File name:

ligma.exe

Full analysis: https://app.any.run/tasks/3946a58a-1a9c-4a3c-a13f-577d4a6150db
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks.

Malware Trends Tracker     >>>
Analysis date: January 19, 2025, 00:06:52
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
python
blankgrabber
pyinstaller
lumma
stealer
growtopia
discordgrabber
generic
susp-powershell
ims-api
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

A3D86FABBA9C330006A1735A15B4093B

SHA1:

F2AD62A418C0AC80CD08C2931F4C751E6ECDF8B2

SHA256:

8FA12A1A416D0B49877BB24CCB1587CC1A3398A88B22D9BCB6E2D534B2ECF30C

SSDEEP:

98304:XJ3mWu8MFZlu/gbH90KU+meINVq6btHfktEzafhOsE+XZ0hHHZPthn6YDEp1QFSq:M4UrAz5o+t

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • ligma.exe (PID: 6296)
      • ligma.exe (PID: 6316)
      • ligma.exe (PID: 6496)
      • ligma.exe (PID: 6544)

    • BlankGrabber has been detected

      • ligma.exe (PID: 6296)
      • ligma.exe (PID: 6496)

    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 6584)

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 6576)
      • ligma.exe (PID: 6544)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 6692)

    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 6692)

    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 6692)

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 6692)

    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 6692)

    • Changes settings for real-time protection

      • powershell.exe (PID: 6692)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 6692)

    • Resets Windows Defender malware definitions to the base version

      • MpCmdRun.exe (PID: 7040)

    • DISCORDGRABBER has been detected (YARA)

      • ligma.exe (PID: 6544)

    • LUMMA has been detected (SURICATA)

      • chrome.exe (PID: 5000)

    • GROWTOPIA has been detected (YARA)

      • ligma.exe (PID: 6544)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • ligma.exe (PID: 6296)
      • ligma.exe (PID: 6496)

    • The process drops C-runtime libraries

      • ligma.exe (PID: 6296)
      • ligma.exe (PID: 6496)

    • Application launched itself

      • ligma.exe (PID: 6296)
      • ligma.exe (PID: 6316)
      • ligma.exe (PID: 6496)

    • Process drops python dynamic module

      • ligma.exe (PID: 6296)
      • ligma.exe (PID: 6496)

    • Executable content was dropped or overwritten

      • ligma.exe (PID: 6296)
      • ligma.exe (PID: 6496)

    • Reads security settings of Internet Explorer

      • ligma.exe (PID: 6316)

    • Loads Python modules

      • ligma.exe (PID: 6316)
      • ligma.exe (PID: 6544)

    • Reads the date of Windows installation

      • ligma.exe (PID: 6316)

    • Starts CMD.EXE for commands execution

      • ligma.exe (PID: 6544)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 6576)

    • Found strings related to reading or modifying Windows Defender settings

      • ligma.exe (PID: 6544)

    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 6584)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 6584)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6584)
      • cmd.exe (PID: 6576)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • ligma.exe (PID: 6544)

    • Contacting a server suspected of hosting an CnC

      • chrome.exe (PID: 5000)

  • INFO

    • Checks supported languages

      • ligma.exe (PID: 6296)
      • ligma.exe (PID: 6316)
      • ligma.exe (PID: 6496)
      • ligma.exe (PID: 6544)
      • MpCmdRun.exe (PID: 7040)

    • Reads the computer name

      • ligma.exe (PID: 6296)
      • ligma.exe (PID: 6316)
      • ligma.exe (PID: 6496)
      • ligma.exe (PID: 6544)
      • MpCmdRun.exe (PID: 7040)

    • Reads the machine GUID from the registry

      • ligma.exe (PID: 6316)
      • ligma.exe (PID: 6544)

    • Create files in a temporary directory

      • ligma.exe (PID: 6316)
      • ligma.exe (PID: 6296)
      • ligma.exe (PID: 6496)
      • ligma.exe (PID: 6544)
      • MpCmdRun.exe (PID: 7040)

