Malware analysis Update.exe Malicious activity | ANY.RUN

Add for printing

File name:	Update.exe
Full analysis:	https://app.any.run/tasks/0c9509f6-4598-4532-adee-62409a1159e1
Verdict:	Malicious activity
Threats:	Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 22, 2024, 14:20:48
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	pyinstaller growtopia stealer discordgrabber generic susp-powershell ims-api upx evasion blankgrabber telegram opendir python loader uac crypto-regex miner
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	663678DC0BEF5DB3D7CD0C78AEEA7625
SHA1:	0E5652D0E200EC9CC1F58CBDB40690E6F98A08D3
SHA256:	46A4D503B31F1DC54B9BEDA9A12D91B382BF491E7B354FFA3DF174050B96D799
SSDEEP:	98304:R6CGu8MFZlu/gbH90KU+meINVq6rtto10wFsBojI9tXBnFeVjRP3H8YHx9IqVpFk:94f9dPiZg+jkAOggemz5o+j

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- BlankGrabber has been detected
  - Update.exe (PID: 6764)
  - Update.exe (PID: 5088)
  - bound.exe (PID: 6680)
- Adds path to the Windows Defender exclusion list
  - Update.exe (PID: 3880)
  - cmd.exe (PID: 2264)
  - cmd.exe (PID: 4540)
  - cmd.exe (PID: 2508)
  - bound.exe (PID: 1116)
  - cmd.exe (PID: 7568)
  - cmd.exe (PID: 7492)
  - Update2.exe (PID: 8656)
  - cmd.exe (PID: 7836)
  - cmd.exe (PID: 5984)
  - cmd.exe (PID: 7844)
- Antivirus name has been found in the command line (generic signature)
  - cmd.exe (PID: 4048)
  - cmd.exe (PID: 7500)
  - MpCmdRun.exe (PID: 8504)
  - MpCmdRun.exe (PID: 7956)
  - cmd.exe (PID: 7336)
  - MpCmdRun.exe (PID: 6676)
- Create files in the Startup directory
  - Update.exe (PID: 3880)
  - bound.exe (PID: 1116)
- Windows Defender preferences modified via 'Set-MpPreference'
  - cmd.exe (PID: 4048)
  - cmd.exe (PID: 7500)
  - cmd.exe (PID: 7336)
- Actions looks like stealing of personal data
  - Update.exe (PID: 3880)
  - bound.exe (PID: 1116)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 7216)
  - powershell.exe (PID: 8356)
  - powershell.exe (PID: 7892)
- Changes powershell execution policy (Bypass)
  - cmd.exe (PID: 3324)
  - cmd.exe (PID: 6936)
  - cmd.exe (PID: 8380)
- DISCORDGRABBER has been detected (YARA)
  - Update.exe (PID: 3880)
  - Update2.exe (PID: 8656)
- GROWTOPIA has been detected (YARA)
  - Update.exe (PID: 3880)
  - Update2.exe (PID: 8656)
- Stealers network behavior
  - Update.exe (PID: 3880)
  - bound.exe (PID: 1116)
- BLANKGRABBER has been detected (SURICATA)
  - bound.exe (PID: 1116)
  - Update.exe (PID: 3880)
- Bypass User Account Control (ComputerDefaults)
  - ComputerDefaults.exe (PID: 6788)
- Adds extension to the Windows Defender exclusion list
  - Build.exe (PID: 7248)
  - nfblozsybbjy.exe (PID: 6684)
SUSPICIOUS
- Executable content was dropped or overwritten
  - Update.exe (PID: 5088)
  - Update.exe (PID: 6764)
  - Update.exe (PID: 3880)
  - bound.exe (PID: 6680)
  - bound.exe (PID: 1116)
  - csc.exe (PID: 8944)
  - csc.exe (PID: 7688)
  - Update2.exe (PID: 7660)
  - Update2.exe (PID: 7460)
  - Update2.exe (PID: 8656)
  - bound.exe (PID: 4976)
  - csc.exe (PID: 7860)
  - Build.exe (PID: 7248)
