Malware analysis Update.exe Malicious activity | ANY.RUN

Add for printing

File name:	Update.exe
Full analysis:	https://app.any.run/tasks/0c9509f6-4598-4532-adee-62409a1159e1
Verdict:	Malicious activity
Threats:	Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 22, 2024, 14:20:48
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	pyinstaller growtopia stealer discordgrabber generic susp-powershell ims-api upx evasion blankgrabber telegram opendir python loader uac crypto-regex miner
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	663678DC0BEF5DB3D7CD0C78AEEA7625
SHA1:	0E5652D0E200EC9CC1F58CBDB40690E6F98A08D3
SHA256:	46A4D503B31F1DC54B9BEDA9A12D91B382BF491E7B354FFA3DF174050B96D799
SSDEEP:	98304:R6CGu8MFZlu/gbH90KU+meINVq6rtto10wFsBojI9tXBnFeVjRP3H8YHx9IqVpFk:94f9dPiZg+jkAOggemz5o+j

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- BlankGrabber has been detected
  - Update.exe (PID: 5088)
  - Update.exe (PID: 6764)
  - bound.exe (PID: 6680)
- Adds path to the Windows Defender exclusion list
  - Update.exe (PID: 3880)
  - cmd.exe (PID: 4540)
  - cmd.exe (PID: 2264)
  - cmd.exe (PID: 2508)
  - bound.exe (PID: 1116)
  - cmd.exe (PID: 7568)
  - cmd.exe (PID: 7492)
  - Update2.exe (PID: 8656)
  - cmd.exe (PID: 7836)
  - cmd.exe (PID: 7844)
  - cmd.exe (PID: 5984)
- Antivirus name has been found in the command line (generic signature)
  - cmd.exe (PID: 4048)
  - cmd.exe (PID: 7500)
  - MpCmdRun.exe (PID: 7956)
  - MpCmdRun.exe (PID: 8504)
  - cmd.exe (PID: 7336)
  - MpCmdRun.exe (PID: 6676)
- Create files in the Startup directory
  - Update.exe (PID: 3880)
  - bound.exe (PID: 1116)
- Windows Defender preferences modified via 'Set-MpPreference'
  - cmd.exe (PID: 4048)
  - cmd.exe (PID: 7500)
  - cmd.exe (PID: 7336)
- Actions looks like stealing of personal data
  - Update.exe (PID: 3880)
  - bound.exe (PID: 1116)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 7216)
  - powershell.exe (PID: 8356)
  - powershell.exe (PID: 7892)
- Changes powershell execution policy (Bypass)
  - cmd.exe (PID: 3324)
  - cmd.exe (PID: 6936)
  - cmd.exe (PID: 8380)
- DISCORDGRABBER has been detected (YARA)
  - Update.exe (PID: 3880)
  - Update2.exe (PID: 8656)
- GROWTOPIA has been detected (YARA)
  - Update.exe (PID: 3880)
  - Update2.exe (PID: 8656)
- Stealers network behavior
  - bound.exe (PID: 1116)
  - Update.exe (PID: 3880)
- BLANKGRABBER has been detected (SURICATA)
  - Update.exe (PID: 3880)
  - bound.exe (PID: 1116)
- Bypass User Account Control (ComputerDefaults)
  - ComputerDefaults.exe (PID: 6788)
- Adds extension to the Windows Defender exclusion list
  - Build.exe (PID: 7248)
  - nfblozsybbjy.exe (PID: 6684)
SUSPICIOUS
- Process drops legitimate windows executable
  - Update.exe (PID: 5088)
  - Update.exe (PID: 6764)
  - Update.exe (PID: 3880)
  - bound.exe (PID: 6680)
  - bound.exe (PID: 1116)
  - firefox.exe (PID: 3316)
  - Update2.exe (PID: 7660)
  - Update2.exe (PID: 7460)
  - Update2.exe (PID: 8656)
- The process drops C-runtime libraries
  - Update.exe (PID: 5088)
  - Update.exe (PID: 6764)
  - bound.exe (PID: 6680)
  - Update2.exe (PID: 7660)
  - Update2.exe (PID: 7460)
- Process drops python dynamic module
  - Update.exe (PID: 5088)
  - Update.exe (PID: 6764)
  - bound.exe (PID: 6680)
  - Update2.exe (PID: 7660)
  - Update2.exe (PID: 7460)
- Executable content was dropped or overwritten
  - Update.exe (PID: 5088)
  - Update.exe (PID: 6764)
  - Update.exe (PID: 3880)
  - bound.exe (PID: 6680)
  - bound.exe (PID: 1116)
  - csc.exe (PID: 7688)
  - csc.exe (PID: 8944)
  - Update2.exe (PID: 7660)
  - Update2.exe (PID: 7460)
  - Update2.exe (PID: 8656)
  - bound.exe (PID: 4976)
  - csc.exe (PID: 7860)
  - Build.exe (PID: 7248)
  - nfblozsybbjy.exe (PID: 6684)
- Starts a Microsoft application from unusual location
  - Update.exe (PID: 5088)
  - Update.exe (PID: 6548)
  - Update.exe (PID: 6764)
  - Update.exe (PID: 3880)
  - bound.exe (PID: 6680)
  - bound.exe (PID: 1116)
- Application launched itself
  - Update.exe (PID: 5088)
  - Update.exe (PID: 6548)
  - Update.exe (PID: 6764)
  - bound.exe (PID: 6680)
  - Update2.exe (PID: 7660)
  - Update2.exe (PID: 7460)
- Reads the date of Windows installation
  - Update.exe (PID: 6548)
- Loads Python modules
  - Update.exe (PID: 6548)
  - Update.exe (PID: 3880)
  - bound.exe (PID: 1116)
- Reads security settings of Internet Explorer
  - Update.exe (PID: 6548)
- Starts CMD.EXE for commands execution
  - Update.exe (PID: 3880)
  - bound.exe (PID: 1116)
  - Update2.exe (PID: 6404)
  - Update2.exe (PID: 8656)
  - Build.exe (PID: 7248)
  - nfblozsybbjy.exe (PID: 6684)
- Found strings related to reading or modifying Windows Defender settings
  - Update.exe (PID: 3880)
  - bound.exe (PID: 1116)
  - Update2.exe (PID: 6404)
  - Update2.exe (PID: 8656)
- The executable file from the user directory is run by the CMD process
  - bound.exe (PID: 6680)
  - rar.exe (PID: 8528)
  - rar.exe (PID: 7828)
  - bound.exe (PID: 4976)
  - rar.exe (PID: 6828)
- Script disables Windows Defender's real-time protection
  - cmd.exe (PID: 4048)
  - cmd.exe (PID: 7500)
  - cmd.exe (PID: 7336)
- Script disables Windows Defender's IPS
  - cmd.exe (PID: 4048)
  - cmd.exe (PID: 7500)
  - cmd.exe (PID: 7336)
- Script adds exclusion path to Windows Defender
  - cmd.exe (PID: 4540)
  - cmd.exe (PID: 2264)
  - cmd.exe (PID: 2508)
  - cmd.exe (PID: 7568)
  - cmd.exe (PID: 7492)
  - cmd.exe (PID: 7836)
  - cmd.exe (PID: 7844)
  - cmd.exe (PID: 5984)
  - Build.exe (PID: 7248)
  - nfblozsybbjy.exe (PID: 6684)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 4048)
  - cmd.exe (PID: 4540)
  - cmd.exe (PID: 2264)
  - cmd.exe (PID: 2508)
  - cmd.exe (PID: 6436)
  - cmd.exe (PID: 3324)
  - cmd.exe (PID: 7568)
  - cmd.exe (PID: 7492)
  - cmd.exe (PID: 7500)
  - cmd.exe (PID: 7944)
  - cmd.exe (PID: 6936)
  - cmd.exe (PID: 5000)
  - cmd.exe (PID: 4688)
  - cmd.exe (PID: 7864)
  - cmd.exe (PID: 1244)
  - cmd.exe (PID: 5248)
  - cmd.exe (PID: 7400)
  - cmd.exe (PID: 8656)
  - cmd.exe (PID: 8248)
  - cmd.exe (PID: 7836)
  - cmd.exe (PID: 7336)
  - cmd.exe (PID: 7844)
  - cmd.exe (PID: 5984)
  - cmd.exe (PID: 8228)
  - cmd.exe (PID: 8380)
  - cmd.exe (PID: 8036)
  - cmd.exe (PID: 4756)
  - Build.exe (PID: 7248)
  - cmd.exe (PID: 8408)
  - cmd.exe (PID: 2964)
  - nfblozsybbjy.exe (PID: 6684)
- Get information on the list of running processes
  - cmd.exe (PID: 1448)
  - Update.exe (PID: 3880)
  - cmd.exe (PID: 4680)
  - cmd.exe (PID: 6684)
  - bound.exe (PID: 1116)
  - cmd.exe (PID: 7764)
  - cmd.exe (PID: 7716)
  - cmd.exe (PID: 8164)
  - Update2.exe (PID: 8656)
  - cmd.exe (PID: 6224)
  - cmd.exe (PID: 5092)
  - cmd.exe (PID: 3548)
- Uses WMIC.EXE to obtain Windows Installer data
  - cmd.exe (PID: 5220)
  - cmd.exe (PID: 7924)
  - cmd.exe (PID: 5408)
  - cmd.exe (PID: 888)
  - cmd.exe (PID: 3696)
  - cmd.exe (PID: 9060)
- BASE64 encoded PowerShell command has been detected
  - cmd.exe (PID: 3324)
  - cmd.exe (PID: 6936)
  - cmd.exe (PID: 8380)
- Base64-obfuscated command line is found
  - cmd.exe (PID: 3324)
  - cmd.exe (PID: 6936)
  - cmd.exe (PID: 8380)
- The process bypasses the loading of PowerShell profile settings
  - cmd.exe (PID: 3324)
  - cmd.exe (PID: 6936)
  - cmd.exe (PID: 8380)
- Uses NETSH.EXE to obtain data on the network
  - cmd.exe (PID: 6312)
  - cmd.exe (PID: 6320)
  - cmd.exe (PID: 5532)
- Starts application with an unusual extension
  - cmd.exe (PID: 6596)
  - cmd.exe (PID: 7460)
  - cmd.exe (PID: 8100)
  - cmd.exe (PID: 7324)
  - cmd.exe (PID: 8588)
  - cmd.exe (PID: 9076)
  - cmd.exe (PID: 6592)
  - cmd.exe (PID: 8748)
  - cmd.exe (PID: 9012)
  - cmd.exe (PID: 8276)
  - cmd.exe (PID: 8560)
  - cmd.exe (PID: 9028)
  - cmd.exe (PID: 3356)
  - cmd.exe (PID: 864)
  - cmd.exe (PID: 3924)
  - cmd.exe (PID: 7312)
  - cmd.exe (PID: 8408)
  - cmd.exe (PID: 2144)
- Accesses antivirus product name via WMI (SCRIPT)
  - WMIC.exe (PID: 4780)
- Uses SYSTEMINFO.EXE to read the environment
  - cmd.exe (PID: 7076)
  - cmd.exe (PID: 6768)
  - cmd.exe (PID: 2040)
- Possible usage of Discord/Telegram API has been detected (YARA)
  - Update.exe (PID: 3880)
  - Update2.exe (PID: 8656)
- Uses WMIC.EXE to obtain operating system information
  - cmd.exe (PID: 7344)
  - cmd.exe (PID: 6728)
  - cmd.exe (PID: 3924)
- Uses WMIC.EXE to obtain computer system information
  - cmd.exe (PID: 5044)
  - cmd.exe (PID: 8336)
  - cmd.exe (PID: 8736)
- Checks for external IP
  - svchost.exe (PID: 2256)
  - Update.exe (PID: 3880)
  - bound.exe (PID: 1116)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - Update.exe (PID: 3880)
  - bound.exe (PID: 1116)
- Uses WMIC.EXE to obtain a list of video controllers
  - cmd.exe (PID: 9152)
  - cmd.exe (PID: 368)
  - cmd.exe (PID: 6956)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 7904)
  - cmd.exe (PID: 5000)
  - cmd.exe (PID: 4748)
- Uses WEVTUTIL.EXE to query events from a log or log file
  - cmd.exe (PID: 7544)
  - cmd.exe (PID: 2944)
- Potential Corporate Privacy Violation
  - firefox.exe (PID: 3316)
- Script adds exclusion extension to Windows Defender
  - Build.exe (PID: 7248)
  - nfblozsybbjy.exe (PID: 6684)
- Process uninstalls Windows update
  - wusa.exe (PID: 6152)
  - wusa.exe (PID: 8320)
- Found regular expressions for crypto-addresses (YARA)
  - lf6o4T3T.exe (PID: 7524)
- Starts SC.EXE for service management
  - Build.exe (PID: 7248)
  - nfblozsybbjy.exe (PID: 6684)
- Executes as Windows Service
  - nfblozsybbjy.exe (PID: 6684)
- Drops a system driver (possible attempt to evade defenses)
  - nfblozsybbjy.exe (PID: 6684)
INFO
- Reads the computer name
  - Update.exe (PID: 5088)
  - Update.exe (PID: 6548)
  - Update.exe (PID: 6764)
  - bound.exe (PID: 6680)
  - Update.exe (PID: 3880)
  - bound.exe (PID: 1116)
- Create files in a temporary directory
  - Update.exe (PID: 5088)
  - Update.exe (PID: 6548)
  - Update.exe (PID: 6764)
  - Update.exe (PID: 3880)
  - bound.exe (PID: 6680)
  - bound.exe (PID: 1116)
- Reads the machine GUID from the registry
  - Update.exe (PID: 6548)
  - Update.exe (PID: 3880)
  - bound.exe (PID: 1116)
- Checks supported languages
  - Update.exe (PID: 5088)
  - Update.exe (PID: 6548)
  - Update.exe (PID: 6764)
  - Update.exe (PID: 3880)
  - bound.exe (PID: 6680)
  - bound.exe (PID: 1116)
  - tree.com (PID: 7256)
  - tree.com (PID: 7856)
- The process uses the downloaded file
  - Update.exe (PID: 6548)
- Process checks computer location settings
  - Update.exe (PID: 6548)
- Creates files in the program directory
  - Update.exe (PID: 3880)
  - bound.exe (PID: 1116)
- The Powershell gets current clipboard
  - powershell.exe (PID: 6800)
  - powershell.exe (PID: 7476)
  - powershell.exe (PID: 5180)
- Reads security settings of Internet Explorer
  - WMIC.exe (PID: 4780)
- PyInstaller has been detected (YARA)
  - Update.exe (PID: 6764)
  - Update.exe (PID: 3880)
  - bound.exe (PID: 6680)
  - Update2.exe (PID: 7460)
  - Update2.exe (PID: 8656)
- Found Base64 encoded reflection usage via PowerShell (YARA)
  - Update.exe (PID: 3880)
  - Update2.exe (PID: 8656)
- UPX packer has been detected
  - Update.exe (PID: 3880)
  - Update2.exe (PID: 8656)
- Displays MAC addresses of computer network adapters
  - getmac.exe (PID: 8640)
  - getmac.exe (PID: 5044)
  - getmac.exe (PID: 8164)
- Manual execution by a user
  - firefox.exe (PID: 6756)
- Application launched itself
  - firefox.exe (PID: 6756)
  - firefox.exe (PID: 3316)
- Executable content was dropped or overwritten
  - firefox.exe (PID: 3316)
- Attempting to use instant messaging service
  - Update.exe (PID: 3880)
  - svchost.exe (PID: 2256)
  - bound.exe (PID: 1116)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2024:09:18 17:35:55+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.4
CodeSize:	172032
InitializedDataSize:	94208
UninitializedDataSize:	-
EntryPoint:	0xcdb0
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	10.0.14393.0
ProductVersionNumber:	10.0.14393.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Microsoft\fsavailux
FileVersion:	10.0.14393.0 (rs1_release.160715-1616)
InternalName:	fsavailux.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	fsavailux.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	10.0.14393.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

479

Monitored processes

350

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

360

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

368

C:\WINDOWS\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\cmd.exe

—

bound.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

644

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

864

C:\WINDOWS\system32\cmd.exe /c "tree /A /F"

C:\Windows\System32\cmd.exe

—

Update2.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

888

C:\WINDOWS\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\cmd.exe

—

bound.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

1116

bound.exe

C:\Users\admin\AppData\Local\Temp\bound.exe

bound.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

DirectPlay Stub

Exit code:

Version:

10.0.14393.0 (rs1_release.160715-1616)

Modules

Images
c:\users\admin\appdata\local\temp\bound.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

1124

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

1128

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\System32\wbem\WMIC.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

WMI Commandline Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

1148

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1244

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

Add for printing

Total events

140 473

Read events

140 457

Write events

Delete events

Modification events


(PID) Process:	(3880) Update.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib
Operation:	write	Name:	1280x720x32(BGR 0)
Value: 31,31,31,31
(PID) Process:	(8800) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdHigh
Value: 31132922
(PID) Process:	(8800) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdLow
Value:
(PID) Process:	(3316) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0
(PID) Process:	(3316) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(7548) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:	write	Name:	DelegateExecute
Value:
(PID) Process:	(6788) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(6788) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6788) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6788) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

Add for printing

Executable files

107

Suspicious files

235

Text files

220

Unknown types

Dropped files

PID	Process	Filename		Type
5088	Update.exe	C:\Users\admin\AppData\Local\Temp\_MEI50882\bound.blank		—
		MD5:—	SHA256:—
5088	Update.exe	C:\Users\admin\AppData\Local\Temp\_MEI50882\VCRUNTIME140.dll		executable
		MD5:F34EB034AA4A9735218686590CBA2E8B	SHA256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
5088	Update.exe	C:\Users\admin\AppData\Local\Temp\_MEI50882\_lzma.pyd		executable
		MD5:864B22495372FA4D8B18E1C535962AE2	SHA256:FC57BD20B6B128AFA5FAAAC1FD0CE783031FAAF39F71B58C9CACF87A16F3325F
5088	Update.exe	C:\Users\admin\AppData\Local\Temp\_MEI50882\_queue.pyd		executable
		MD5:BEBC7743E8AF7A812908FCB4CDD39168	SHA256:CC275B2B053410C6391339149BAF5B58DF121A915D18B889F184BE02BEDAF9BC
5088	Update.exe	C:\Users\admin\AppData\Local\Temp\_MEI50882\_bz2.pyd		executable
		MD5:FBA120A94A072459011133DA3A989DB2	SHA256:055A93C8B127DC840AC40CA70D4B0246AC88C9CDE1EF99267BBE904086E0B7D3
5088	Update.exe	C:\Users\admin\AppData\Local\Temp\_MEI50882\_socket.pyd		executable
		MD5:49F87AEC74FEA76792972022F6715C4D	SHA256:5D8C8186DF42633679D6236C1FEBF93DB26405C1706F9B5D767FEAB440EA38B0
5088	Update.exe	C:\Users\admin\AppData\Local\Temp\_MEI50882\_hashlib.pyd		executable
		MD5:659A5EFA39A45C204ADA71E1660A7226	SHA256:B16C0CC3BAA67246D8F44138C6105D66538E54D0AFB999F446CAE58AC83EF078
5088	Update.exe	C:\Users\admin\AppData\Local\Temp\_MEI50882\_ssl.pyd		executable
		MD5:9A7AB96204E505C760921B98E259A572	SHA256:CAE09BBBB12AA339FD9226698E7C7F003A26A95390C7DC3A2D71A1E540508644
5088	Update.exe	C:\Users\admin\AppData\Local\Temp\_MEI50882\_sqlite3.pyd		executable
		MD5:70A7050387359A0FAB75B042256B371F	SHA256:E168A1E229F57248253EAD19F60802B25DC0DBC717C9776E157B8878D2CA4F3D
5088	Update.exe	C:\Users\admin\AppData\Local\Temp\_MEI50882\python310.dll		executable
		MD5:4A6AFA2200B1918C413D511C5A3C041C	SHA256:BEC187F608507B57CF0475971BA646B8AB42288AF8FDCF78BCE25F1D8C84B1DA

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

102

DNS requests

123

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3316	firefox.exe	POST	200	23.53.40.122:80	http://r10.o.lencr.org/	unknown	—	—	unknown
3316	firefox.exe	POST	200	23.53.40.122:80	http://r10.o.lencr.org/	unknown	—	—	unknown
3316	firefox.exe	POST	200	23.53.40.123:80	http://r11.o.lencr.org/	unknown	—	—	unknown
2120	MoUsoCoreWorker.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7360	SIHClient.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
3316	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	—	—	whitelisted
7360	SIHClient.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
4168	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
3316	firefox.exe	POST	200	23.53.40.123:80	http://r11.o.lencr.org/	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5212	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	239.255.255.250:1900	—	—	—	whitelisted
3880	Update.exe	172.217.16.195:443	gstatic.com	GOOGLE	US	whitelisted
1116	bound.exe	172.217.16.195:443	gstatic.com	GOOGLE	US	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
7360	SIHClient.exe	20.114.59.183:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.124.78.146	whitelisted
www.microsoft.com	23.52.120.96	whitelisted
google.com	142.250.185.78	whitelisted
gstatic.com	172.217.16.195 142.250.186.35	whitelisted
slscr.update.microsoft.com	20.114.59.183	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted
login.live.com	40.126.32.68 20.190.160.14 20.190.160.20 40.126.32.76 40.126.32.136 40.126.32.138 40.126.32.133 40.126.32.140	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
detectportal.firefox.com	34.107.221.82	whitelisted
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
3880	Update.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
2256	svchost.exe	Misc activity	SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2256	svchost.exe	Misc activity	ET HUNTING Telegram API Domain in DNS Lookup
3880	Update.exe	A Network Trojan was detected	STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
2256	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
3880	Update.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
1116	bound.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
1116	bound.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
1116	bound.exe	A Network Trojan was detected	STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

Update.exe

663678DC0BEF5DB3D7CD0C78AEEA7625

0E5652D0E200EC9CC1F58CBDB40690E6F98A08D3

46A4D503B31F1DC54B9BEDA9A12D91B382BF491E7B354FFA3DF174050B96D799

98304:R6CGu8MFZlu/gbH90KU+meINVq6rtto10wFsBojI9tXBnFeVjRP3H8YHx9IqVpFk:94f9dPiZg+jkAOggemz5o+j

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

BlankGrabber has been detected

Adds path to the Windows Defender exclusion list

Antivirus name has been found in the command line (generic signature)

Create files in the Startup directory

Windows Defender preferences modified via 'Set-MpPreference'

Actions looks like stealing of personal data

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

DISCORDGRABBER has been detected (YARA)

GROWTOPIA has been detected (YARA)

Stealers network behavior

BLANKGRABBER has been detected (SURICATA)

Bypass User Account Control (ComputerDefaults)

Adds extension to the Windows Defender exclusion list

SUSPICIOUS

Process drops legitimate windows executable

The process drops C-runtime libraries

Process drops python dynamic module

Executable content was dropped or overwritten

Starts a Microsoft application from unusual location

Application launched itself

Reads the date of Windows installation

Loads Python modules

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Found strings related to reading or modifying Windows Defender settings

The executable file from the user directory is run by the CMD process

Script disables Windows Defender's real-time protection

Script disables Windows Defender's IPS

Script adds exclusion path to Windows Defender

Starts POWERSHELL.EXE for commands execution

Get information on the list of running processes

Uses WMIC.EXE to obtain Windows Installer data

BASE64 encoded PowerShell command has been detected

Base64-obfuscated command line is found

The process bypasses the loading of PowerShell profile settings

Uses NETSH.EXE to obtain data on the network

Starts application with an unusual extension

Accesses antivirus product name via WMI (SCRIPT)

Uses SYSTEMINFO.EXE to read the environment

Possible usage of Discord/Telegram API has been detected (YARA)

Uses WMIC.EXE to obtain operating system information

Uses WMIC.EXE to obtain computer system information

Checks for external IP

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Uses WMIC.EXE to obtain a list of video controllers

Uses REG/REGEDIT.EXE to modify registry

Uses WEVTUTIL.EXE to query events from a log or log file

Potential Corporate Privacy Violation

Script adds exclusion extension to Windows Defender

Process uninstalls Windows update

Found regular expressions for crypto-addresses (YARA)

Starts SC.EXE for service management

Executes as Windows Service

Drops a system driver (possible attempt to evade defenses)

INFO

Reads the computer name

Create files in a temporary directory

Reads the machine GUID from the registry

Checks supported languages

The process uses the downloaded file

Process checks computer location settings

Creates files in the program directory

The Powershell gets current clipboard

Reads security settings of Internet Explorer

PyInstaller has been detected (YARA)

Found Base64 encoded reflection usage via PowerShell (YARA)

UPX packer has been detected