    • The sample compiled with english language support

      • ligma.exe (PID: 6296)
      • ligma.exe (PID: 6496)

    • The process uses the downloaded file

      • ligma.exe (PID: 6316)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6672)
      • powershell.exe (PID: 6692)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6672)
      • powershell.exe (PID: 6692)

    • Process checks computer location settings

      • ligma.exe (PID: 6316)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • ligma.exe (PID: 6544)

    • PyInstaller has been detected (YARA)

      • ligma.exe (PID: 6496)
      • ligma.exe (PID: 6544)

    • Manual execution by a user

      • chrome.exe (PID: 7132)

    • UPX packer has been detected

      • ligma.exe (PID: 6544)

    • Application launched itself

      • chrome.exe (PID: 7132)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:01:07 16:27:09+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.41
CodeSize: 172032
InitializedDataSize: 94208
UninitializedDataSize: -
EntryPoint: 0xce20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.22621.1
ProductVersionNumber: 10.0.22621.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Microsoft AuthHost
FileVersion: 10.0.22621.1 (WinBuild.160101.0800)
InternalName: AuthHost
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: AuthHost.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.22621.1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
140
Monitored processes
23
Malicious processes
8
Suspicious processes
2

Behavior graph

Click at the process to see the details
start #BLANKGRABBER ligma.exe ligma.exe no specs #BLANKGRABBER ligma.exe #GROWTOPIA ligma.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs rundll32.exe no specs mpcmdrun.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs #LUMMA chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
396"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1816 --field-trial-handle=1992,i,4642751097410774871,2237252978400075094,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
3564"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2336 --field-trial-handle=1992,i,4642751097410774871,2237252978400075094,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
3640"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5212 --field-trial-handle=1992,i,4642751097410774871,2237252978400075094,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
4024"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3700 --field-trial-handle=1992,i,4642751097410774871,2237252978400075094,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
4624"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3268 --field-trial-handle=1992,i,4642751097410774871,2237252978400075094,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
5000"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2172 --field-trial-handle=1992,i,4642751097410774871,2237252978400075094,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:3C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
6232"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3164 --field-trial-handle=1992,i,4642751097410774871,2237252978400075094,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
6296"C:\Users\admin\Downloads\ligma.exe" C:\Users\admin\Downloads\ligma.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft AuthHost
Exit code:
0
Version:
10.0.22621.1 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\downloads\ligma.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
6316"C:\Users\admin\Downloads\ligma.exe" C:\Users\admin\Downloads\ligma.exeligma.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft AuthHost
Exit code:
0
Version:
10.0.22621.1 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\downloads\ligma.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
6320"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4660 --field-trial-handle=1992,i,4642751097410774871,2237252978400075094,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
31 607
Read events
31 601
Write events
6
Delete events
0

Modification events

(PID) Process:(7132) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(7132) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(7132) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(7132) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
(PID) Process:(7132) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(7132) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Common\Rlz\Events\C
Operation:writeName:C1F
Value:
1
Executable files
114
Suspicious files
19
Text files
24
Unknown types
0

