE90022E97F72114A95630BA43B8FB
SHA256:5998DE3112A710248D29DF76A05272775BF08A8DBC5A051A7ECB909FEF069635
6432 | Built.exe | C:\Users\admin\AppData\Local\Temp\_MEI64322\api-ms-win-core-interlocked-l1-1-0.dll | executable
MD5:6A2C0B783D760B433FF8468F77DBBF84
SHA256:9D76C51ED5F676E9436984A7908E0280FB9C7AE4BB2E4D9F1FBBD551884AD096
HTTP(S) requests: 5
TCP/UDP connections: 42
DNS requests: 16
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5552 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
7284 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
7240 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
6652 | Built.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/?fields=225545 | unknown | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2536 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
2120 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2872 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
6652 | Built.exe | 142.250.185.227:443 | gstatic.com | GOOGLE | US | whitelisted
3260 | svchost.exe | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5552 | svchost.exe | 40.126.32.74:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5552 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
google.com | 142.250.185.206 | whitelisted
gstatic.com | 142.250.185.227 | whitelisted
client.wns.windows.com | 40.115.3.253 | whitelisted
login.live.com | 40.126.32.74, 40.126.32.76, 20.190.160.17, 40.126.32.138, 40.126.32.72, 20.190.160.14, 40.126.32.134, 40.126.32.140 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
www.bing.com | 92.123.104.32, 92.123.104.22, 92.123.104.35, 92.123.104.23, 92.123.104.33, 92.123.104.26, 92.123.104.29, 92.123.104.30, 92.123.104.31 | whitelisted
fd.api.iris.microsoft.com | 20.31.169.57 | whitelisted
th.bing.com | 92.123.104.31, 92.123.104.32, 92.123.104.22, 92.123.104.35, 92.123.104.23, 92.123.104.33, 92.123.104.26, 92.123.104.29, 92.123.104.30 | whitelisted
arc.msn.com | 20.223.35.26 | whitelisted

Threats

PID | Process | Class | Message
2256 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
2256 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
6652 | Built.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
2256 | svchost.exe | Misc activity | SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
6652 | Built.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
2256 | svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup
6652 | Built.exe | A Network Trojan was detected | STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
No debug info