File name:

WeMod-Setup.exe

Full analysis: https://app.any.run/tasks/6ac8ba49-5b1a-4c5b-968e-71faea389872
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks.

Malware Trends Tracker     >>>
Analysis date: April 20, 2025, 15:20:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
python
stealer
screenshot
blankgrabber
telegram
pyinstaller
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

B5D9EC4463780FE7FF0CAD5B7E794EC2

SHA1:

69AB8569815E707ACC253A3B1FD98F2559A2C7C0

SHA256:

106E7414F8277F8DC4B666BC1AB54E97B0192E677F4823D3FDD265BF1366F870

SSDEEP:

98304:XwhWmAuO/7MKXKvgAbcuzB+cbdBKKho6yLUmIhmEsgNx/1hdExas3lAKWDgN/RgW:QthMXiz9papGsqjjan

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • VegaStealer_v1.exe (PID: 7728)
      • cmd.exe (PID: 7768)

    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 7776)

    • Changes Windows Defender settings

      • cmd.exe (PID: 7768)
      • cmd.exe (PID: 7776)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 7972)

    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 7972)

    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 7972)

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 7972)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 7972)

    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 7972)

    • Changes settings for real-time protection

      • powershell.exe (PID: 7972)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 7352)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 8196)

    • Actions looks like stealing of personal data

      • VegaStealer_v1.exe (PID: 7728)

    • Steals credentials from Web Browsers

      • VegaStealer_v1.exe (PID: 7728)

    • Resets Windows Defender malware definitions to the base version

      • MpCmdRun.exe (PID: 7332)

    • BLANKGRABBER has been detected (SURICATA)

      • VegaStealer_v1.exe (PID: 7728)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • VegaStealer_v1.exe (PID: 7496)

    • Reads security settings of Internet Explorer

      • WeMod_Setup.exe (PID: 7536)
      • WeMod-Setup.exe (PID: 7440)

    • Process drops python dynamic module

      • VegaStealer_v1.exe (PID: 7496)

    • The process drops C-runtime libraries

      • VegaStealer_v1.exe (PID: 7496)

    • Executable content was dropped or overwritten

      • VegaStealer_v1.exe (PID: 7496)
      • WeMod-Setup.exe (PID: 7440)
      • csc.exe (PID: 8976)

    • Reads Microsoft Outlook installation path

      • WeMod_Setup.exe (PID: 7536)

    • Starts CMD.EXE for commands execution

      • VegaStealer_v1.exe (PID: 7728)

    • Application launched itself

      • VegaStealer_v1.exe (PID: 7496)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 7768)

    • Get information on the list of running processes

      • VegaStealer_v1.exe (PID: 7728)
      • cmd.exe (PID: 7804)
      • cmd.exe (PID: 7792)
      • cmd.exe (PID: 6476)
      • cmd.exe (PID: 7948)

    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 7776)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 7776)

    • Found strings related to reading or modifying Windows Defender settings

      • VegaStealer_v1.exe (PID: 7728)

    • Loads Python modules

      • VegaStealer_v1.exe (PID: 7728)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7768)
      • cmd.exe (PID: 7776)
      • cmd.exe (PID: 8072)
      • cmd.exe (PID: 7352)
      • cmd.exe (PID: 9000)
      • cmd.exe (PID: 8644)
      • cmd.exe (PID: 7308)
      • cmd.exe (PID: 7480)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 7892)
      • cmd.exe (PID: 7908)
      • cmd.exe (PID: 7896)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 8072)
      • WMIC.exe (PID: 8480)

    • Reads Internet Explorer settings

      • WeMod_Setup.exe (PID: 7536)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 6032)
      • cmd.exe (PID: 6272)
      • cmd.exe (PID: 7452)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 7352)
      • WMIC.exe (PID: 5376)
      • WMIC.exe (PID: 8848)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 1764)

    • Starts application with an unusual extension

      • cmd.exe (PID: 4812)
      • cmd.exe (PID: 8352)
      • cmd.exe (PID: 8444)
      • cmd.exe (PID: 8720)
      • cmd.exe (PID: 8800)
      • cmd.exe (PID: 8620)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 7352)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 7352)

    • Checks for external IP

      • VegaStealer_v1.exe (PID: 7728)
      • svchost.exe (PID: 2196)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 7288)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 7352)

    • Accesses antivirus product name via WMI (SCRIPT)

      • WMIC.exe (PID: 5608)

    • There is functionality for taking screenshot (YARA)

      • VegaStealer_v1.exe (PID: 7496)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 8976)

    • Captures screenshot (POWERSHELL)

      • powershell.exe (PID: 8196)

    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 2236)

    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 632)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 1388)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • VegaStealer_v1.exe (PID: 7728)

  • INFO

    • Reads the software policy settings

      • WeMod_Setup.exe (PID: 7536)