Dropped files

PID
Process
Filename
Type
6296ligma.exeC:\Users\admin\AppData\Local\Temp\_MEI62962\_ctypes.pydexecutable
MD5:31859B9A99A29127C4236968B87DBCBB
SHA256:644712C3475BE7F02C2493D75E6A831372D01243ACA61AA8A1418F57E6D0B713
6296ligma.exeC:\Users\admin\AppData\Local\Temp\_MEI62962\_queue.pydexecutable
MD5:BEBC7743E8AF7A812908FCB4CDD39168
SHA256:CC275B2B053410C6391339149BAF5B58DF121A915D18B889F184BE02BEDAF9BC
6296ligma.exeC:\Users\admin\AppData\Local\Temp\_MEI62962\api-ms-win-core-debug-l1-1-0.dllexecutable
MD5:33BBECE432F8DA57F17BF2E396EBAA58
SHA256:7CF0944901F7F7E0D0B9AD62753FC2FE380461B1CCE8CDC7E9C9867C980E3B0E
6296ligma.exeC:\Users\admin\AppData\Local\Temp\_MEI62962\api-ms-win-core-handle-l1-1-0.dllexecutable
MD5:E89CDCD4D95CDA04E4ABBA8193A5B492
SHA256:1A489E0606484BD71A0D9CB37A1DC6CA8437777B3D67BFC8C0075D0CC59E6238
6296ligma.exeC:\Users\admin\AppData\Local\Temp\_MEI62962\_decimal.pydexecutable
MD5:7CDC590AC9B4FFA52C8223823B648E5C
SHA256:F281BD8219B4B0655E9C3A5516FE0B36E44C28B0AC9170028DD052CA234C357C
6296ligma.exeC:\Users\admin\AppData\Local\Temp\_MEI62962\api-ms-win-core-datetime-l1-1-0.dllexecutable
MD5:CFE0C1DFDE224EA5FED9BD5FF778A6E0
SHA256:0D0F80CBF476AF5B1C9FD3775E086ED0DFDB510CD0CC208EC1CCB04572396E3E
6296ligma.exeC:\Users\admin\AppData\Local\Temp\_MEI62962\api-ms-win-core-interlocked-l1-1-0.dllexecutable
MD5:C6024CC04201312F7688A021D25B056D
SHA256:8751D30DF554AF08EF42D2FAA0A71ABCF8C7D17CE9E9FF2EA68A4662603EC500
6296ligma.exeC:\Users\admin\AppData\Local\Temp\_MEI62962\_ssl.pydexecutable
MD5:9A7AB96204E505C760921B98E259A572
SHA256:CAE09BBBB12AA339FD9226698E7C7F003A26A95390C7DC3A2D71A1E540508644
6296ligma.exeC:\Users\admin\AppData\Local\Temp\_MEI62962\VCRUNTIME140.dllexecutable
MD5:F34EB034AA4A9735218686590CBA2E8B
SHA256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
6296ligma.exeC:\Users\admin\AppData\Local\Temp\_MEI62962\_lzma.pydexecutable
MD5:864B22495372FA4D8B18E1C535962AE2
SHA256:FC57BD20B6B128AFA5FAAAC1FD0CE783031FAAF39F71B58C9CACF87A16F3325F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
44
DNS requests
13
Threats
2

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
ligma.exe
216.58.206.67:443
gstatic.com
GOOGLE
US
whitelisted
5064
SearchApp.exe
2.19.122.58:443
www.bing.com
Akamai International B.V.
DE
whitelisted
7132
chrome.exe
239.255.255.250:1900
whitelisted
5000
chrome.exe
142.250.186.131:443
clientservices.googleapis.com
GOOGLE
US
whitelisted
5000
chrome.exe
173.194.69.84:443
accounts.google.com
GOOGLE
US
whitelisted
5000
chrome.exe
172.217.16.196:443
www.google.com
GOOGLE
US
whitelisted
7132
chrome.exe
224.0.0.251:5353
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
whitelisted
gstatic.com
  • 216.58.206.67
whitelisted
www.bing.com
  • 2.19.122.58
  • 2.19.122.32
  • 2.19.122.20
  • 2.19.122.30
  • 2.19.122.39
  • 2.19.122.55
  • 2.19.122.46
  • 2.19.122.47
  • 2.19.122.56
whitelisted
clientservices.googleapis.com
  • 142.250.186.131
whitelisted
accounts.google.com
  • 173.194.69.84
whitelisted
www.google.com
  • 172.217.16.196
whitelisted
update.googleapis.com
  • 172.217.16.195
whitelisted
uncoverit.org
  • 104.21.55.153
  • 172.67.149.47
unknown

Threats

PID
Process
Class
Message
5000
chrome.exe
Domain Observed Used for C2 Detected
STEALER [ANY.RUN] Suspected Lumma domain by CrossDomain (uncoverit .org)
5000
chrome.exe
Domain Observed Used for C2 Detected
STEALER [ANY.RUN] Suspected Lumma domain by CrossDomain (uncoverit .org)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ligma.exe