File name:

WeMod-Setup.exe

Full analysis: https://app.any.run/tasks/dadb11ca-3b85-4ebd-bd6c-a37b1a9a8ab8
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks.

Malware Trends Tracker     >>>
Analysis date: April 20, 2025, 15:17:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
stealer
python
screenshot
telegram
blankgrabber
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

B5D9EC4463780FE7FF0CAD5B7E794EC2

SHA1:

69AB8569815E707ACC253A3B1FD98F2559A2C7C0

SHA256:

106E7414F8277F8DC4B666BC1AB54E97B0192E677F4823D3FDD265BF1366F870

SSDEEP:

98304:XwhWmAuO/7MKXKvgAbcuzB+cbdBKKho6yLUmIhmEsgNx/1hdExas3lAKWDgN/RgW:QthMXiz9papGsqjjan

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • VegaStealer_v1.exe (PID: 7152)
      • cmd.exe (PID: 6700)

    • Changes Windows Defender settings

      • cmd.exe (PID: 6700)
      • cmd.exe (PID: 4688)

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 7288)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 7288)

    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 7288)

    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 7288)

    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 4688)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 7288)

    • Changes settings for real-time protection

      • powershell.exe (PID: 7288)

    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 7288)

    • Actions looks like stealing of personal data

      • VegaStealer_v1.exe (PID: 7152)

    • Steals credentials from Web Browsers

      • VegaStealer_v1.exe (PID: 7152)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 8236)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 7604)

    • Resets Windows Defender malware definitions to the base version

      • MpCmdRun.exe (PID: 8412)

    • BLANKGRABBER has been detected (SURICATA)

      • VegaStealer_v1.exe (PID: 7152)

    • Stealers network behavior

      • VegaStealer_v1.exe (PID: 7152)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WeMod-Setup.exe (PID: 6712)
      • WeMod_Setup.exe (PID: 4408)
      • Update.exe (PID: 7944)

    • Process drops python dynamic module

      • VegaStealer_v1.exe (PID: 6644)

    • Reads Microsoft Outlook installation path

      • WeMod_Setup.exe (PID: 4408)

    • Process drops legitimate windows executable

      • VegaStealer_v1.exe (PID: 6644)
      • Update.exe (PID: 7944)

    • The process drops C-runtime libraries

      • VegaStealer_v1.exe (PID: 6644)

    • Executable content was dropped or overwritten

      • WeMod-Setup.exe (PID: 6712)
      • VegaStealer_v1.exe (PID: 6644)
      • csc.exe (PID: 9084)
      • WeMod-Setup-638807590511329798.exe (PID: 7256)
      • Update.exe (PID: 7944)

    • Loads Python modules

      • VegaStealer_v1.exe (PID: 7152)

    • Reads Internet Explorer settings

      • WeMod_Setup.exe (PID: 4408)

    • Found strings related to reading or modifying Windows Defender settings

      • VegaStealer_v1.exe (PID: 7152)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 6700)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6700)
      • cmd.exe (PID: 4688)
      • cmd.exe (PID: 7736)
      • cmd.exe (PID: 7604)
      • cmd.exe (PID: 9104)
      • cmd.exe (PID: 8380)
      • cmd.exe (PID: 7788)
      • cmd.exe (PID: 5228)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 4688)

    • Application launched itself

      • VegaStealer_v1.exe (PID: 6644)

    • Get information on the list of running processes

      • cmd.exe (PID: 6272)
      • cmd.exe (PID: 5008)
      • cmd.exe (PID: 7208)
      • cmd.exe (PID: 7668)
      • VegaStealer_v1.exe (PID: 7152)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 6540)
      • cmd.exe (PID: 7384)
      • cmd.exe (PID: 7964)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 7828)
      • cmd.exe (PID: 7944)
      • cmd.exe (PID: 6512)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 7340)
      • WMIC.exe (PID: 7316)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 7896)
      • WMIC.exe (PID: 8008)
      • WMIC.exe (PID: 1040)

    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 4688)

    • Starts CMD.EXE for commands execution

      • VegaStealer_v1.exe (PID: 7152)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 7824)