    • Process checks computer location settings

      • WeMod-Setup.exe (PID: 7440)

    • Reads the machine GUID from the registry

      • WeMod_Setup.exe (PID: 7536)
      • csc.exe (PID: 8976)

    • Checks supported languages

      • WeMod-Setup.exe (PID: 7440)
      • WeMod_Setup.exe (PID: 7536)
      • VegaStealer_v1.exe (PID: 7496)
      • tree.com (PID: 7256)
      • tree.com (PID: 8412)
      • tree.com (PID: 8504)
      • tree.com (PID: 8692)
      • tree.com (PID: 8780)
      • tree.com (PID: 8860)
      • cvtres.exe (PID: 9184)
      • csc.exe (PID: 8976)
      • MpCmdRun.exe (PID: 7332)
      • VegaStealer_v1.exe (PID: 7728)

    • Create files in a temporary directory

      • WeMod-Setup.exe (PID: 7440)
      • VegaStealer_v1.exe (PID: 7496)
      • VegaStealer_v1.exe (PID: 7728)
      • WeMod_Setup.exe (PID: 7536)
      • csc.exe (PID: 8976)
      • cvtres.exe (PID: 9184)
      • MpCmdRun.exe (PID: 7332)

    • Reads the computer name

      • WeMod-Setup.exe (PID: 7440)
      • VegaStealer_v1.exe (PID: 7496)
      • WeMod_Setup.exe (PID: 7536)
      • VegaStealer_v1.exe (PID: 7728)
      • MpCmdRun.exe (PID: 7332)

    • The sample compiled with english language support

      • VegaStealer_v1.exe (PID: 7496)

    • Creates files or folders in the user directory

      • WeMod_Setup.exe (PID: 7536)

    • Checks proxy server information

      • WeMod_Setup.exe (PID: 7536)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 8072)
      • WMIC.exe (PID: 5376)
      • WMIC.exe (PID: 5608)
      • WMIC.exe (PID: 632)
      • WMIC.exe (PID: 6592)
      • WMIC.exe (PID: 8480)
      • WMIC.exe (PID: 7352)
      • WMIC.exe (PID: 8848)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 1056)

    • Checks the directory tree

      • tree.com (PID: 7256)
      • tree.com (PID: 8412)
      • tree.com (PID: 8692)
      • tree.com (PID: 8504)
      • tree.com (PID: 8780)
      • tree.com (PID: 8860)

    • Reads Environment values

      • WeMod_Setup.exe (PID: 7536)

    • Disables trace logs

      • WeMod_Setup.exe (PID: 7536)

    • PyInstaller has been detected (YARA)

      • VegaStealer_v1.exe (PID: 7496)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7972)
      • powershell.exe (PID: 7964)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7972)
      • powershell.exe (PID: 7964)
      • powershell.exe (PID: 9080)
      • powershell.exe (PID: 2136)

    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 7948)

    • Attempting to use instant messaging service

      • svchost.exe (PID: 2196)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ 4.x (75)
.exe | Win64 Executable (generic) (15.3)
.dll | Win32 Dynamic Link Library (generic) (3.6)
.exe | Win32 Executable (generic) (2.5)
.exe | Win16/32 Executable Delphi generic (1.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:06:15 16:44:28+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 5.12
CodeSize: 3584
InitializedDataSize: 10132992
UninitializedDataSize: -
EntryPoint: 0x1ae1
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 8.0.0.0
ProductVersionNumber: 8.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: WeMod Setup
CompanyName: WeMod LLC
FileDescription: WeMod Setup
FileVersion: 8.0.0.0
InternalName: WeMod-Setup.exe
LegalCopyright: Copyright © WeMod LLC 2022
LegalTrademarks: -
OriginalFileName: WeMod-Setup.exe
ProductName: WeMod
ProductVersion: 8.0.0.0
AssemblyVersion: 8.0.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
237
Monitored processes
108
Malicious processes
6
Suspicious processes
4

Behavior graph

Click at the process to see the details
start wemod-setup.exe vegastealer_v1.exe sppextcomobj.exe no specs wemod_setup.exe slui.exe no specs #BLANKGRABBER vegastealer_v1.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs tasklist.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs svchost.exe reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs tasklist.exe no specs powershell.exe no specs wmic.exe no specs netsh.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs tree.com no specs conhost.exe no specs conhost.exe no specs reg.exe no specs powershell.exe no specs systeminfo.exe no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs csc.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs cvtres.exe no specs mpcmdrun.exe no specs tiworker.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs getmac.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs wemod-setup.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
516\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
616REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
632wmic os get CaptionC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
780C:\WINDOWS\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"C:\Windows\System32\cmd.exeVegaStealer_v1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1056powershell Get-ClipboardC:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
1388C:\WINDOWS\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"C:\Windows\System32\cmd.exeVegaStealer_v1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1568\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1660tasklist /FO LISTC:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1764C:\WINDOWS\system32\cmd.exe /c "netsh wlan show profile"C:\Windows\System32\cmd.exeVegaStealer_v1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
2136powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITYC:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events
54 182
Read events
54 162
Write events
20
Delete events
0

