Malware analysis pccheck.exe Malicious activity | ANY.RUN

Add for printing

File name:	pccheck.exe
Full analysis:	https://app.any.run/tasks/8c20b751-e2e2-4d0f-881c-6e3a0f75137a
Verdict:	Malicious activity
Threats:	Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 05, 2025, 18:10:57
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion stealer blankgrabber uac screenshot python
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:	88549B37C08878A000725FF5570FC42A
SHA1:	1BDEC0348F2CD8B65D502E952D8115DE28F8FF26
SHA256:	24C87721421F2DBE29535B41BBB5529D4B7EA961A21F3B80832B98CA75BCB1B1
SSDEEP:	98304:tJ3EOOzhJ8QKCt7bm6GpJ0SDao1uKSolBpmNcCpGi5TMSN3PSPQvJVfPVNbequa7:eZpp8Ygtjf45

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Executing a file with an untrusted certificate
  - pccheck.exe (PID: 3796)
  - pccheck.exe (PID: 6276)
- BlankGrabber has been detected
  - pccheck.exe (PID: 3796)
- Bypass User Account Control (Modify registry)
  - reg.exe (PID: 6540)
- Create files in the Startup directory
  - pccheck.exe (PID: 6320)
- Actions looks like stealing of personal data
  - pccheck.exe (PID: 6320)
- Adds path to the Windows Defender exclusion list
  - pccheck.exe (PID: 6320)
- BLANKGRABBER has been detected (SURICATA)
  - pccheck.exe (PID: 6320)
SUSPICIOUS
- Process drops legitimate windows executable
  - pccheck.exe (PID: 3796)
  - pccheck.exe (PID: 6320)
- Starts a Microsoft application from unusual location
  - pccheck.exe (PID: 3796)
  - pccheck.exe (PID: 6276)
- Executable content was dropped or overwritten
  - pccheck.exe (PID: 3796)
  - pccheck.exe (PID: 6320)
- The process drops C-runtime libraries
  - pccheck.exe (PID: 3796)
- Process drops python dynamic module
  - pccheck.exe (PID: 3796)
- Application launched itself
  - pccheck.exe (PID: 3796)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 6380)
  - cmd.exe (PID: 6476)
- Loads Python modules
  - pccheck.exe (PID: 6276)
- Starts CMD.EXE for commands execution
  - pccheck.exe (PID: 6276)
  - pccheck.exe (PID: 6320)
- Changes default file association
  - reg.exe (PID: 6540)
- Found strings related to reading or modifying Windows Defender settings
  - pccheck.exe (PID: 6320)
  - pccheck.exe (PID: 6276)
- Uses WEVTUTIL.EXE to query events from a log or log file
  - cmd.exe (PID: 6572)
- Get information on the list of running processes
  - pccheck.exe (PID: 6320)
- Checks for external IP
  - pccheck.exe (PID: 6320)
  - svchost.exe (PID: 2192)
INFO
- The sample compiled with english language support
  - pccheck.exe (PID: 3796)
  - pccheck.exe (PID: 6320)
- Checks supported languages
  - pccheck.exe (PID: 3796)
  - pccheck.exe (PID: 6276)
- Reads the computer name
  - pccheck.exe (PID: 3796)
- Create files in a temporary directory
  - pccheck.exe (PID: 3796)
  - pccheck.exe (PID: 6276)
  - pccheck.exe (PID: 6320)
- Creates files in the program directory
  - pccheck.exe (PID: 6320)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2024:12:26 22:36:46+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.41
CodeSize:	172032
InitializedDataSize:	94208
UninitializedDataSize:	-
EntryPoint:	0xce20
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	10.0.19041.4355
ProductVersionNumber:	10.0.19041.4355
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Tool for managing the Kerberos ticket cache
FileVersion:	10.0.19041.4355 (WinBuild.160101.0800)
InternalName:	klist.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	klist.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	10.0.19041.4355

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

248

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2192

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

3796

"C:\Users\admin\AppData\Local\Temp\pccheck.exe"

C:\Users\admin\AppData\Local\Temp\pccheck.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Tool for managing the Kerberos ticket cache

Version:

10.0.19041.4355 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\appdata\local\temp\pccheck.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

6276

"C:\Users\admin\AppData\Local\Temp\pccheck.exe"

C:\Users\admin\AppData\Local\Temp\pccheck.exe

—

pccheck.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Tool for managing the Kerberos ticket cache

Version:

10.0.19041.4355 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\appdata\local\temp\pccheck.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

6320

"C:\Users\admin\AppData\Local\Temp\pccheck.exe"

C:\Users\admin\AppData\Local\Temp\pccheck.exe

—

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Tool for managing the Kerberos ticket cache

Version:

10.0.19041.4355 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sspicli.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\avicap32.dll
c:\windows\system32\msvfw32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dciman32.dll
c:\windows\system32\winmmbase.dll
c:\windows\system32\mmdevapi.dll

6380

C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\admin\AppData\Local\Temp\pccheck.exe" /f"

C:\Windows\System32\cmd.exe

—

pccheck.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

6396

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6444

reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\admin\AppData\Local\Temp\pccheck.exe" /f

C:\Windows\System32\reg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

6476

C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f"

C:\Windows\System32\cmd.exe

—

pccheck.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

6492

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6540

reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f

C:\Windows\System32\reg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

Add for printing

Total events

13 485

Read events

13 481

Write events

Delete events

Modification events


(PID) Process:	(6540) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:	write	Name:	DelegateExecute
Value:
(PID) Process:	(6320) pccheck.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib
Operation:	write	Name:	1280x720x32(BGR 0)
Value: 31,31,31,31
(PID) Process:	(8096) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdHigh
Value: 31154077
(PID) Process:	(8096) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdLow
Value: 908189740