    • Accesses antivirus product name via WMI (SCRIPT)

      • WMIC.exe (PID: 7716)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 5548)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 7604)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 7604)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 7604)

    • Starts application with an unusual extension

      • cmd.exe (PID: 8368)
      • cmd.exe (PID: 8488)
      • cmd.exe (PID: 8604)
      • cmd.exe (PID: 7820)
      • cmd.exe (PID: 8680)
      • cmd.exe (PID: 8764)

    • Checks for external IP

      • VegaStealer_v1.exe (PID: 7152)
      • svchost.exe (PID: 2196)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 9084)

    • Captures screenshot (POWERSHELL)

      • powershell.exe (PID: 8236)

    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 8720)

    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 8808)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 7816)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • VegaStealer_v1.exe (PID: 7152)

    • Searches for installed software

      • Update.exe (PID: 7944)

    • Creates a software uninstall entry

      • Update.exe (PID: 7944)

    • Reads the date of Windows installation

      • Update.exe (PID: 7944)

  • INFO

    • Create files in a temporary directory

      • WeMod-Setup.exe (PID: 6712)
      • VegaStealer_v1.exe (PID: 7152)
      • csc.exe (PID: 9084)
      • WeMod_Setup.exe (PID: 4408)
      • MpCmdRun.exe (PID: 8412)
      • VegaStealer_v1.exe (PID: 6644)
      • cvtres.exe (PID: 8000)
      • Update.exe (PID: 7944)

    • Reads the computer name

      • WeMod-Setup.exe (PID: 6712)
      • VegaStealer_v1.exe (PID: 6644)
      • WeMod_Setup.exe (PID: 4408)
      • VegaStealer_v1.exe (PID: 7152)
      • MpCmdRun.exe (PID: 8412)
      • WeMod-Setup-638807590511329798.exe (PID: 9076)
      • Update.exe (PID: 7944)
      • Update.exe (PID: 7732)
      • squirrel.exe (PID: 7372)

    • Reads the machine GUID from the registry

      • WeMod_Setup.exe (PID: 4408)
      • csc.exe (PID: 9084)
      • Update.exe (PID: 7944)
      • Update.exe (PID: 7732)
      • squirrel.exe (PID: 7372)

    • Reads the software policy settings

      • WeMod_Setup.exe (PID: 4408)
      • Update.exe (PID: 7944)

    • Checks supported languages

      • VegaStealer_v1.exe (PID: 6644)
      • WeMod-Setup.exe (PID: 6712)
      • WeMod_Setup.exe (PID: 4408)
      • VegaStealer_v1.exe (PID: 7152)
      • tree.com (PID: 8052)
      • tree.com (PID: 8564)
      • tree.com (PID: 8436)
      • tree.com (PID: 8820)
      • tree.com (PID: 8660)
      • tree.com (PID: 8740)
      • csc.exe (PID: 9084)
      • MpCmdRun.exe (PID: 8412)
      • cvtres.exe (PID: 8000)
      • WeMod-Setup-638807590511329798.exe (PID: 7256)
      • Update.exe (PID: 7944)
      • WeMod-Setup-638807590511329798.exe (PID: 9076)
      • squirrel.exe (PID: 7372)
      • WeMod.exe (PID: 8080)
      • Update.exe (PID: 7732)

    • Process checks computer location settings

      • WeMod-Setup.exe (PID: 6712)
      • Update.exe (PID: 7944)

    • Checks proxy server information

      • WeMod_Setup.exe (PID: 4408)
      • Update.exe (PID: 7944)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7340)
      • WMIC.exe (PID: 7896)
      • WMIC.exe (PID: 8008)
      • WMIC.exe (PID: 7716)
      • WMIC.exe (PID: 8808)
      • WMIC.exe (PID: 7792)
      • WMIC.exe (PID: 7316)
      • WMIC.exe (PID: 1040)
      • OpenWith.exe (PID: 8052)

    • Creates files or folders in the user directory

      • WeMod_Setup.exe (PID: 4408)
      • WeMod-Setup-638807590511329798.exe (PID: 7256)
      • Update.exe (PID: 7944)
      • squirrel.exe (PID: 7372)
      • Update.exe (PID: 7732)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 7524)

