File name:

SIGMA.exe

Full analysis: https://app.any.run/tasks/624979b3-b584-41f8-8136-80047ac81c03
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is open-source malware, with its code available on GitHub and regularly receiving updates. The Blank Grabber builder's simple interface lets even threat actors with basic skills deploy it and conduct attacks.

Analysis date: November 17, 2024, 15:34:34
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
blankgrabber
uac
evasion
websocket
python
discord
exfiltration
stealer
screenshot
pyinstaller
susp-powershell
growtopia
discordgrabber
generic
ims-api
umbralstealer
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:

30E6D63F20707C4B9B9A3025432E0046

SHA1:

7B3247927B9C6A48A153F0CAAF383FC5F0720D3A

SHA256:

80214672F15B4F10ED899F566DC70EF28123CB4C1C4D9E2DF08C404414571399

SSDEEP:

98304:Wcda+GmE/ZsG6TRAXfjE+DkVkFOBNdtL/tHfktEzafhOsE+XZ03SA2ibMlq0THN2:Aqxqe6rW44a+bAdjRUbdU4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • SIGMA.exe (PID: 5580)
      • SIGMA.exe (PID: 6756)
      • SIGMA.exe (PID: 5160)
      • SIGMA.exe (PID: 6168)
    • BlankGrabber has been detected

      • SIGMA.exe (PID: 5580)
      • SIGMA.exe (PID: 5160)
    • Bypass User Account Control (ComputerDefaults)

      • ComputerDefaults.exe (PID: 2980)
    • Bypass User Account Control (Modify registry)

      • reg.exe (PID: 6680)
    • Adds path to the Windows Defender exclusion list

      • SIGMA.exe (PID: 6168)
      • cmd.exe (PID: 5240)
      • cmd.exe (PID: 6024)
      • cmd.exe (PID: 6028)
    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 3128)
      • MpCmdRun.exe (PID: 7376)
    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 1336)
    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 1336)
    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 1336)
    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 1336)
    • Changes settings for real-time protection

      • powershell.exe (PID: 1336)
    • Create files in the Startup directory

      • SIGMA.exe (PID: 6168)
    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 1336)
    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 1336)
    • Attempting to use instant messaging service

      • bound.exe (PID: 7028)
    • Steals credentials from Web Browsers

      • SIGMA.exe (PID: 6168)
    • Stealers network behavior

      • bound.exe (PID: 7028)
    • Actions looks like stealing of personal data

      • SIGMA.exe (PID: 6168)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7524)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 7480)
    • Resets Windows Defender malware definitions to the base version

      • MpCmdRun.exe (PID: 7376)
    • DISCORDGRABBER has been detected (YARA)

      • SIGMA.exe (PID: 6168)
    • GROWTOPIA has been detected (YARA)

      • SIGMA.exe (PID: 6168)
    • UMBRALSTEALER has been detected (YARA)

      • SIGMA.exe (PID: 6168)
    • BLANKGRABBER has been detected (SURICATA)

      • SIGMA.exe (PID: 6168)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • SIGMA.exe (PID: 5580)
      • SIGMA.exe (PID: 6756)
      • SIGMA.exe (PID: 5160)
      • SIGMA.exe (PID: 6168)
    • Process drops legitimate windows executable

      • SIGMA.exe (PID: 5580)
      • SIGMA.exe (PID: 5160)
      • SIGMA.exe (PID: 6168)
    • The process drops C-runtime libraries

      • SIGMA.exe (PID: 5580)
      • SIGMA.exe (PID: 5160)
    • Process drops python dynamic module

      • SIGMA.exe (PID: 5580)
      • SIGMA.exe (PID: 5160)
    • Executable content was dropped or overwritten

      • SIGMA.exe (PID: 5580)
      • SIGMA.exe (PID: 5160)
      • SIGMA.exe (PID: 6168)
      • csc.exe (PID: 7316)
    • Application launched itself

      • SIGMA.exe (PID: 5580)
      • SIGMA.exe (PID: 5160)
    • Loads Python modules

      • SIGMA.exe (PID: 6756)
      • SIGMA.exe (PID: 6168)
    • Changes default file association

      • reg.exe (PID: 6680)
    • Uses WEVTUTIL.EXE to query events from a log or log file

      • cmd.exe (PID: 6324)
      • cmd.exe (PID: 948)
    • Starts CMD.EXE for commands execution

      • SIGMA.exe (PID: 6756)
      • SIGMA.exe (PID: 6168)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3648)
      • cmd.exe (PID: 6692)
      • cmd.exe (PID: 7156)
    • Found strings related to reading or modifying Windows Defender settings

      • SIGMA.exe (PID: 6756)
      • SIGMA.exe (PID: 6168)
    • Get information on the list of running processes

      • cmd.exe (PID: 6596)
      • SIGMA.exe (PID: 6168)
      • cmd.exe (PID: 3728)
      • cmd.exe (PID: 1372)
      • cmd.exe (PID: 7252)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 3828)
      • cmd.exe (PID: 7212)
      • cmd.exe (PID: 7044)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 5240)
      • cmd.exe (PID: 6024)
      • cmd.exe (PID: 6028)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6024)
      • cmd.exe (PID: 5240)
      • cmd.exe (PID: 3128)
      • cmd.exe (PID: 7244)
      • cmd.exe (PID: 6028)
      • cmd.exe (PID: 7480)
      • cmd.exe (PID: 8080)
      • cmd.exe (PID: 7588)
      • cmd.exe (PID: 5896)
      • cmd.exe (PID: 7328)
    • Checks for external IP

      • svchost.exe (PID: 2172)
      • SIGMA.exe (PID: 6168)
      • bound.exe (PID: 7028)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 5048)
      • WMIC.exe (PID: 7572)
    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 920)
      • cmd.exe (PID: 4304)
      • cmd.exe (PID: 6344)
    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 1372)
      • WMIC.exe (PID: 2280)
      • WMIC.exe (PID: 7304)
    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 3128)
    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 3128)
    • The executable file from the user directory is run by the CMD process

      • bound.exe (PID: 7028)
      • rar.exe (PID: 8180)
    • The process connected to a server suspected of theft

      • bound.exe (PID: 7028)
    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 7352)
    • Starts application with an unusual extension

      • cmd.exe (PID: 7272)
      • cmd.exe (PID: 7796)
      • cmd.exe (PID: 7908)
      • cmd.exe (PID: 7988)
      • cmd.exe (PID: 8080)
      • cmd.exe (PID: 8128)
    • Base64-obfuscated command line is found

      • cmd.exe (PID: 7480)
    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 7480)
    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 7320)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 7480)
    • Accesses antivirus product name via WMI (SCRIPT)

      • WMIC.exe (PID: 7296)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 7316)
    • Captures screenshot (POWERSHELL)

      • powershell.exe (PID: 7524)
    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 1248)
    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 5444)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • SIGMA.exe (PID: 6168)
    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 3864)
  • INFO

    • Checks supported languages

      • SIGMA.exe (PID: 5580)
      • SIGMA.exe (PID: 6756)
      • SIGMA.exe (PID: 6168)
      • SIGMA.exe (PID: 5160)
    • Create files in a temporary directory

      • SIGMA.exe (PID: 5580)
      • SIGMA.exe (PID: 6756)
      • SIGMA.exe (PID: 6168)
      • SIGMA.exe (PID: 5160)
    • Reads the computer name

      • SIGMA.exe (PID: 5580)
      • SIGMA.exe (PID: 5160)
    • The process uses the downloaded file

      • cmd.exe (PID: 5900)
    • Reads security settings of Internet Explorer

      • ComputerDefaults.exe (PID: 2980)
    • Creates files in the program directory

      • SIGMA.exe (PID: 6168)
    • Attempting to use instant messaging service

      • svchost.exe (PID: 2172)
      • bound.exe (PID: 7028)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4032)
      • powershell.exe (PID: 2648)
      • powershell.exe (PID: 1336)
      • powershell.exe (PID: 540)
    • The Powershell gets current clipboard

      • powershell.exe (PID: 7424)
    • Checks the directory tree

      • tree.com (PID: 7508)
      • tree.com (PID: 7812)
      • tree.com (PID: 7936)
      • tree.com (PID: 8040)
      • tree.com (PID: 8104)
      • tree.com (PID: 8164)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4032)
      • powershell.exe (PID: 1336)
      • powershell.exe (PID: 2648)
      • powershell.exe (PID: 540)
      • powershell.exe (PID: 7816)
      • powershell.exe (PID: 4408)
    • PyInstaller has been detected (YARA)

      • SIGMA.exe (PID: 5160)
      • SIGMA.exe (PID: 6168)
    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 7992)
    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • SIGMA.exe (PID: 6168)
    • UPX packer has been detected