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3796	pccheck.exe	C:\Users\admin\AppData\Local\Temp\_MEI37962\VCRUNTIME140.dll		executable
		MD5:F12681A472B9DD04A812E16096514974	SHA256:D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
3796	pccheck.exe	C:\Users\admin\AppData\Local\Temp\_MEI37962\_bz2.pyd		executable
		MD5:0C13627F114F346604B0E8CBC03BAF29	SHA256:DF1E666B55AAE6EDE59EF672D173BD0D64EF3E824A64918E081082B8626A5861
3796	pccheck.exe	C:\Users\admin\AppData\Local\Temp\_MEI37962\_queue.pyd		executable
		MD5:FBBBFBCDCF0A7C1611E27F4B3B71079E	SHA256:699C1F0F0387511EF543C0DF7EF81A13A1CFFDE4CE4CD43A1BAF47A893B99163
3796	pccheck.exe	C:\Users\admin\AppData\Local\Temp\_MEI37962\_ssl.pyd		executable
		MD5:156B1FA2F11C73ED25F63EE20E6E4B26	SHA256:A9B5F6C7A94FB6BFAF82024F906465FF39F9849E4A72A98A9B03FC07BF26DA51
3796	pccheck.exe	C:\Users\admin\AppData\Local\Temp\_MEI37962\libffi-8.dll		executable
		MD5:90A6B0264A81BB8436419517C9C232FA	SHA256:5C4A0D4910987A38A3CD31EAE5F1C909029F7762D1A5FAF4A2E2A7E9B1ABAB79
3796	pccheck.exe	C:\Users\admin\AppData\Local\Temp\_MEI37962\base_library.zip		compressed
		MD5:2A138E2EE499D3BA2FC4AFAEF93B7CAA	SHA256:130E506EAD01B91B60D6D56072C468AEB5457DD0F2ECD6CE17DFCBB7D51A1F8C
3796	pccheck.exe	C:\Users\admin\AppData\Local\Temp\_MEI37962\python311.dll		executable
		MD5:BB46B85029B543B70276AD8E4C238799	SHA256:72C24E1DB1BA4DF791720A93CA9502D77C3738EEBF8B9092A5D82AA8D80121D0
3796	pccheck.exe	C:\Users\admin\AppData\Local\Temp\_MEI37962\libssl-1_1.dll		executable
		MD5:EAC369B3FDE5C6E8955BD0B8E31D0830	SHA256:60771FB23EE37B4414D364E6477490324F142A907308A691F3DD88DC25E38D6C
3796	pccheck.exe	C:\Users\admin\AppData\Local\Temp\_MEI37962\libcrypto-1_1.dll		executable
		MD5:DAA2EED9DCEAFAEF826557FF8A754204	SHA256:4DAB915333D42F071FE466DF5578FD98F38F9E0EFA6D9355E9B4445FFA1CA914
3796	pccheck.exe	C:\Users\admin\AppData\Local\Temp\_MEI37962\rar.exe		executable
		MD5:9C223575AE5B9544BC3D69AC6364F75E	SHA256:90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.48.23.194:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6320	pccheck.exe	GET	—	208.95.112.1:80	http://ip-api.com/json/?fields=225545	unknown	—	—	shared
6320	pccheck.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	unknown	—	—	shared

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3220	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	23.48.23.194:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5064	SearchApp.exe	104.126.37.170:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1176	svchost.exe	40.126.32.68:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1176	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
5064	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
crl.microsoft.com	23.48.23.194 23.48.23.137 23.48.23.176 23.48.23.191 23.48.23.180 23.48.23.177 23.48.23.147 23.48.23.181 23.48.23.139	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
google.com	142.250.181.238	whitelisted
www.bing.com	104.126.37.170 104.126.37.128 104.126.37.162 104.126.37.185 104.126.37.131 104.126.37.129 104.126.37.130 104.126.37.171 104.126.37.178	whitelisted
login.live.com	40.126.32.68 20.190.160.22 20.190.160.17 40.126.32.140 20.190.160.20 40.126.32.133 40.126.32.136 40.126.32.72	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
go.microsoft.com	23.218.210.69	whitelisted
blank-usok7.in	—	unknown
ip-api.com	208.95.112.1	shared

Threats

PID	Process	Class	Message
6320	pccheck.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
2192	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2192	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
6320	pccheck.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
6320	pccheck.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
2192	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
6320	pccheck.exe	A Network Trojan was detected	STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check

Add for printing

No debug info

General Info

pccheck.exe

88549B37C08878A000725FF5570FC42A

1BDEC0348F2CD8B65D502E952D8115DE28F8FF26

24C87721421F2DBE29535B41BBB5529D4B7EA961A21F3B80832B98CA75BCB1B1

98304:tJ3EOOzhJ8QKCt7bm6GpJ0SDao1uKSolBpmNcCpGi5TMSN3PSPQvJVfPVNbequa7:eZpp8Ygtjf45

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

BlankGrabber has been detected

Bypass User Account Control (Modify registry)

Create files in the Startup directory

Actions looks like stealing of personal data

Adds path to the Windows Defender exclusion list

BLANKGRABBER has been detected (SURICATA)

SUSPICIOUS

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Executable content was dropped or overwritten

The process drops C-runtime libraries

Process drops python dynamic module

Application launched itself

Uses REG/REGEDIT.EXE to modify registry

Loads Python modules

Starts CMD.EXE for commands execution

Changes default file association

Found strings related to reading or modifying Windows Defender settings

Uses WEVTUTIL.EXE to query events from a log or log file

Get information on the list of running processes

Checks for external IP

INFO

The sample compiled with english language support

Checks supported languages

Reads the computer name

Create files in a temporary directory

Creates files in the program directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings