Malware analysis RC7-Reimagined.zip Malicious activity

Add for printing

File name:	RC7-Reimagined.zip
Full analysis:	https://app.any.run/tasks/89fce533-34b8-463c-8f9b-caf340125aba
Verdict:	Malicious activity
Threats:	Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 05, 2025, 00:04:49
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	uac blankgrabber stealer arch-exec discord evasion
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	8C33FF7DCAC36E4AA6AD9EA2B2CA7702
SHA1:	EEED186ECC4730A1AC22DD9B4DD9C577D8752891
SHA256:	1F8A1675C871E91F6E11C7354ED2757D69C0CA18A8D536BFA65799700E2971CC
SSDEEP:	98304:CA2rEyA6ris6xErjEunvpLgCvcBzC7y2I+1kOc5vBPzUtLM1+StJWH+O5dh7T8tk:6UMA7JfO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- BlankGrabber has been detected
  - RC7-2025.exe (PID: 4380)
  - RC7-2025.exe (PID: 1128)
- Bypass User Account Control (Modify registry)
  - reg.exe (PID: 2108)
- Bypass User Account Control (ComputerDefaults)
  - ComputerDefaults.exe (PID: 6656)
- Create files in the Startup directory
  - RC7-2025.exe (PID: 4188)
- Adds path to the Windows Defender exclusion list
  - RC7-2025.exe (PID: 4188)
  - cmd.exe (PID: 2552)
  - cmd.exe (PID: 6248)
- Changes Windows Defender settings
  - cmd.exe (PID: 2552)
  - cmd.exe (PID: 2984)
  - cmd.exe (PID: 6248)
- Changes Controlled Folder Access settings
  - powershell.exe (PID: 4300)
- Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)
  - powershell.exe (PID: 4300)
- Changes settings for protection against network attacks (IPS)
  - powershell.exe (PID: 4300)
- Antivirus name has been found in the command line (generic signature)
  - cmd.exe (PID: 2984)
- Changes settings for real-time protection
  - powershell.exe (PID: 4300)
- Changes settings for reporting to Microsoft Active Protection Service (MAPS)
  - powershell.exe (PID: 4300)
- Changes settings for sending potential threat samples to Microsoft servers
  - powershell.exe (PID: 4300)
- Changes settings for checking scripts for malicious actions
  - powershell.exe (PID: 4300)
- Steals credentials from Web Browsers
  - RC7-2025.exe (PID: 4188)
- Actions looks like stealing of personal data
  - RC7-2025.exe (PID: 4188)
- Resets Windows Defender malware definitions to the base version
  - MpCmdRun.exe (PID: 7888)
- Stealers network behavior
  - RC7-2025.exe (PID: 4188)
- BLANKGRABBER has been detected (SURICATA)
  - RC7-2025.exe (PID: 4188)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 5956)
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 5956)
  - RC7-2025.exe (PID: 4380)
  - RC7-2025.exe (PID: 1128)
  - RC7-2025.exe (PID: 4188)
- Starts a Microsoft application from unusual location
  - RC7-2025.exe (PID: 3100)
  - RC7-2025.exe (PID: 4380)
  - RC7-2025.exe (PID: 1128)
  - RC7-2025.exe (PID: 4188)
- Application launched itself
  - RC7-2025.exe (PID: 4380)
  - RC7-2025.exe (PID: 1128)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 1056)
  - cmd.exe (PID: 6184)
  - cmd.exe (PID: 1056)
- Process drops python dynamic module
  - RC7-2025.exe (PID: 4380)
  - RC7-2025.exe (PID: 1128)
- Executable content was dropped or overwritten
  - RC7-2025.exe (PID: 4380)
  - RC7-2025.exe (PID: 1128)
  - RC7-2025.exe (PID: 4188)
- The process drops C-runtime libraries
  - RC7-2025.exe (PID: 4380)
  - RC7-2025.exe (PID: 1128)
- Changes default file association
  - reg.exe (PID: 2108)
- Found strings related to reading or modifying Windows Defender settings
  - RC7-2025.exe (PID: 3100)
  - RC7-2025.exe (PID: 4188)
- Uses WEVTUTIL.EXE to query events from a log or log file
  - cmd.exe (PID: 4108)
  - cmd.exe (PID: 1812)
- Starts CMD.EXE for commands execution
  - RC7-2025.exe (PID: 3100)
  - RC7-2025.exe (PID: 4188)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 2552)
  - cmd.exe (PID: 2984)
  - cmd.exe (PID: 6248)
  - cmd.exe (PID: 5512)
  - cmd.exe (PID: 1116)