  - nfblozsybbjy.exe (PID: 6684)
- Starts a Microsoft application from unusual location
  - Update.exe (PID: 6548)
  - Update.exe (PID: 5088)
  - Update.exe (PID: 6764)
  - Update.exe (PID: 3880)
  - bound.exe (PID: 6680)
  - bound.exe (PID: 1116)
- Reads security settings of Internet Explorer
  - Update.exe (PID: 6548)
- The process drops C-runtime libraries
  - Update.exe (PID: 5088)
  - bound.exe (PID: 6680)
  - Update.exe (PID: 6764)
  - Update2.exe (PID: 7460)
  - Update2.exe (PID: 7660)
- Process drops python dynamic module
  - Update.exe (PID: 5088)
  - Update.exe (PID: 6764)
  - bound.exe (PID: 6680)
  - Update2.exe (PID: 7660)
  - Update2.exe (PID: 7460)
- Application launched itself
  - Update.exe (PID: 5088)
  - Update.exe (PID: 6548)
  - Update.exe (PID: 6764)
  - bound.exe (PID: 6680)
  - Update2.exe (PID: 7660)
  - Update2.exe (PID: 7460)
- Loads Python modules
  - Update.exe (PID: 6548)
  - Update.exe (PID: 3880)
  - bound.exe (PID: 1116)
- Reads the date of Windows installation
  - Update.exe (PID: 6548)
- Process drops legitimate windows executable
  - Update.exe (PID: 6764)
  - Update.exe (PID: 5088)
  - Update.exe (PID: 3880)
  - bound.exe (PID: 6680)
  - bound.exe (PID: 1116)
  - firefox.exe (PID: 3316)
  - Update2.exe (PID: 7460)
  - Update2.exe (PID: 7660)
  - Update2.exe (PID: 8656)
- Starts CMD.EXE for commands execution
  - Update.exe (PID: 3880)
  - bound.exe (PID: 1116)
  - Update2.exe (PID: 6404)
  - Update2.exe (PID: 8656)
  - Build.exe (PID: 7248)
  - nfblozsybbjy.exe (PID: 6684)
- The executable file from the user directory is run by the CMD process
  - bound.exe (PID: 6680)
  - rar.exe (PID: 7828)
  - rar.exe (PID: 8528)
  - bound.exe (PID: 4976)
  - rar.exe (PID: 6828)
- Found strings related to reading or modifying Windows Defender settings
  - Update.exe (PID: 3880)
  - bound.exe (PID: 1116)
  - Update2.exe (PID: 6404)
  - Update2.exe (PID: 8656)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 4048)
  - cmd.exe (PID: 4540)
  - cmd.exe (PID: 2264)
  - cmd.exe (PID: 2508)
  - cmd.exe (PID: 6436)
  - cmd.exe (PID: 3324)
  - cmd.exe (PID: 7492)
  - cmd.exe (PID: 7568)
  - cmd.exe (PID: 7944)
  - cmd.exe (PID: 7500)
  - cmd.exe (PID: 6936)
  - cmd.exe (PID: 7400)
  - cmd.exe (PID: 4688)
  - cmd.exe (PID: 5000)
  - cmd.exe (PID: 1244)
  - cmd.exe (PID: 5248)
  - cmd.exe (PID: 8656)
  - cmd.exe (PID: 8248)
  - cmd.exe (PID: 7336)
  - cmd.exe (PID: 7836)
  - cmd.exe (PID: 7844)
  - cmd.exe (PID: 5984)
  - cmd.exe (PID: 8228)
  - cmd.exe (PID: 8380)
  - cmd.exe (PID: 8036)
  - cmd.exe (PID: 4756)
  - cmd.exe (PID: 8408)
  - cmd.exe (PID: 2964)
  - Build.exe (PID: 7248)
  - nfblozsybbjy.exe (PID: 6684)
  - cmd.exe (PID: 7864)
- Script adds exclusion path to Windows Defender
  - cmd.exe (PID: 4540)
  - cmd.exe (PID: 2264)
  - cmd.exe (PID: 2508)
  - cmd.exe (PID: 7568)
  - cmd.exe (PID: 7492)
  - cmd.exe (PID: 7836)
  - cmd.exe (PID: 7844)
  - cmd.exe (PID: 5984)
  - Build.exe (PID: 7248)
  - nfblozsybbjy.exe (PID: 6684)
- Script disables Windows Defender's IPS
  - cmd.exe (PID: 4048)
