Malware analysis RC7-Reimagined.zip Malicious activity

Add for printing

File name:	RC7-Reimagined.zip
Full analysis:	https://app.any.run/tasks/89fce533-34b8-463c-8f9b-caf340125aba
Verdict:	Malicious activity
Threats:	Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 05, 2025, 00:04:49
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	uac blankgrabber stealer arch-exec discord evasion
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	8C33FF7DCAC36E4AA6AD9EA2B2CA7702
SHA1:	EEED186ECC4730A1AC22DD9B4DD9C577D8752891
SHA256:	1F8A1675C871E91F6E11C7354ED2757D69C0CA18A8D536BFA65799700E2971CC
SSDEEP:	98304:CA2rEyA6ris6xErjEunvpLgCvcBzC7y2I+1kOc5vBPzUtLM1+StJWH+O5dh7T8tk:6UMA7JfO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Bypass User Account Control (Modify registry)
  - reg.exe (PID: 2108)
- Bypass User Account Control (ComputerDefaults)
  - ComputerDefaults.exe (PID: 6656)
- BlankGrabber has been detected
  - RC7-2025.exe (PID: 1128)
  - RC7-2025.exe (PID: 4380)
- Create files in the Startup directory
  - RC7-2025.exe (PID: 4188)
- Adds path to the Windows Defender exclusion list
  - RC7-2025.exe (PID: 4188)
  - cmd.exe (PID: 2552)
  - cmd.exe (PID: 6248)
- Antivirus name has been found in the command line (generic signature)
  - cmd.exe (PID: 2984)
- Changes Windows Defender settings
  - cmd.exe (PID: 2552)
  - cmd.exe (PID: 2984)
  - cmd.exe (PID: 6248)
- Changes Controlled Folder Access settings
  - powershell.exe (PID: 4300)
- Changes settings for protection against network attacks (IPS)
  - powershell.exe (PID: 4300)
- Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)
  - powershell.exe (PID: 4300)
- Changes settings for reporting to Microsoft Active Protection Service (MAPS)
  - powershell.exe (PID: 4300)
- Changes settings for sending potential threat samples to Microsoft servers
  - powershell.exe (PID: 4300)
- Changes settings for checking scripts for malicious actions
  - powershell.exe (PID: 4300)
- Changes settings for real-time protection
  - powershell.exe (PID: 4300)
- Steals credentials from Web Browsers
  - RC7-2025.exe (PID: 4188)
- Actions looks like stealing of personal data
  - RC7-2025.exe (PID: 4188)
- Resets Windows Defender malware definitions to the base version
  - MpCmdRun.exe (PID: 7888)
- Stealers network behavior
  - RC7-2025.exe (PID: 4188)
- BLANKGRABBER has been detected (SURICATA)
  - RC7-2025.exe (PID: 4188)
SUSPICIOUS
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 5956)
  - RC7-2025.exe (PID: 1128)
  - RC7-2025.exe (PID: 4188)
  - RC7-2025.exe (PID: 4380)
- Application launched itself
  - RC7-2025.exe (PID: 4380)
  - RC7-2025.exe (PID: 1128)
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 5956)
- The process drops C-runtime libraries
  - RC7-2025.exe (PID: 4380)
  - RC7-2025.exe (PID: 1128)
- Starts a Microsoft application from unusual location
  - RC7-2025.exe (PID: 3100)
  - RC7-2025.exe (PID: 1128)
  - RC7-2025.exe (PID: 4188)
  - RC7-2025.exe (PID: 4380)
- Changes default file association
  - reg.exe (PID: 2108)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 6184)
  - cmd.exe (PID: 1056)
  - cmd.exe (PID: 1056)
- Found strings related to reading or modifying Windows Defender settings
  - RC7-2025.exe (PID: 3100)
  - RC7-2025.exe (PID: 4188)
- Uses WEVTUTIL.EXE to query events from a log or log file
  - cmd.exe (PID: 4108)
  - cmd.exe (PID: 1812)
- Executable content was dropped or overwritten
  - RC7-2025.exe (PID: 1128)
  - RC7-2025.exe (PID: 4188)
  - RC7-2025.exe (PID: 4380)
- Starts CMD.EXE for commands execution
  - RC7-2025.exe (PID: 3100)
  - RC7-2025.exe (PID: 4188)
- Process drops python dynamic module
  - RC7-2025.exe (PID: 1128)
  - RC7-2025.exe (PID: 4380)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 2552)
  - cmd.exe (PID: 2984)
  - cmd.exe (PID: 6248)
  - cmd.exe (PID: 5512)
  - cmd.exe (PID: 1116)