      • SIGMA.exe (PID: 6168)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

PID 6168, SIGMA.exe
Discord-Webhook-Tokens (1): 1307689967241134131/bjp4xd22CftQBGn8IScCAkJM7pRcY57dh32G9GV1WINv467FARprQfKylTm1AoLr4-Wd
Discord-Info-Links: 1307689967241134131/bjp4xd22CftQBGn8IScCAkJM7pRcY57dh32G9GV1WINv467FARprQfKylTm1AoLr4-Wd
Get Webhook Info: https://discord.com/api/webhooks/1307689967241134131/bjp4xd22CftQBGn8IScCAkJM7pRcY57dh32G9GV1WINv467FARprQfKylTm1AoLr4-Wd
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:11:17 13:03:47+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.41
CodeSize: 176640
InitializedDataSize: 93696
UninitializedDataSize: -
EntryPoint: 0xc380
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
FileVersionNumber: 10.0.19041.4355
ProductVersionNumber: 10.0.19041.4355
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Registry Editor
FileVersion: 10.0.19041.4355 (WinBuild.160101.0800)
InternalName: REGEDIT
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: REGEDIT.EXE
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.4355
No data.
All screenshots are available in the full report
Total processes
229
Monitored processes
105
Malicious processes
13
Suspicious processes
9


Process information

PID | CMD | Path | Indicators | Parent process
PID: 540 | CMD: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎  ‍ .scr' | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 608 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 616 | CMD: C:\WINDOWS\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2" | Path: C:\Windows\System32\cmd.exe | Parent: SIGMA.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 920 | CMD: C:\WINDOWS\system32\cmd.exe /c "wmic path win32_VideoController get name" | Path: C:\Windows\System32\cmd.exe | Parent: SIGMA.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 948 | CMD: C:\WINDOWS\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text" | Path: C:\Windows\System32\cmd.exe | Parent: SIGMA.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1068 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1248 | CMD: wmic os get Caption | Path: C:\Windows\System32\wbem\WMIC.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 1336 | CMD: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1372 | CMD: wmic path win32_VideoController get name | Path: C:\Windows\System32\wbem\WMIC.exe | Parent: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 1372 | CMD: C:\WINDOWS\system32\cmd.exe /c "tasklist /FO LIST" | Path: C:\Windows\System32\cmd.exe | Parent: SIGMA.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
Total events
69 215
Read events
69 189
Write events
22
Delete events
4

Modification events

PID 6680, reg.exe
Key: HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation: write
Name: DelegateExecute
Value:

PID 2980, ComputerDefaults.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

PID 2980, ComputerDefaults.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

PID 2980, ComputerDefaults.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

PID 2980, ComputerDefaults.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

PID 3972, reg.exe
Key: HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation: delete key
Name: (default)
Value:

PID 3972, reg.exe
Key: HKEY_CLASSES_ROOT\ms-settings\shell\open
Operation: delete key
Name: (default)
Value:

PID 3972, reg.exe
Key: HKEY_CLASSES_ROOT\ms-settings\shell
Operation: delete key
Name: (default)
Value:

PID 3972, reg.exe
Key: HKEY_CLASSES_ROOT\ms-settings
Operation: delete key
Name: (default)
Value:

PID 7028, bound.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\bound_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0
Executable files
117
Suspicious files
16
Text files
56
Unknown types
2