  - cmd.exe (PID: 7500)
  - cmd.exe (PID: 7336)
- Script disables Windows Defender's real-time protection
  - cmd.exe (PID: 4048)
  - cmd.exe (PID: 7500)
  - cmd.exe (PID: 7336)
- Get information on the list of running processes
  - Update.exe (PID: 3880)
  - cmd.exe (PID: 1448)
  - cmd.exe (PID: 6684)
  - cmd.exe (PID: 7764)
  - cmd.exe (PID: 7716)
  - bound.exe (PID: 1116)
  - cmd.exe (PID: 4680)
  - cmd.exe (PID: 8164)
  - Update2.exe (PID: 8656)
  - cmd.exe (PID: 6224)
  - cmd.exe (PID: 5092)
  - cmd.exe (PID: 3548)
- Uses WMIC.EXE to obtain Windows Installer data
  - cmd.exe (PID: 5220)
  - cmd.exe (PID: 7924)
  - cmd.exe (PID: 5408)
  - cmd.exe (PID: 888)
  - cmd.exe (PID: 3696)
  - cmd.exe (PID: 9060)
- Uses SYSTEMINFO.EXE to read the environment
  - cmd.exe (PID: 6768)
  - cmd.exe (PID: 7076)
  - cmd.exe (PID: 2040)
- Base64-obfuscated command line is found
  - cmd.exe (PID: 3324)
  - cmd.exe (PID: 6936)
  - cmd.exe (PID: 8380)
- BASE64 encoded PowerShell command has been detected
  - cmd.exe (PID: 3324)
  - cmd.exe (PID: 6936)
  - cmd.exe (PID: 8380)
- The process bypasses the loading of PowerShell profile settings
  - cmd.exe (PID: 3324)
  - cmd.exe (PID: 6936)
  - cmd.exe (PID: 8380)
- Uses NETSH.EXE to obtain data on the network
  - cmd.exe (PID: 6312)
  - cmd.exe (PID: 6320)
  - cmd.exe (PID: 5532)
- Starts application with an unusual extension
  - cmd.exe (PID: 6596)
  - cmd.exe (PID: 7460)
  - cmd.exe (PID: 8100)
  - cmd.exe (PID: 7324)
  - cmd.exe (PID: 8588)
  - cmd.exe (PID: 8560)
  - cmd.exe (PID: 9076)
  - cmd.exe (PID: 9028)
  - cmd.exe (PID: 9012)
  - cmd.exe (PID: 6592)
  - cmd.exe (PID: 8748)
  - cmd.exe (PID: 8276)
  - cmd.exe (PID: 3356)
  - cmd.exe (PID: 864)
  - cmd.exe (PID: 3924)
  - cmd.exe (PID: 7312)
  - cmd.exe (PID: 8408)
  - cmd.exe (PID: 2144)
- Accesses antivirus product name via WMI (SCRIPT)
  - WMIC.exe (PID: 4780)
- Possible usage of Discord/Telegram API has been detected (YARA)
  - Update.exe (PID: 3880)
  - Update2.exe (PID: 8656)
- Uses WMIC.EXE to obtain operating system information
  - cmd.exe (PID: 7344)
  - cmd.exe (PID: 6728)
  - cmd.exe (PID: 3924)
- Uses WMIC.EXE to obtain computer system information
  - cmd.exe (PID: 8336)
  - cmd.exe (PID: 5044)
  - cmd.exe (PID: 8736)
- Uses WMIC.EXE to obtain a list of video controllers
  - cmd.exe (PID: 368)
  - cmd.exe (PID: 9152)
  - cmd.exe (PID: 6956)
- Checks for external IP
  - svchost.exe (PID: 2256)
  - Update.exe (PID: 3880)
  - bound.exe (PID: 1116)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - bound.exe (PID: 1116)
  - Update.exe (PID: 3880)
- Potential Corporate Privacy Violation
  - firefox.exe (PID: 3316)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 5000)
  - cmd.exe (PID: 7904)
  - cmd.exe (PID: 4748)
- Uses WEVTUTIL.EXE to query events from a log or log file
  - cmd.exe (PID: 7544)
  - cmd.exe (PID: 2944)
- Script adds exclusion extension to Windows Defender
  - Build.exe (PID: 7248)
  - nfblozsybbjy.exe (PID: 6684)
- Starts SC.EXE for service management
  - Build.exe (PID: 7248)
