File name:

WeMod-Setup.exe

Full analysis: https://app.any.run/tasks/6ac8ba49-5b1a-4c5b-968e-71faea389872
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks.

Malware Trends Tracker     >>>
Analysis date: April 20, 2025, 15:20:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
python
stealer
screenshot
blankgrabber
telegram
pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

B5D9EC4463780FE7FF0CAD5B7E794EC2

SHA1:

69AB8569815E707ACC253A3B1FD98F2559A2C7C0

SHA256:

106E7414F8277F8DC4B666BC1AB54E97B0192E677F4823D3FDD265BF1366F870

SSDEEP:

98304:XwhWmAuO/7MKXKvgAbcuzB+cbdBKKho6yLUmIhmEsgNx/1hdExas3lAKWDgN/RgW:QthMXiz9papGsqjjan

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes Windows Defender settings

      • cmd.exe (PID: 7776)
      • cmd.exe (PID: 7768)

    • Adds path to the Windows Defender exclusion list

      • VegaStealer_v1.exe (PID: 7728)
      • cmd.exe (PID: 7768)

    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 7776)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 7972)

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 7972)

    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 7972)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 7972)

    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 7972)

    • Changes settings for real-time protection

      • powershell.exe (PID: 7972)

    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 7972)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 8196)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 7352)

    • Steals credentials from Web Browsers

      • VegaStealer_v1.exe (PID: 7728)

    • Actions looks like stealing of personal data

      • VegaStealer_v1.exe (PID: 7728)

    • Resets Windows Defender malware definitions to the base version

      • MpCmdRun.exe (PID: 7332)

    • BLANKGRABBER has been detected (SURICATA)

      • VegaStealer_v1.exe (PID: 7728)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WeMod-Setup.exe (PID: 7440)
      • VegaStealer_v1.exe (PID: 7496)
      • csc.exe (PID: 8976)

    • Reads security settings of Internet Explorer

      • WeMod-Setup.exe (PID: 7440)
      • WeMod_Setup.exe (PID: 7536)

    • Process drops legitimate windows executable

      • VegaStealer_v1.exe (PID: 7496)

    • Reads Microsoft Outlook installation path

      • WeMod_Setup.exe (PID: 7536)

    • Process drops python dynamic module

      • VegaStealer_v1.exe (PID: 7496)

    • The process drops C-runtime libraries

      • VegaStealer_v1.exe (PID: 7496)

    • Get information on the list of running processes

      • VegaStealer_v1.exe (PID: 7728)
      • cmd.exe (PID: 7804)
      • cmd.exe (PID: 7948)
      • cmd.exe (PID: 7792)
      • cmd.exe (PID: 6476)

    • Starts CMD.EXE for commands execution

      • VegaStealer_v1.exe (PID: 7728)

    • Found strings related to reading or modifying Windows Defender settings

      • VegaStealer_v1.exe (PID: 7728)

    • Loads Python modules

      • VegaStealer_v1.exe (PID: 7728)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 7768)

    • Application launched itself

      • VegaStealer_v1.exe (PID: 7496)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 7776)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7768)
      • cmd.exe (PID: 7776)
      • cmd.exe (PID: 7352)
      • cmd.exe (PID: 8072)
      • cmd.exe (PID: 9000)
      • cmd.exe (PID: 7480)
      • cmd.exe (PID: 8644)
      • cmd.exe (PID: 7308)

    • Reads Internet Explorer settings

      • WeMod_Setup.exe (PID: 7536)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 7892)
      • cmd.exe (PID: 7908)
      • cmd.exe (PID: 7896)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 8072)
      • WMIC.exe (PID: 8480)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 6272)
      • cmd.exe (PID: 6032)
      • cmd.exe (PID: 7452)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 5376)
      • WMIC.exe (PID: 7352)
      • WMIC.exe (PID: 8848)

    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 7776)

    • Starts application with an unusual extension

      • cmd.exe (PID: 4812)
      • cmd.exe (PID: 8444)
      • cmd.exe (PID: 8620)
      • cmd.exe (PID: 8720)
      • cmd.exe (PID: 8800)
      • cmd.exe (PID: 8352)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 1764)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 7352)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 7288)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 7352)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 7352)

    • Checks for external IP

      • VegaStealer_v1.exe (PID: 7728)
      • svchost.exe (PID: 2196)

    • Accesses antivirus product name via WMI (SCRIPT)

      • WMIC.exe (PID: 5608)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 8976)

    • There is functionality for taking screenshot (YARA)

      • VegaStealer_v1.exe (PID: 7496)

    • Captures screenshot (POWERSHELL)

      • powershell.exe (PID: 8196)

    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 2236)

    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 632)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 1388)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • VegaStealer_v1.exe (PID: 7728)