  - cmd.exe (PID: 1660)
- Script disables Windows Defender's IPS
  - cmd.exe (PID: 2984)
- Script adds exclusion path to Windows Defender
  - cmd.exe (PID: 2552)
  - cmd.exe (PID: 6248)
- Script disables Windows Defender's real-time protection
  - cmd.exe (PID: 2984)
- Get information on the list of running processes
  - RC7-2025.exe (PID: 4188)
  - cmd.exe (PID: 6184)
  - cmd.exe (PID: 6392)
  - cmd.exe (PID: 1180)
- Uses NETSH.EXE to obtain data on the network
  - cmd.exe (PID: 4488)
- Uses SYSTEMINFO.EXE to read the environment
  - cmd.exe (PID: 3884)
- Uses WMIC.EXE to obtain Windows Installer data
  - cmd.exe (PID: 1188)
  - cmd.exe (PID: 7212)
- Starts application with an unusual extension
  - cmd.exe (PID: 856)
  - cmd.exe (PID: 7608)
  - cmd.exe (PID: 7688)
  - cmd.exe (PID: 7776)
  - cmd.exe (PID: 7824)
  - cmd.exe (PID: 7880)
- Accesses antivirus product name via WMI (SCRIPT)
  - WMIC.exe (PID: 7548)
- Uses WMIC.EXE to obtain operating system information
  - cmd.exe (PID: 4380)
- Uses WMIC.EXE to obtain computer system information
  - cmd.exe (PID: 4488)
- Accesses operating system name via WMI (SCRIPT)
  - WMIC.exe (PID: 7400)
- The executable file from the user directory is run by the CMD process
  - rar.exe (PID: 7312)
- Accesses product unique identifier via WMI (SCRIPT)
  - WMIC.exe (PID: 4736)
- Uses WMIC.EXE to obtain a list of video controllers
  - cmd.exe (PID: 6264)
- Accesses video controller name via WMI (SCRIPT)
  - WMIC.exe (PID: 7692)
- Checks for external IP
  - RC7-2025.exe (PID: 4188)
  - svchost.exe (PID: 2196)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 5956)
- The sample compiled with english language support
  - RC7-2025.exe (PID: 4380)
  - WinRAR.exe (PID: 5956)
  - RC7-2025.exe (PID: 1128)
  - RC7-2025.exe (PID: 4188)
- Checks supported languages
  - RC7-2025.exe (PID: 3100)
  - RC7-2025.exe (PID: 4380)
  - RC7-2025.exe (PID: 1128)
  - RC7-2025.exe (PID: 4188)
  - tree.com (PID: 7448)
  - tree.com (PID: 7708)
  - tree.com (PID: 7636)
  - tree.com (PID: 7852)
  - tree.com (PID: 7800)
  - tree.com (PID: 7904)
  - MpCmdRun.exe (PID: 7888)
  - rar.exe (PID: 7312)
- Create files in a temporary directory
  - RC7-2025.exe (PID: 4380)
  - RC7-2025.exe (PID: 3100)
  - RC7-2025.exe (PID: 1128)
  - RC7-2025.exe (PID: 4188)
  - rar.exe (PID: 7312)
  - MpCmdRun.exe (PID: 7888)
- Reads the machine GUID from the registry
  - RC7-2025.exe (PID: 3100)
  - RC7-2025.exe (PID: 4188)
  - rar.exe (PID: 7312)
- Reads the computer name
  - RC7-2025.exe (PID: 4380)
  - RC7-2025.exe (PID: 1128)
  - RC7-2025.exe (PID: 4188)
  - MpCmdRun.exe (PID: 7888)
- Reads security settings of Internet Explorer
  - ComputerDefaults.exe (PID: 6656)
  - WMIC.exe (PID: 7548)
  - Taskmgr.exe (PID: 8148)
  - WMIC.exe (PID: 7400)
  - WMIC.exe (PID: 7844)
  - WMIC.exe (PID: 7692)
  - WMIC.exe (PID: 4736)
- Creates files in the program directory
  - RC7-2025.exe (PID: 4188)
- Checks the directory tree
  - tree.com (PID: 7448)
  - tree.com (PID: 7708)
  - tree.com (PID: 7636)
  - tree.com (PID: 7800)
  - tree.com (PID: 7852)
  - tree.com (PID: 7904)
- The Powershell gets current clipboard
  - powershell.exe (PID: 7356)
- Manual execution by a user
  - Taskmgr.exe (PID: 8148)
  - Taskmgr.exe (PID: 8096)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 5504)
  - powershell.exe (PID: 4300)
  - powershell.exe (PID: 1764)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 4300)
  - powershell.exe (PID: 5504)
  - powershell.exe (PID: 1764)
- Displays MAC addresses of computer network adapters
  - getmac.exe (PID: 7380)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	0x0008
ZipCompression:	Deflated
ZipModifyDate:	2025:04:04 18:59:28
ZipCRC:	0x5d125307
ZipCompressedSize:	6859081
ZipUncompressedSize:	16777216
ZipFileName:	RC7-2025.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