Dropped files

PID | Process | Filename | Type

5580 | SIGMA.exe | C:\Users\admin\AppData\Local\Temp\_MEI55802\_bz2.pyd | executable
  MD5: 58FC4C56F7F400DE210E98CCB8FDC4B2
  SHA256: DFC195EBB59DC5E365EFD3853D72897B8838497E15C0977B6EDB1EB347F13150
5580 | SIGMA.exe | C:\Users\admin\AppData\Local\Temp\_MEI55802\_ctypes.pyd | executable
  MD5: 79879C679A12FAC03F472463BB8CEFF7
  SHA256: 8D1A21192112E13913CB77708C105034C5F251D64517017975AF8E0C4999EBA3
5580 | SIGMA.exe | C:\Users\admin\AppData\Local\Temp\_MEI55802\api-ms-win-core-file-l1-2-0.dll | executable
  MD5: 1C58526D681EFE507DEB8F1935C75487
  SHA256: EF13DCE8F71173315DFC64AB839B033AB19A968EE15230E9D4D2C9D558EFEEE2
5580 | SIGMA.exe | C:\Users\admin\AppData\Local\Temp\_MEI55802\_hashlib.pyd | executable
  MD5: D6F123C4453230743ADCC06211236BC0
  SHA256: 7A904FA6618157C34E24AAAC33FDF84035215D82C08EEC6983C165A49D785DC9
5580 | SIGMA.exe | C:\Users\admin\AppData\Local\Temp\_MEI55802\_queue.pyd | executable
  MD5: 513DCE65C09B3ABC516687F99A6971D8
  SHA256: D4BE41574C3E17792A25793E6F5BF171BAEEB4255C08CB6A5CD7705A91E896FC
5580 | SIGMA.exe | C:\Users\admin\AppData\Local\Temp\_MEI55802\_socket.pyd | executable
  MD5: 14392D71DFE6D6BDC3EBCDBDE3C4049C
  SHA256: A1E39E2386634069070903E2D9C2B51A42CB0D59C20B7BE50EF95C89C268DEB2
5580 | SIGMA.exe | C:\Users\admin\AppData\Local\Temp\_MEI55802\_lzma.pyd | executable
  MD5: 055EB9D91C42BB228A72BF5B7B77C0C8
  SHA256: DE342275A648207BEF9B9662C9829AF222B160975AD8925CC5612CD0F182414E
5580 | SIGMA.exe | C:\Users\admin\AppData\Local\Temp\_MEI55802\api-ms-win-core-heap-l1-1-0.dll | executable
  MD5: ACCC640D1B06FB8552FE02F823126FF5
  SHA256: 332BA469AE84AA72EC8CCE2B33781DB1AB81A42ECE5863F7A3CB5A990059594F
5580 | SIGMA.exe | C:\Users\admin\AppData\Local\Temp\_MEI55802\api-ms-win-core-console-l1-1-0.dll | executable
  MD5: E8B9D74BFD1F6D1CC1D99B24F44DA796
  SHA256: B1B3FD40AB437A43C8DB4994CCFFC7F88000CC8BB6E34A2BCBFF8E2464930C59
5580 | SIGMA.exe | C:\Users\admin\AppData\Local\Temp\_MEI55802\_sqlite3.pyd | executable
  MD5: 8CD40257514A16060D5D882788855B55
  SHA256: 7D53DF36EE9DA2DF36C2676CFAEA84EE87E7E2A15AD8123F6ABB48717C3BC891
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
31
DNS requests
13
Threats
17

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

1588 | RUXIMICS.exe | GET | 200 | 23.48.23.194:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6944 | svchost.exe | GET | 200 | 23.48.23.194:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.194:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1588 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6944 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 101 | 162.159.130.234:443 | https://gateway.discord.gg/?v=9&encording=json | unknown | - | - | -
- | - | GET | 204 | 142.250.184.195:443 | https://gstatic.com/generate_204 | unknown | - | - | -
6168 | SIGMA.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | - | - | shared
6168 | SIGMA.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/?fields=225545 | unknown | - | - | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1588 | RUXIMICS.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5488 | MoUsoCoreWorker.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 104.126.37.129:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
6944 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1588 | RUXIMICS.exe | 23.48.23.194:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6944 | svchost.exe | 23.48.23.194:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.48.23.194:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1588 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 104.126.37.129
  • 104.126.37.130
  • 104.126.37.179
  • 104.126.37.137
  • 104.126.37.163
  • 104.126.37.185
  • 104.126.37.136
  • 104.126.37.178
  • 104.126.37.170
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 23.48.23.194
  • 23.48.23.176
  • 23.48.23.143
  • 23.48.23.173
  • 23.48.23.145
  • 23.48.23.156
  • 23.48.23.147
  • 23.48.23.167
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
blank-qbrhb.in
unknown
ip-api.com
  • 208.95.112.1
shared
gateway.discord.gg
  • 162.159.134.234
  • 162.159.133.234
  • 162.159.136.234
  • 162.159.130.234
  • 162.159.135.234
whitelisted
gstatic.com
  • 216.58.206.67
whitelisted
discord.com
  • 162.159.138.232
  • 162.159.137.232
  • 162.159.135.232
  • 162.159.128.233
  • 162.159.136.232
whitelisted

Threats

PID | Process | Class | Message

2172 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
2172 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
6168 | SIGMA.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request
2172 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
7028 | bound.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
7028 | bound.exe | Successful Credential Theft Detected | STEALER [ANY.RUN] Attempt to exfiltrate via Discord
- | - | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method
2172 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain in DNS Lookup (geolocation-db .com)
7028 | bound.exe | Misc activity | ET INFO External IP Lookup Domain (geolocation-db .com) in TLS SNI
2 ETPRO signatures available at the full report
No debug info