  - nfblozsybbjy.exe (PID: 6684)
- Process uninstalls Windows update
  - wusa.exe (PID: 6152)
  - wusa.exe (PID: 8320)
- Executes as Windows Service
  - nfblozsybbjy.exe (PID: 6684)
- Found regular expressions for crypto-addresses (YARA)
  - lf6o4T3T.exe (PID: 7524)
- Drops a system driver (possible attempt to evade defenses)
  - nfblozsybbjy.exe (PID: 6684)
INFO
- Checks supported languages
  - Update.exe (PID: 5088)
  - Update.exe (PID: 6548)
  - Update.exe (PID: 6764)
  - bound.exe (PID: 6680)
  - Update.exe (PID: 3880)
  - tree.com (PID: 7256)
  - tree.com (PID: 7856)
  - bound.exe (PID: 1116)
- Reads the computer name
  - Update.exe (PID: 6548)
  - Update.exe (PID: 6764)
  - Update.exe (PID: 5088)
  - bound.exe (PID: 6680)
  - Update.exe (PID: 3880)
  - bound.exe (PID: 1116)
- Create files in a temporary directory
  - Update.exe (PID: 6548)
  - Update.exe (PID: 5088)
  - Update.exe (PID: 6764)
  - Update.exe (PID: 3880)
  - bound.exe (PID: 6680)
  - bound.exe (PID: 1116)
- Reads the machine GUID from the registry
  - Update.exe (PID: 6548)
  - Update.exe (PID: 3880)
  - bound.exe (PID: 1116)
- The process uses the downloaded file
  - Update.exe (PID: 6548)
- Process checks computer location settings
  - Update.exe (PID: 6548)
- Creates files in the program directory
  - Update.exe (PID: 3880)
  - bound.exe (PID: 1116)
- The Powershell gets current clipboard
  - powershell.exe (PID: 6800)
  - powershell.exe (PID: 7476)
  - powershell.exe (PID: 5180)
- Reads security settings of Internet Explorer
  - WMIC.exe (PID: 4780)
- PyInstaller has been detected (YARA)
  - Update.exe (PID: 6764)
  - Update.exe (PID: 3880)
  - bound.exe (PID: 6680)
  - Update2.exe (PID: 7460)
  - Update2.exe (PID: 8656)
- Found Base64 encoded reflection usage via PowerShell (YARA)
  - Update.exe (PID: 3880)
  - Update2.exe (PID: 8656)
- Application launched itself
  - firefox.exe (PID: 6756)
  - firefox.exe (PID: 3316)
- Displays MAC addresses of computer network adapters
  - getmac.exe (PID: 5044)
  - getmac.exe (PID: 8640)
  - getmac.exe (PID: 8164)
- Manual execution by a user
  - firefox.exe (PID: 6756)
- UPX packer has been detected
  - Update.exe (PID: 3880)
  - Update2.exe (PID: 8656)
- Executable content was dropped or overwritten
  - firefox.exe (PID: 3316)
- Attempting to use instant messaging service
  - svchost.exe (PID: 2256)
  - Update.exe (PID: 3880)
  - bound.exe (PID: 1116)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2024:09:18 17:35:55+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.4
CodeSize:	172032
InitializedDataSize:	94208
UninitializedDataSize:	-
EntryPoint:	0xcdb0
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	10.0.14393.0
ProductVersionNumber:	10.0.14393.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Microsoft\fsavailux
FileVersion:	10.0.14393.0 (rs1_release.160715-1616)
InternalName:	fsavailux.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	fsavailux.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	10.0.14393.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