211

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

516

reg delete hkcu\Software\Classes\ms-settings /f

C:\Windows\System32\reg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll

616

reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\admin\AppData\Local\Temp\Rar$EXa5956.31511\RC7-2025.exe" /f

C:\Windows\System32\reg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll

728

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

RC7-2025.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

856

C:\WINDOWS\system32\cmd.exe /c "tree /A /F"

C:\Windows\System32\cmd.exe

—

RC7-2025.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

1056

C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\admin\AppData\Local\Temp\Rar$EXa5956.31511\RC7-2025.exe" /f"

C:\Windows\System32\cmd.exe

—

RC7-2025.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

1056

C:\WINDOWS\system32\cmd.exe /c "reg delete hkcu\Software\Classes\ms-settings /f"

C:\Windows\System32\cmd.exe

—

RC7-2025.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

1116

C:\WINDOWS\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\cmd.exe

—

RC7-2025.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

1128

"C:\Users\admin\AppData\Local\Temp\Rar$EXa5956.31511\RC7-2025.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXa5956.31511\RC7-2025.exe

ComputerDefaults.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

AppID Certificate Store Verification Task

Exit code:

Version:

10.0.22621.4830 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\appdata\local\temp\rar$exa5956.31511\rc7-2025.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1180

C:\WINDOWS\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\System32\cmd.exe

—

RC7-2025.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

1188

C:\WINDOWS\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\System32\cmd.exe

—

RC7-2025.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

Add for printing

Total events

48 781

Read events

48 759

Write events

Delete events

Modification events


(PID) Process:	(5956) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(5956) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(5956) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(5956) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\RC7-Reimagined.zip
(PID) Process:	(5956) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(5956) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(5956) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(5956) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(2108) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:	write	Name:	DelegateExecute
Value:
(PID) Process:	(6656) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:

Add for printing

Executable files

118

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5956	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa5956.31511\RC7-2025.exe		executable
		MD5:5D9A3B6CAC6004255DB14B943C4BA748	SHA256:1858509F47AED77652012770B7C9B505FD99BCF9AF84E8DC7F617E4949F71ADF
4380	RC7-2025.exe	C:\Users\admin\AppData\Local\Temp\_MEI43802\_socket.pyd		executable
		MD5:E1ED9834A361090F081982A46848335D	SHA256:6EA35EC2CC5F3E4D31AEB254A4C9EDCB837F01E95FBED8ECA3A1AEDAF73CDAA7
4380	RC7-2025.exe	C:\Users\admin\AppData\Local\Temp\_MEI43802\_bz2.pyd		executable
		MD5:0AC171ABA6E08DC61B4C2D69169D9D87	SHA256:7997BF38C683B1443B785A0916C434FE70EA09DD137138C16F846AA279641D9B
4380	RC7-2025.exe	C:\Users\admin\AppData\Local\Temp\_MEI43802\_decimal.pyd		executable
		MD5:EED5E0ABDD4EF0E278B6031962611C62	SHA256:C647AD464CA1657E9263DC85BF1F814AC441E47555E9A7E080FE5E8AAF7F9CE3
4380	RC7-2025.exe	C:\Users\admin\AppData\Local\Temp\_MEI43802\_queue.pyd		executable
		MD5:12B7D70195BD2D3BBAFB09DF34CBAB2C	SHA256:332BBFC7B9BDB3EB0231DC0BBAE591E7643FE52B01BCAF0E70A443D969D572E2
4380	RC7-2025.exe	C:\Users\admin\AppData\Local\Temp\_MEI43802\api-ms-win-core-datetime-l1-1-0.dll		executable
		MD5:9F8E3E48E50CC817581FCF8C4412FD16	SHA256:4E8C54B23D5C0D5B388D7C0182DA2E3AFC9819073640E83B753F517D5CF77AEB
4380	RC7-2025.exe	C:\Users\admin\AppData\Local\Temp\_MEI43802\api-ms-win-core-file-l2-1-0.dll		executable
		MD5:18A078BF6941F50FC3158B749441B9CE	SHA256:637E9A34044C366B9B004E62EE15AA4875E344A5A6B7634C803A40D95883D7CC
4380	RC7-2025.exe	C:\Users\admin\AppData\Local\Temp\_MEI43802\api-ms-win-core-debug-l1-1-0.dll		executable
		MD5:6DF69A0BEE972D981517A031759AB800	SHA256:29354CBE6E808AE1B1C187AAFE5F2A66D8CB5B4ED7EF3F830884C7C02171305F
4380	RC7-2025.exe	C:\Users\admin\AppData\Local\Temp\_MEI43802\_ctypes.pyd		executable
		MD5:BB763DFB8A25E3C0E469DEC3925F556D	SHA256:0365A408E68C8743C9E7DEC218DC2935C46921EEF1938DAEB3EFCCE8F882ECD2
4380	RC7-2025.exe	C:\Users\admin\AppData\Local\Temp\_MEI43802\api-ms-win-core-errorhandling-l1-1-0.dll		executable
		MD5:E783C4599529D988E6DD51F602A3852E	SHA256:CFCE9BFBE11B534E1FC28D59EFED233B7490F081380A016B45B2357B4BE1F173