    • Checks the directory tree

      • tree.com (PID: 8436)
      • tree.com (PID: 8660)
      • tree.com (PID: 8564)
      • tree.com (PID: 8052)
      • tree.com (PID: 8740)
      • tree.com (PID: 8820)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7280)
      • powershell.exe (PID: 7288)

    • Disables trace logs

      • WeMod_Setup.exe (PID: 4408)
      • Update.exe (PID: 7944)

    • Reads Environment values

      • WeMod_Setup.exe (PID: 4408)
      • WeMod.exe (PID: 8080)
      • Update.exe (PID: 7944)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7280)
      • powershell.exe (PID: 9168)
      • powershell.exe (PID: 7288)
      • powershell.exe (PID: 8484)

    • The sample compiled with english language support

      • VegaStealer_v1.exe (PID: 6644)
      • Update.exe (PID: 7944)

    • Attempting to use instant messaging service

      • svchost.exe (PID: 2196)

    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 8748)

    • Manual execution by a user

      • WeMod-Setup-638807590511329798.exe (PID: 7256)

    • Reads product name

      • WeMod.exe (PID: 8080)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ 4.x (75)
.exe | Win64 Executable (generic) (15.3)
.dll | Win32 Dynamic Link Library (generic) (3.6)
.exe | Win32 Executable (generic) (2.5)
.exe | Win16/32 Executable Delphi generic (1.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:06:15 16:44:28+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 5.12
CodeSize: 3584
InitializedDataSize: 10132992
UninitializedDataSize: -
EntryPoint: 0x1ae1
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 8.0.0.0
ProductVersionNumber: 8.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: WeMod Setup
CompanyName: WeMod LLC
FileDescription: WeMod Setup
FileVersion: 8.0.0.0
InternalName: WeMod-Setup.exe
LegalCopyright: Copyright © WeMod LLC 2022
LegalTrademarks: -
OriginalFileName: WeMod-Setup.exe
ProductName: WeMod
ProductVersion: 8.0.0.0
AssemblyVersion: 8.0.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
244
Monitored processes
113
Malicious processes
9
Suspicious processes
3

Behavior graph

Click at the process to see the details
start wemod-setup.exe vegastealer_v1.exe wemod_setup.exe #BLANKGRABBER vegastealer_v1.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs tasklist.exe no specs wmic.exe no specs svchost.exe cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs tasklist.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs tasklist.exe no specs conhost.exe no specs reg.exe no specs powershell.exe no specs netsh.exe no specs systeminfo.exe no specs tree.com no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs csc.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs tiworker.exe no specs cvtres.exe no specs cmd.exe no specs conhost.exe no specs mpcmdrun.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs getmac.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs wemod-setup-638807590511329798.exe no specs wemod-setup-638807590511329798.exe openwith.exe no specs update.exe squirrel.exe no specs wemod.exe no specs update.exe no specs wemod-setup.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
728tasklist /FO LISTC:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1040wmic path win32_VideoController get nameC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
1184\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1184tasklist /FO LISTC:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1188\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1568\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
4408"C:\Users\admin\AppData\Local\Temp\WeMod_Setup.exe" C:\Users\admin\AppData\Local\Temp\WeMod_Setup.exe
WeMod-Setup.exe
User:
admin
Company:
WeMod LLC
Integrity Level:
HIGH
Description:
WeMod Setup
Exit code:
0
Version:
8.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\wemod_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
4688C:\WINDOWS\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"C:\Windows\System32\cmd.exeVegaStealer_v1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
4868\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
56 676
Read events
56 623
Write events
51
Delete events
2

Modification events

(PID) Process:(4408) WeMod_Setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(4408) WeMod_Setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(4408) WeMod_Setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7152) VegaStealer_v1.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib
Operation:writeName: 1280x720x32(BGR 0)
Value:
31,31,31,31
(PID) Process:(4408) WeMod_Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod_Setup_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(4408) WeMod_Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod_Setup_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(4408) WeMod_Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod_Setup_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(4408) WeMod_Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod_Setup_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(4408) WeMod_Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod_Setup_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(4408) WeMod_Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WeMod_Setup_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
Executable files
87
Suspicious files
105
Text files
54
Unknown types
3

Dropped files

PID
Process
Filename
Type
6644VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI66442\_sqlite3.pydexecutable
MD5:CEE93C920951C1169B615CB6330CEDDA
SHA256:FF25BDBEEF34D2AA420A79D3666C2660E7E3E96259D1F450F1AF5268553380EC
6644VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI66442\_queue.pydexecutable
MD5:6E00E0821BB519333CCFD4E61A83CB38
SHA256:2AD02D49691A629F038F48FCDEE46A07C4FCC2CB0620086E7B09AC11915AE6B7
6644VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI66442\_bz2.pydexecutable
MD5:C7CE973F261F698E3DB148CCAD057C96
SHA256:02D772C03704FE243C8DE2672C210A5804D075C1F75E738D6130A173D08DFCDE
6644VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI66442\_decimal.pydexecutable
MD5:21C73E7E0D7DAD7A1FE728E3B80CE073
SHA256:A28C543976AA4B6D37DA6F94A280D72124B429F458D0D57B7DBCF71B4BEA8F73
6644VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI66442\_hashlib.pydexecutable
MD5:F495D1897A1B52A2B15C20DCECB84B47
SHA256:E47E76D70D508B62924FE480F30E615B12FDD7745C0AAC68A2CDDABD07B692AE
6644VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI66442\_lzma.pydexecutable
MD5:4E2239ECE266230ECB231B306ADDE070
SHA256:34130D8ABE27586EE315262D69AF4E27429B7EAB1F3131EA375C2BB62CF094BE
6644VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI66442\_socket.pydexecutable
MD5:899380B2D48DF53414B974E11BB711E3
SHA256:B38E66E6EE413E5955EF03D619CADD40FCA8BE035B43093D2342B6F3739E883E
6644VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI66442\_ssl.pydexecutable
MD5:9B4E74FD1DE0F8A197E4AA1E16749186
SHA256:A4CE52A9E0DADDBBE7A539D1A7EDA787494F2173DDCC92A3FAF43B7CF597452B
6712WeMod-Setup.exeC:\Users\admin\AppData\Local\Temp\VegaStealer_v1.exeexecutable
MD5:243DCA248CABCEFAC70874F55AB362C6
SHA256:2C67E60F81A501036DE89E28887A9103598B69B3EF57BBFE4FE3C4CC418482D5
6644VegaStealer_v1.exeC:\Users\admin\AppData\Local\Temp\_MEI66442\VCRUNTIME140.dllexecutable
MD5:4585A96CC4EEF6AAFD5E27EA09147DC6
SHA256:A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
28
DNS requests
20
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4408
WeMod_Setup.exe
GET
200
142.250.185.99:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
7152
VegaStealer_v1.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
whitelisted
4408
WeMod_Setup.exe
GET
200
142.250.185.99:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7152
VegaStealer_v1.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/?fields=225545
unknown
whitelisted
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
8000
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4408
WeMod_Setup.exe
104.22.42.75:443
api.wemod.com
CLOUDFLARENET
whitelisted
4408
WeMod_Setup.exe
142.250.185.99:80
c.pki.goog
GOOGLE
US
whitelisted
7152
VegaStealer_v1.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7152
VegaStealer_v1.exe
142.250.186.35:443
gstatic.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.52.120.96
whitelisted
google.com
  • 142.250.185.78
whitelisted
api.wemod.com
  • 104.22.42.75
  • 104.22.43.75
  • 172.67.25.118
whitelisted
c.pki.goog
  • 142.250.185.99
whitelisted
vega-hs4da.in
unknown
ip-api.com
  • 208.95.112.1
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
gstatic.com
  • 142.250.186.35
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
7152
VegaStealer_v1.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
2196
svchost.exe
Misc activity
SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2196
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
7152
VegaStealer_v1.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
7152
VegaStealer_v1.exe
A Network Trojan was detected
STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
7152
VegaStealer_v1.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WeMod-Setup.exe