  • INFO

    • Reads the computer name

      • WeMod-Setup.exe (PID: 7440)
      • VegaStealer_v1.exe (PID: 7496)
      • WeMod_Setup.exe (PID: 7536)
      • VegaStealer_v1.exe (PID: 7728)
      • MpCmdRun.exe (PID: 7332)

    • Checks supported languages

      • VegaStealer_v1.exe (PID: 7496)
      • WeMod-Setup.exe (PID: 7440)
      • WeMod_Setup.exe (PID: 7536)
      • VegaStealer_v1.exe (PID: 7728)
      • tree.com (PID: 7256)
      • tree.com (PID: 8412)
      • tree.com (PID: 8504)
      • tree.com (PID: 8692)
      • tree.com (PID: 8780)
      • tree.com (PID: 8860)
      • csc.exe (PID: 8976)
      • cvtres.exe (PID: 9184)
      • MpCmdRun.exe (PID: 7332)

    • Create files in a temporary directory

      • WeMod-Setup.exe (PID: 7440)
      • VegaStealer_v1.exe (PID: 7496)
      • VegaStealer_v1.exe (PID: 7728)
      • csc.exe (PID: 8976)
      • WeMod_Setup.exe (PID: 7536)
      • cvtres.exe (PID: 9184)
      • MpCmdRun.exe (PID: 7332)

    • Process checks computer location settings

      • WeMod-Setup.exe (PID: 7440)

    • The sample compiled with english language support

      • VegaStealer_v1.exe (PID: 7496)

    • Reads the machine GUID from the registry

      • WeMod_Setup.exe (PID: 7536)
      • csc.exe (PID: 8976)

    • Reads the software policy settings

      • WeMod_Setup.exe (PID: 7536)

    • Creates files or folders in the user directory

      • WeMod_Setup.exe (PID: 7536)

    • Checks proxy server information

      • WeMod_Setup.exe (PID: 7536)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 8072)
      • WMIC.exe (PID: 5376)
      • WMIC.exe (PID: 7352)
      • WMIC.exe (PID: 5608)
      • WMIC.exe (PID: 632)
      • WMIC.exe (PID: 6592)
      • WMIC.exe (PID: 8480)
      • WMIC.exe (PID: 8848)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 1056)

    • Checks the directory tree

      • tree.com (PID: 7256)
      • tree.com (PID: 8504)
      • tree.com (PID: 8412)
      • tree.com (PID: 8692)
      • tree.com (PID: 8780)
      • tree.com (PID: 8860)

    • Reads Environment values

      • WeMod_Setup.exe (PID: 7536)

    • PyInstaller has been detected (YARA)

      • VegaStealer_v1.exe (PID: 7496)

    • Disables trace logs

      • WeMod_Setup.exe (PID: 7536)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7972)
      • powershell.exe (PID: 7964)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 9080)
      • powershell.exe (PID: 7972)
      • powershell.exe (PID: 7964)
      • powershell.exe (PID: 2136)

    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 7948)

    • Attempting to use instant messaging service

      • svchost.exe (PID: 2196)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ 4.x (75)
.exe | Win64 Executable (generic) (15.3)
.dll | Win32 Dynamic Link Library (generic) (3.6)
.exe | Win32 Executable (generic) (2.5)
.exe | Win16/32 Executable Delphi generic (1.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:06:15 16:44:28+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 5.12
CodeSize: 3584
InitializedDataSize: 10132992
UninitializedDataSize: -
EntryPoint: 0x1ae1
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 8.0.0.0
ProductVersionNumber: 8.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: WeMod Setup
CompanyName: WeMod LLC
FileDescription: WeMod Setup
FileVersion: 8.0.0.0
InternalName: WeMod-Setup.exe
LegalCopyright: Copyright © WeMod LLC 2022
LegalTrademarks: -
OriginalFileName: WeMod-Setup.exe
ProductName: WeMod
ProductVersion: 8.0.0.0
AssemblyVersion: 8.0.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
237
Monitored processes
108
Malicious processes
6
Suspicious processes
4

Behavior graph

Click at the process to see the details
start wemod-setup.exe vegastealer_v1.exe sppextcomobj.exe no specs wemod_setup.exe slui.exe no specs #BLANKGRABBER vegastealer_v1.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs tasklist.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs svchost.exe reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs tasklist.exe no specs powershell.exe no specs wmic.exe no specs netsh.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs tree.com no specs conhost.exe no specs conhost.exe no specs reg.exe no specs powershell.exe no specs systeminfo.exe no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs csc.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs cvtres.exe no specs mpcmdrun.exe no specs tiworker.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs getmac.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs wemod-setup.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
516\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
616REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
632wmic os get CaptionC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
780C:\WINDOWS\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"C:\Windows\System32\cmd.exeVegaStealer_v1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1056powershell Get-ClipboardC:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
1388C:\WINDOWS\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"C:\Windows\System32\cmd.exeVegaStealer_v1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1568\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1660tasklist /FO LISTC:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1764C:\WINDOWS\system32\cmd.exe /c "netsh wlan show profile"C:\Windows\System32\cmd.exeVegaStealer_v1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
2136powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITYC:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events
54 182
Read events
54 162
Write events
20
Delete events
0