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6544	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7424	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7424	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
4188	RC7-2025.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/?fields=225545	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	20.197.71.89:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	SG	whitelisted
6544	svchost.exe	20.190.160.2:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
2104	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4188	RC7-2025.exe	172.217.16.195:443	gstatic.com	GOOGLE	US	whitelisted
7424	SIHClient.exe	172.202.163.200:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 20.73.194.208	whitelisted
crl.microsoft.com	2.16.164.49 2.16.164.9	whitelisted
google.com	142.250.185.206	whitelisted
client.wns.windows.com	20.197.71.89	whitelisted
login.live.com	20.190.160.2 20.190.160.132 20.190.160.67 20.190.160.131 20.190.160.3 20.190.160.14 40.126.32.140 40.126.32.74	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted
gstatic.com	172.217.16.195	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted

Threats

PID	Process	Class	Message
2196	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2196	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2196	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
4188	RC7-2025.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
2196	svchost.exe	Misc activity	ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
4188	RC7-2025.exe	A Network Trojan was detected	STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
4188	RC7-2025.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
4188	RC7-2025.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)

Add for printing

No debug info

General Info

RC7-Reimagined.zip

8C33FF7DCAC36E4AA6AD9EA2B2CA7702

EEED186ECC4730A1AC22DD9B4DD9C577D8752891

1F8A1675C871E91F6E11C7354ED2757D69C0CA18A8D536BFA65799700E2971CC

98304:CA2rEyA6ris6xErjEunvpLgCvcBzC7y2I+1kOc5vBPzUtLM1+StJWH+O5dh7T8tk:6UMA7JfO

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

BlankGrabber has been detected

Bypass User Account Control (Modify registry)

Bypass User Account Control (ComputerDefaults)

Create files in the Startup directory

Adds path to the Windows Defender exclusion list

Changes Windows Defender settings

Changes Controlled Folder Access settings

Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

Changes settings for protection against network attacks (IPS)

Antivirus name has been found in the command line (generic signature)

Changes settings for real-time protection

Changes settings for reporting to Microsoft Active Protection Service (MAPS)

Changes settings for sending potential threat samples to Microsoft servers

Changes settings for checking scripts for malicious actions

Steals credentials from Web Browsers

Actions looks like stealing of personal data

Resets Windows Defender malware definitions to the base version

Stealers network behavior

BLANKGRABBER has been detected (SURICATA)

SUSPICIOUS

Reads security settings of Internet Explorer

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Application launched itself

Uses REG/REGEDIT.EXE to modify registry

Process drops python dynamic module

Executable content was dropped or overwritten

The process drops C-runtime libraries

Changes default file association

Found strings related to reading or modifying Windows Defender settings

Uses WEVTUTIL.EXE to query events from a log or log file

Starts CMD.EXE for commands execution

Starts POWERSHELL.EXE for commands execution

Script disables Windows Defender's IPS

Script adds exclusion path to Windows Defender

Script disables Windows Defender's real-time protection

Get information on the list of running processes

Uses NETSH.EXE to obtain data on the network

Uses SYSTEMINFO.EXE to read the environment

Uses WMIC.EXE to obtain Windows Installer data

Starts application with an unusual extension

Accesses antivirus product name via WMI (SCRIPT)

Uses WMIC.EXE to obtain operating system information

Uses WMIC.EXE to obtain computer system information

Accesses operating system name via WMI (SCRIPT)

The executable file from the user directory is run by the CMD process

Accesses product unique identifier via WMI (SCRIPT)

Uses WMIC.EXE to obtain a list of video controllers

Accesses video controller name via WMI (SCRIPT)

Checks for external IP

INFO

Executable content was dropped or overwritten

The sample compiled with english language support

Checks supported languages

Create files in a temporary directory

Reads the machine GUID from the registry

Reads the computer name

Reads security settings of Internet Explorer

Creates files in the program directory

Checks the directory tree

The Powershell gets current clipboard

Manual execution by a user

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Displays MAC addresses of computer network adapters

Malware configuration

Static information

TRiD