Modification events

(PID) Process:(7536) WeMod_Setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7536) WeMod_Setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7536) WeMod_Setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7728) VegaStealer_v1.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib
Operation:writeName: 1280x720x32(BGR 0)
Value:
31,31,31,31
(PID) Process:(7536) WeMod_Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod_Setup_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(7536) WeMod_Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod_Setup_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(7536) WeMod_Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod_Setup_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(7536) WeMod_Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod_Setup_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(7536) WeMod_Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod_Setup_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(7536) WeMod_Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod_Setup_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
Executable files
61
Suspicious files
41
Text files
34
Unknown types
0

Dropped files

PID
Process
Filename
Type
7496VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI74962\_bz2.pydexecutable
MD5:C7CE973F261F698E3DB148CCAD057C96
SHA256:02D772C03704FE243C8DE2672C210A5804D075C1F75E738D6130A173D08DFCDE
7496VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI74962\_decimal.pydexecutable
MD5:21C73E7E0D7DAD7A1FE728E3B80CE073
SHA256:A28C543976AA4B6D37DA6F94A280D72124B429F458D0D57B7DBCF71B4BEA8F73
7496VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI74962\_lzma.pydexecutable
MD5:4E2239ECE266230ECB231B306ADDE070
SHA256:34130D8ABE27586EE315262D69AF4E27429B7EAB1F3131EA375C2BB62CF094BE
7496VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI74962\_ctypes.pydexecutable
MD5:10FDCF63D1C3C3B7E5861FBB04D64557
SHA256:BC3B83D2DC9E2F0E6386ED952384C6CF48F6EED51129A50DFD5EF6CBBC0A8FB3
7440WeMod-Setup.exeC:\Users\admin\AppData\Local\Temp\VegaStealer_v1.exeexecutable
MD5:243DCA248CABCEFAC70874F55AB362C6
SHA256:2C67E60F81A501036DE89E28887A9103598B69B3EF57BBFE4FE3C4CC418482D5
7496VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI74962\VCRUNTIME140.dllexecutable
MD5:4585A96CC4EEF6AAFD5E27EA09147DC6
SHA256:A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
7496VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI74962\_hashlib.pydexecutable
MD5:F495D1897A1B52A2B15C20DCECB84B47
SHA256:E47E76D70D508B62924FE480F30E615B12FDD7745C0AAC68A2CDDABD07B692AE
7496VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI74962\_queue.pydexecutable
MD5:6E00E0821BB519333CCFD4E61A83CB38
SHA256:2AD02D49691A629F038F48FCDEE46A07C4FCC2CB0620086E7B09AC11915AE6B7
7496VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI74962\api-ms-win-core-debug-l1-1-0.dllexecutable
MD5:A00EBD3CF88D668BE6D62A25FA4FB525
SHA256:B44646453584305D4EDF8AB5F5D1ADEA6B9650BD2B75F8486FC275BE52B86433
7496VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI74962\_socket.pydexecutable
MD5:899380B2D48DF53414B974E11BB711E3
SHA256:B38E66E6EE413E5955EF03D619CADD40FCA8BE035B43093D2342B6F3739E883E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
29
DNS requests
19
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
184.25.50.10:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
9020
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7728
VegaStealer_v1.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/?fields=225545
unknown
whitelisted
9020
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6544
svchost.exe
GET
200
104.78.173.167:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7536
WeMod_Setup.exe
GET
200
142.250.203.99:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
7536
WeMod_Setup.exe
GET
200
142.250.203.99:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
7728
VegaStealer_v1.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
184.25.50.10:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
7536
WeMod_Setup.exe
104.22.43.75:443
api.wemod.com
CLOUDFLARENET
whitelisted
7536
WeMod_Setup.exe
142.250.203.99:80
c.pki.goog
GOOGLE
US
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7728
VegaStealer_v1.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
whitelisted
7728
VegaStealer_v1.exe
142.250.203.99:443
c.pki.goog
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 184.25.50.10
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
google.com
  • 142.250.203.110
whitelisted
api.wemod.com
  • 104.22.43.75
whitelisted
c.pki.goog
  • 142.250.203.99
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
vega-d7pjt.in
unknown
ip-api.com
  • 208.95.112.1
whitelisted
gstatic.com
  • 142.250.203.99
whitelisted

Threats

PID
Process
Class
Message
7728
VegaStealer_v1.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2196
svchost.exe
Misc activity
SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2196
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
7728
VegaStealer_v1.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
7728
VegaStealer_v1.exe
A Network Trojan was detected
STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
7728
VegaStealer_v1.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WeMod-Setup.exe