479

Monitored processes

350

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

360

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

368

C:\WINDOWS\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\cmd.exe

—

bound.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

644

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

864

C:\WINDOWS\system32\cmd.exe /c "tree /A /F"

C:\Windows\System32\cmd.exe

—

Update2.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

888

C:\WINDOWS\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\cmd.exe

—

bound.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

1116

bound.exe

C:\Users\admin\AppData\Local\Temp\bound.exe

bound.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

DirectPlay Stub

Exit code:

Version:

10.0.14393.0 (rs1_release.160715-1616)

Modules

Images
c:\users\admin\appdata\local\temp\bound.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

1124

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

1128

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\System32\wbem\WMIC.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

WMI Commandline Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

1148

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1244

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

Add for printing

Total events

140 473

Read events

140 457

Write events

Delete events

Modification events


(PID) Process:	(3880) Update.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib
Operation:	write	Name:	1280x720x32(BGR 0)
Value: 31,31,31,31
(PID) Process:	(8800) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdHigh
Value: 31132922
(PID) Process:	(8800) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdLow
Value:
(PID) Process:	(3316) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0
(PID) Process:	(3316) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(7548) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:	write	Name:	DelegateExecute
Value:
(PID) Process:	(6788) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(6788) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6788) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6788) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

Add for printing

Executable files

107

Suspicious files

235

Text files

220

Unknown types

Dropped files

PID	Process	Filename		Type
5088	Update.exe	C:\Users\admin\AppData\Local\Temp\_MEI50882\bound.blank		—
		MD5:—	SHA256:—
5088	Update.exe	C:\Users\admin\AppData\Local\Temp\_MEI50882\libssl-1_1.dll		executable
		MD5:AD0A2B4286A43A0EF05F452667E656DB	SHA256:2AF3D965863018C66C2A9A2D66072FE3657BBD0B900473B9BBDCAC8091686AE1
5088	Update.exe	C:\Users\admin\AppData\Local\Temp\_MEI50882\_ssl.pyd		executable
		MD5:9A7AB96204E505C760921B98E259A572	SHA256:CAE09BBBB12AA339FD9226698E7C7F003A26A95390C7DC3A2D71A1E540508644
5088	Update.exe	C:\Users\admin\AppData\Local\Temp\_MEI50882\_queue.pyd		executable
		MD5:BEBC7743E8AF7A812908FCB4CDD39168	SHA256:CC275B2B053410C6391339149BAF5B58DF121A915D18B889F184BE02BEDAF9BC
5088	Update.exe	C:\Users\admin\AppData\Local\Temp\_MEI50882\libffi-7.dll		executable
		MD5:6F818913FAFE8E4DF7FEDC46131F201F	SHA256:3F94EE4F23F6C7702AB0CC12995A6457BF22183FA828C30CC12288ADF153AE56
5088	Update.exe	C:\Users\admin\AppData\Local\Temp\_MEI50882\VCRUNTIME140.dll		executable
		MD5:F34EB034AA4A9735218686590CBA2E8B	SHA256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
5088	Update.exe	C:\Users\admin\AppData\Local\Temp\_MEI50882\_lzma.pyd		executable
		MD5:864B22495372FA4D8B18E1C535962AE2	SHA256:FC57BD20B6B128AFA5FAAAC1FD0CE783031FAAF39F71B58C9CACF87A16F3325F
5088	Update.exe	C:\Users\admin\AppData\Local\Temp\_MEI50882\_bz2.pyd		executable
		MD5:FBA120A94A072459011133DA3A989DB2	SHA256:055A93C8B127DC840AC40CA70D4B0246AC88C9CDE1EF99267BBE904086E0B7D3
5088	Update.exe	C:\Users\admin\AppData\Local\Temp\_MEI50882\base_library.zip		compressed
		MD5:C4989BCEB9E7E83078812C9532BAEEA7	SHA256:A0F5C7F0BAC1EA9DC86D60D20F903CC42CFF3F21737426D69D47909FC28B6DCD
5088	Update.exe	C:\Users\admin\AppData\Local\Temp\_MEI50882\sqlite3.dll		executable
		MD5:0C4996047B6EFDA770B03F8F231E39B8	SHA256:983F31BC687E0537D6028A9A65F4825CC560BBF3CB3EB0D3C0FCC2238219B5ED

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

102

DNS requests

123

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4168	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
3316	firefox.exe	POST	200	23.53.40.122:80	http://r10.o.lencr.org/	unknown	—	—	unknown
7360	SIHClient.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
2120	MoUsoCoreWorker.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3316	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	unknown	—	—	whitelisted
3316	firefox.exe	POST	200	23.53.40.123:80	http://r11.o.lencr.org/	unknown	—	—	unknown
7360	SIHClient.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
3316	firefox.exe	POST	200	142.250.186.35:80	http://o.pki.goog/s/wr3/XjA	unknown	—	—	unknown
3316	firefox.exe	POST	200	142.250.186.35:80	http://o.pki.goog/wr2	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5212	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	239.255.255.250:1900	—	—	—	whitelisted
3880	Update.exe	172.217.16.195:443	gstatic.com	GOOGLE	US	whitelisted
1116	bound.exe	172.217.16.195:443	gstatic.com	GOOGLE	US	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
7360	SIHClient.exe	20.114.59.183:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.124.78.146	whitelisted
www.microsoft.com	23.52.120.96	whitelisted
google.com	142.250.185.78	whitelisted
gstatic.com	172.217.16.195 142.250.186.35	whitelisted
slscr.update.microsoft.com	20.114.59.183	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted
login.live.com	40.126.32.68 20.190.160.14 20.190.160.20 40.126.32.76 40.126.32.136 40.126.32.138 40.126.32.133 40.126.32.140	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
detectportal.firefox.com	34.107.221.82	whitelisted
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
3880	Update.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
2256	svchost.exe	Misc activity	SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2256	svchost.exe	Misc activity	ET HUNTING Telegram API Domain in DNS Lookup
3880	Update.exe	A Network Trojan was detected	STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
2256	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
3880	Update.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
1116	bound.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
1116	bound.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
1116	bound.exe	A Network Trojan was detected	STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

Update.exe

663678DC0BEF5DB3D7CD0C78AEEA7625

0E5652D0E200EC9CC1F58CBDB40690E6F98A08D3

46A4D503B31F1DC54B9BEDA9A12D91B382BF491E7B354FFA3DF174050B96D799

98304:R6CGu8MFZlu/gbH90KU+meINVq6rtto10wFsBojI9tXBnFeVjRP3H8YHx9IqVpFk:94f9dPiZg+jkAOggemz5o+j

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

BlankGrabber has been detected

Adds path to the Windows Defender exclusion list

Antivirus name has been found in the command line (generic signature)

Create files in the Startup directory

Windows Defender preferences modified via 'Set-MpPreference'

Actions looks like stealing of personal data

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

DISCORDGRABBER has been detected (YARA)

GROWTOPIA has been detected (YARA)

Stealers network behavior

BLANKGRABBER has been detected (SURICATA)

Bypass User Account Control (ComputerDefaults)

Adds extension to the Windows Defender exclusion list

SUSPICIOUS

Executable content was dropped or overwritten

Starts a Microsoft application from unusual location

Reads security settings of Internet Explorer

The process drops C-runtime libraries

Process drops python dynamic module

Application launched itself

Loads Python modules

Reads the date of Windows installation

Process drops legitimate windows executable

Starts CMD.EXE for commands execution

The executable file from the user directory is run by the CMD process

Found strings related to reading or modifying Windows Defender settings

Starts POWERSHELL.EXE for commands execution

Script adds exclusion path to Windows Defender

Script disables Windows Defender's IPS

Script disables Windows Defender's real-time protection

Get information on the list of running processes

Uses WMIC.EXE to obtain Windows Installer data

Uses SYSTEMINFO.EXE to read the environment

Base64-obfuscated command line is found

BASE64 encoded PowerShell command has been detected

The process bypasses the loading of PowerShell profile settings

Uses NETSH.EXE to obtain data on the network

Starts application with an unusual extension

Accesses antivirus product name via WMI (SCRIPT)

Possible usage of Discord/Telegram API has been detected (YARA)

Uses WMIC.EXE to obtain operating system information

Uses WMIC.EXE to obtain computer system information

Uses WMIC.EXE to obtain a list of video controllers

Checks for external IP

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Potential Corporate Privacy Violation

Uses REG/REGEDIT.EXE to modify registry

Uses WEVTUTIL.EXE to query events from a log or log file

Script adds exclusion extension to Windows Defender

Starts SC.EXE for service management

Process uninstalls Windows update

Executes as Windows Service

Found regular expressions for crypto-addresses (YARA)

Drops a system driver (possible attempt to evade defenses)

INFO

Checks supported languages

Reads the computer name

Create files in a temporary directory

Reads the machine GUID from the registry

The process uses the downloaded file

Process checks computer location settings

Creates files in the program directory

The Powershell gets current clipboard

Reads security settings of Internet Explorer

PyInstaller has been detected (YARA)

Found Base64 encoded reflection usage via PowerShell (YARA)

Application launched itself