  - cmd.exe (PID: 1660)
- Script disables Windows Defender's IPS
  - cmd.exe (PID: 2984)
- Script adds exclusion path to Windows Defender
  - cmd.exe (PID: 2552)
  - cmd.exe (PID: 6248)
- Script disables Windows Defender's real-time protection
  - cmd.exe (PID: 2984)
- Get information on the list of running processes
  - cmd.exe (PID: 6392)
  - RC7-2025.exe (PID: 4188)
  - cmd.exe (PID: 6184)
  - cmd.exe (PID: 1180)
- Uses SYSTEMINFO.EXE to read the environment
  - cmd.exe (PID: 3884)
- Uses NETSH.EXE to obtain data on the network
  - cmd.exe (PID: 4488)
- Starts application with an unusual extension
  - cmd.exe (PID: 7608)
  - cmd.exe (PID: 7688)
  - cmd.exe (PID: 7776)
  - cmd.exe (PID: 7824)
  - cmd.exe (PID: 7880)
  - cmd.exe (PID: 856)
- Accesses antivirus product name via WMI (SCRIPT)
  - WMIC.exe (PID: 7548)
- The executable file from the user directory is run by the CMD process
  - rar.exe (PID: 7312)
- Uses WMIC.EXE to obtain operating system information
  - cmd.exe (PID: 4380)
- Accesses operating system name via WMI (SCRIPT)
  - WMIC.exe (PID: 7400)
- Uses WMIC.EXE to obtain computer system information
  - cmd.exe (PID: 4488)
- Accesses product unique identifier via WMI (SCRIPT)
  - WMIC.exe (PID: 4736)
- Uses WMIC.EXE to obtain Windows Installer data
  - cmd.exe (PID: 7212)
  - cmd.exe (PID: 1188)
- Checks for external IP
  - svchost.exe (PID: 2196)
  - RC7-2025.exe (PID: 4188)
- Uses WMIC.EXE to obtain a list of video controllers
  - cmd.exe (PID: 6264)
- Accesses video controller name via WMI (SCRIPT)
  - WMIC.exe (PID: 7692)
INFO
- The sample compiled with english language support
  - WinRAR.exe (PID: 5956)
  - RC7-2025.exe (PID: 4380)
  - RC7-2025.exe (PID: 1128)
  - RC7-2025.exe (PID: 4188)
- Create files in a temporary directory
  - RC7-2025.exe (PID: 4380)
  - RC7-2025.exe (PID: 3100)
  - RC7-2025.exe (PID: 1128)
  - RC7-2025.exe (PID: 4188)
  - rar.exe (PID: 7312)
  - MpCmdRun.exe (PID: 7888)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 5956)
- Checks supported languages
  - RC7-2025.exe (PID: 4380)
  - RC7-2025.exe (PID: 3100)
  - RC7-2025.exe (PID: 1128)
  - RC7-2025.exe (PID: 4188)
  - tree.com (PID: 7448)
  - tree.com (PID: 7636)
  - tree.com (PID: 7708)
  - tree.com (PID: 7800)
  - tree.com (PID: 7852)
  - tree.com (PID: 7904)
  - rar.exe (PID: 7312)
  - MpCmdRun.exe (PID: 7888)
- Reads the machine GUID from the registry
  - RC7-2025.exe (PID: 3100)
  - RC7-2025.exe (PID: 4188)
  - rar.exe (PID: 7312)
- Reads security settings of Internet Explorer
  - ComputerDefaults.exe (PID: 6656)
  - WMIC.exe (PID: 7548)
  - Taskmgr.exe (PID: 8148)
  - WMIC.exe (PID: 7400)
  - WMIC.exe (PID: 4736)
  - WMIC.exe (PID: 7844)
  - WMIC.exe (PID: 7692)
- Reads the computer name
  - RC7-2025.exe (PID: 1128)
  - RC7-2025.exe (PID: 4188)
  - RC7-2025.exe (PID: 4380)
  - MpCmdRun.exe (PID: 7888)
- Creates files in the program directory
  - RC7-2025.exe (PID: 4188)
- The Powershell gets current clipboard
  - powershell.exe (PID: 7356)
- Checks the directory tree
  - tree.com (PID: 7448)
  - tree.com (PID: 7636)
  - tree.com (PID: 7708)
  - tree.com (PID: 7800)
  - tree.com (PID: 7852)
  - tree.com (PID: 7904)
- Manual execution by a user
  - Taskmgr.exe (PID: 8148)
  - Taskmgr.exe (PID: 8096)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 5504)
  - powershell.exe (PID: 4300)
  - powershell.exe (PID: 1764)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 4300)
  - powershell.exe (PID: 5504)
  - powershell.exe (PID: 1764)
- Displays MAC addresses of computer network adapters
  - getmac.exe (PID: 7380)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	0x0008
ZipCompression:	Deflated
ZipModifyDate:	2025:04:04 18:59:28
ZipCRC:	0x5d125307
ZipCompressedSize:	6859081
ZipUncompressedSize:	16777216
ZipFileName:	RC7-2025.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

211

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

516

reg delete hkcu\Software\Classes\ms-settings /f

C:\Windows\System32\reg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll

616

reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\admin\AppData\Local\Temp\Rar$EXa5956.31511\RC7-2025.exe" /f

C:\Windows\System32\reg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll

728

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

RC7-2025.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

856

C:\WINDOWS\system32\cmd.exe /c "tree /A /F"

C:\Windows\System32\cmd.exe

—

RC7-2025.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

1056

C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\admin\AppData\Local\Temp\Rar$EXa5956.31511\RC7-2025.exe" /f"

C:\Windows\System32\cmd.exe

—

RC7-2025.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

1056

C:\WINDOWS\system32\cmd.exe /c "reg delete hkcu\Software\Classes\ms-settings /f"

C:\Windows\System32\cmd.exe

—

RC7-2025.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

1116

C:\WINDOWS\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\cmd.exe

—

RC7-2025.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

1128

"C:\Users\admin\AppData\Local\Temp\Rar$EXa5956.31511\RC7-2025.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXa5956.31511\RC7-2025.exe

ComputerDefaults.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

AppID Certificate Store Verification Task

Exit code:

Version:

10.0.22621.4830 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\appdata\local\temp\rar$exa5956.31511\rc7-2025.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1180

C:\WINDOWS\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\System32\cmd.exe

—

RC7-2025.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

1188

C:\WINDOWS\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\System32\cmd.exe

—

RC7-2025.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

Add for printing

Total events

48 781

Read events

48 759

Write events

Delete events

Modification events


(PID) Process:	(5956) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(5956) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(5956) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(5956) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\RC7-Reimagined.zip
(PID) Process:	(5956) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(5956) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(5956) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(5956) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(2108) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:	write	Name:	DelegateExecute
Value:
(PID) Process:	(6656) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:

Add for printing

Executable files

118

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4380	RC7-2025.exe	C:\Users\admin\AppData\Local\Temp\_MEI43802\_decimal.pyd		executable
		MD5:EED5E0ABDD4EF0E278B6031962611C62	SHA256:C647AD464CA1657E9263DC85BF1F814AC441E47555E9A7E080FE5E8AAF7F9CE3
4380	RC7-2025.exe	C:\Users\admin\AppData\Local\Temp\_MEI43802\_socket.pyd		executable
		MD5:E1ED9834A361090F081982A46848335D	SHA256:6EA35EC2CC5F3E4D31AEB254A4C9EDCB837F01E95FBED8ECA3A1AEDAF73CDAA7
4380	RC7-2025.exe	C:\Users\admin\AppData\Local\Temp\_MEI43802\_ctypes.pyd		executable
		MD5:BB763DFB8A25E3C0E469DEC3925F556D	SHA256:0365A408E68C8743C9E7DEC218DC2935C46921EEF1938DAEB3EFCCE8F882ECD2
4380	RC7-2025.exe	C:\Users\admin\AppData\Local\Temp\_MEI43802\_hashlib.pyd		executable
		MD5:FEE18B1C90FD7DAC801A556B06C45BED	SHA256:624AD5F808C1F73F4C7935E4CD127F12E119EF1E6FF941147ABC9C9F98B4A45F
4380	RC7-2025.exe	C:\Users\admin\AppData\Local\Temp\_MEI43802\VCRUNTIME140.dll		executable
		MD5:A87575E7CF8967E481241F13940EE4F7	SHA256:DED5ADAA94341E6C62AEA03845762591666381DCA30EB7C17261DD154121B83E
4380	RC7-2025.exe	C:\Users\admin\AppData\Local\Temp\_MEI43802\_lzma.pyd		executable
		MD5:C49EA6C93334203353B030CDD1E15159	SHA256:9D2D9284EA894E2ED6658B6199C37565AEC0DAC3E05976139253B531E981C4CB
4380	RC7-2025.exe	C:\Users\admin\AppData\Local\Temp\_MEI43802\_bz2.pyd		executable
		MD5:0AC171ABA6E08DC61B4C2D69169D9D87	SHA256:7997BF38C683B1443B785A0916C434FE70EA09DD137138C16F846AA279641D9B
4380	RC7-2025.exe	C:\Users\admin\AppData\Local\Temp\_MEI43802\api-ms-win-core-file-l1-1-0.dll		executable
		MD5:68A9E2900942D86001E56FC7FF0BE7E1	SHA256:2FF6914E5887B3FA53CB418B5602C84B79F189E441E1E66BF42C759688D8C885
4380	RC7-2025.exe	C:\Users\admin\AppData\Local\Temp\_MEI43802\api-ms-win-core-datetime-l1-1-0.dll		executable
		MD5:9F8E3E48E50CC817581FCF8C4412FD16	SHA256:4E8C54B23D5C0D5B388D7C0182DA2E3AFC9819073640E83B753F517D5CF77AEB
4380	RC7-2025.exe	C:\Users\admin\AppData\Local\Temp\_MEI43802\api-ms-win-core-console-l1-1-0.dll		executable
		MD5:9A1E39A255C0A22E49906DA7DDC69274	SHA256:A742B375FC6CB32E17C66F7E677CEF59399216AC21C1384DE6EC892C2B099A4D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7424	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7424	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
4188	RC7-2025.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/?fields=225545	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	20.197.71.89:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	SG	whitelisted
6544	svchost.exe	20.190.160.2:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
2104	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4188	RC7-2025.exe	172.217.16.195:443	gstatic.com	GOOGLE	US	whitelisted
7424	SIHClient.exe	172.202.163.200:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 20.73.194.208	whitelisted
crl.microsoft.com	2.16.164.49 2.16.164.9	whitelisted
google.com	142.250.185.206	whitelisted
client.wns.windows.com	20.197.71.89	whitelisted
login.live.com	20.190.160.2 20.190.160.132 20.190.160.67 20.190.160.131 20.190.160.3 20.190.160.14 40.126.32.140 40.126.32.74	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted
gstatic.com	172.217.16.195	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted

Threats

PID	Process	Class	Message
2196	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2196	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2196	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
4188	RC7-2025.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
2196	svchost.exe	Misc activity	ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
4188	RC7-2025.exe	A Network Trojan was detected	STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
4188	RC7-2025.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
4188	RC7-2025.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)

Add for printing

No debug info

General Info

RC7-Reimagined.zip

8C33FF7DCAC36E4AA6AD9EA2B2CA7702

EEED186ECC4730A1AC22DD9B4DD9C577D8752891

1F8A1675C871E91F6E11C7354ED2757D69C0CA18A8D536BFA65799700E2971CC

98304:CA2rEyA6ris6xErjEunvpLgCvcBzC7y2I+1kOc5vBPzUtLM1+StJWH+O5dh7T8tk:6UMA7JfO

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Bypass User Account Control (Modify registry)

Bypass User Account Control (ComputerDefaults)

BlankGrabber has been detected

Create files in the Startup directory

Adds path to the Windows Defender exclusion list

Antivirus name has been found in the command line (generic signature)

Changes Windows Defender settings

Changes Controlled Folder Access settings

Changes settings for protection against network attacks (IPS)

Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

Changes settings for reporting to Microsoft Active Protection Service (MAPS)

Changes settings for sending potential threat samples to Microsoft servers

Changes settings for checking scripts for malicious actions

Changes settings for real-time protection

Steals credentials from Web Browsers

Actions looks like stealing of personal data

Resets Windows Defender malware definitions to the base version

Stealers network behavior

BLANKGRABBER has been detected (SURICATA)

SUSPICIOUS

Process drops legitimate windows executable

Application launched itself

Reads security settings of Internet Explorer

The process drops C-runtime libraries

Starts a Microsoft application from unusual location

Changes default file association

Uses REG/REGEDIT.EXE to modify registry

Found strings related to reading or modifying Windows Defender settings

Uses WEVTUTIL.EXE to query events from a log or log file

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Process drops python dynamic module

Starts POWERSHELL.EXE for commands execution

Script disables Windows Defender's IPS

Script adds exclusion path to Windows Defender

Script disables Windows Defender's real-time protection

Get information on the list of running processes

Uses SYSTEMINFO.EXE to read the environment

Uses NETSH.EXE to obtain data on the network

Starts application with an unusual extension

Accesses antivirus product name via WMI (SCRIPT)

The executable file from the user directory is run by the CMD process

Uses WMIC.EXE to obtain operating system information

Accesses operating system name via WMI (SCRIPT)

Uses WMIC.EXE to obtain computer system information

Accesses product unique identifier via WMI (SCRIPT)

Uses WMIC.EXE to obtain Windows Installer data

Checks for external IP

Uses WMIC.EXE to obtain a list of video controllers

Accesses video controller name via WMI (SCRIPT)

INFO

The sample compiled with english language support

Create files in a temporary directory

Executable content was dropped or overwritten

Checks supported languages

Reads the machine GUID from the registry

Reads security settings of Internet Explorer

Reads the computer name

Creates files in the program directory

The Powershell gets current clipboard

Checks the directory tree

Manual execution by a user

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Displays MAC addresses of computer network adapters

Malware configuration

Static information

TRiD