Modification events

(PID) Process:(7536) WeMod_Setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7536) WeMod_Setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7536) WeMod_Setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7728) VegaStealer_v1.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib
Operation:writeName: 1280x720x32(BGR 0)
Value:
31,31,31,31
(PID) Process:(7536) WeMod_Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod_Setup_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(7536) WeMod_Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod_Setup_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(7536) WeMod_Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod_Setup_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(7536) WeMod_Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod_Setup_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(7536) WeMod_Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod_Setup_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(7536) WeMod_Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod_Setup_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
Executable files
61
Suspicious files
41
Text files
34
Unknown types
0

Dropped files

PID
Process
Filename
Type
7440WeMod-Setup.exeC:\Users\admin\AppData\Local\Temp\WeMod_Setup.exeexecutable
MD5:C51DE991E9F12989F706382423F25829
SHA256:DD49DF1955D1FB85F497B90561488F8B1913401C1A90EF24D07C27B42D1929AC
7496VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI74962\VCRUNTIME140.dllexecutable
MD5:4585A96CC4EEF6AAFD5E27EA09147DC6
SHA256:A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
7440WeMod-Setup.exeC:\Users\admin\AppData\Local\Temp\VegaStealer_v1.exeexecutable
MD5:243DCA248CABCEFAC70874F55AB362C6
SHA256:2C67E60F81A501036DE89E28887A9103598B69B3EF57BBFE4FE3C4CC418482D5
7496VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI74962\_queue.pydexecutable
MD5:6E00E0821BB519333CCFD4E61A83CB38
SHA256:2AD02D49691A629F038F48FCDEE46A07C4FCC2CB0620086E7B09AC11915AE6B7
7496VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI74962\_sqlite3.pydexecutable
MD5:CEE93C920951C1169B615CB6330CEDDA
SHA256:FF25BDBEEF34D2AA420A79D3666C2660E7E3E96259D1F450F1AF5268553380EC
7496VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI74962\_ssl.pydexecutable
MD5:9B4E74FD1DE0F8A197E4AA1E16749186
SHA256:A4CE52A9E0DADDBBE7A539D1A7EDA787494F2173DDCC92A3FAF43B7CF597452B
7496VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI74962\_socket.pydexecutable
MD5:899380B2D48DF53414B974E11BB711E3
SHA256:B38E66E6EE413E5955EF03D619CADD40FCA8BE035B43093D2342B6F3739E883E
7496VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI74962\api-ms-win-core-errorhandling-l1-1-0.dllexecutable
MD5:98340FFD2B1D8AFFEF27D4B1260AEAC5
SHA256:7388A019922E9A0A3D05A8605A5307E3141B39F7D57B7FACA5D34E72ADFD5FA5
7496VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI74962\api-ms-win-core-debug-l1-1-0.dllexecutable
MD5:A00EBD3CF88D668BE6D62A25FA4FB525
SHA256:B44646453584305D4EDF8AB5F5D1ADEA6B9650BD2B75F8486FC275BE52B86433
7496VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI74962\_wmi.pydexecutable
MD5:EE33F4C8D17D17AD62925E85097B0109
SHA256:79ADCA5037D9145309D3BD19F7A26F7BB7DA716EE86E01073C6F2A9681E33DAD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
29
DNS requests
19
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
184.25.50.10:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7536
WeMod_Setup.exe
GET
200
142.250.203.99:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
7536
WeMod_Setup.exe
GET
200
142.250.203.99:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
7728
VegaStealer_v1.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
whitelisted
6544
svchost.exe
GET
200
104.78.173.167:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7728
VegaStealer_v1.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/?fields=225545
unknown
whitelisted
9020
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
9020
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
184.25.50.10:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
7536
WeMod_Setup.exe
104.22.43.75:443
api.wemod.com
CLOUDFLARENET
whitelisted
7536
WeMod_Setup.exe
142.250.203.99:80
c.pki.goog
GOOGLE
US
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7728
VegaStealer_v1.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
whitelisted
7728
VegaStealer_v1.exe
142.250.203.99:443
c.pki.goog
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 184.25.50.10
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
google.com
  • 142.250.203.110
whitelisted
api.wemod.com
  • 104.22.43.75
whitelisted
c.pki.goog
  • 142.250.203.99
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
vega-d7pjt.in
unknown
ip-api.com
  • 208.95.112.1
whitelisted
gstatic.com
  • 142.250.203.99
whitelisted

Threats

PID
Process
Class
Message
7728
VegaStealer_v1.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2196
svchost.exe
Misc activity
SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2196
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
7728
VegaStealer_v1.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
7728
VegaStealer_v1.exe
A Network Trojan was detected
STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
7728
VegaStealer_v1.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WeMod-Setup.exe