Malware analysis 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe Malicious activity

Add for printing

File name:	4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe
Full analysis:	https://app.any.run/tasks/f159bab4-bb3a-49ef-ae36-8c77fa7aa13c
Verdict:	Malicious activity
Threats:	Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks. NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 15, 2025, 18:44:48
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto rat nanocore blankgrabber uac stealer screenshot evasion discord
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:	026D70289A8B08A723428066E684329A
SHA1:	52E7F92BE6790ECE33E048C0376ADC7DC5EC0C49
SHA256:	4ABD471A2F7D3C996FB77F4EB35B9C2AB10A917B404A5A97866C61D3A03D3504
SSDEEP:	98304:g1T2QUyyxcXL+aw10YPfpqt3/bqpuzBytQfATlYhIZaHKK/IDPt5P/4mPpnMDLfQ:XYcN244a+nw29ekdN18h

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- NANOCORE has been found (auto)
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 7020)
- Executing a file with an untrusted certificate
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 7020)
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 6816)
- BlankGrabber has been detected
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 7020)
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 6816)
- Bypass User Account Control (Modify registry)
  - reg.exe (PID: 4608)
- Bypass User Account Control (ComputerDefaults)
  - ComputerDefaults.exe (PID: 1812)
- Adds path to the Windows Defender exclusion list
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 2100)
  - cmd.exe (PID: 6572)
  - cmd.exe (PID: 3676)
- Antivirus name has been found in the command line (generic signature)
  - cmd.exe (PID: 4880)
- Changes Windows Defender settings
  - cmd.exe (PID: 6572)
  - cmd.exe (PID: 3676)
  - cmd.exe (PID: 4880)
- Changes settings for real-time protection
  - powershell.exe (PID: 4228)
- Changes settings for sending potential threat samples to Microsoft servers
  - powershell.exe (PID: 4228)
- Changes settings for reporting to Microsoft Active Protection Service (MAPS)
  - powershell.exe (PID: 4228)
- Changes Controlled Folder Access settings
  - powershell.exe (PID: 4228)
- Changes settings for protection against network attacks (IPS)
  - powershell.exe (PID: 4228)
- Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)
  - powershell.exe (PID: 4228)
- Changes settings for checking scripts for malicious actions
  - powershell.exe (PID: 4228)
- Steals credentials from Web Browsers
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 2100)
- Actions looks like stealing of personal data
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 2100)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 7588)
- Changes powershell execution policy (Bypass)
  - cmd.exe (PID: 7248)
- Changes the autorun value in the registry
  - bound.exe (PID: 1012)
- BLANKGRABBER has been detected (SURICATA)
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 2100)
- Resets Windows Defender malware definitions to the base version
  - MpCmdRun.exe (PID: 1132)
SUSPICIOUS
- Starts a Microsoft application from unusual location
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 7020)
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 6964)
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 6816)
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 2100)
- Process drops legitimate windows executable
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 7020)
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 6816)
- Executable content was dropped or overwritten
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 7020)
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 6816)
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 2100)
  - bound.exe (PID: 1012)
  - csc.exe (PID: 5048)
- Process drops python dynamic module
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 7020)
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 6816)
- Application launched itself
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 7020)
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 6816)
- The process drops C-runtime libraries
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 7020)
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 6816)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 5400)
  - cmd.exe (PID: 1240)
  - cmd.exe (PID: 2320)
- Starts CMD.EXE for commands execution
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 6964)
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 2100)
- Changes default file association
  - reg.exe (PID: 4608)
- Found strings related to reading or modifying Windows Defender settings
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 6964)
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 2100)
- Uses WEVTUTIL.EXE to query events from a log or log file
  - cmd.exe (PID: 856)
  - cmd.exe (PID: 3240)
- Script adds exclusion path to Windows Defender
  - cmd.exe (PID: 6572)
  - cmd.exe (PID: 3676)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 3676)
  - cmd.exe (PID: 6572)
  - cmd.exe (PID: 4880)
  - cmd.exe (PID: 6712)
  - cmd.exe (PID: 7248)
  - cmd.exe (PID: 4164)
  - cmd.exe (PID: 2332)
  - cmd.exe (PID: 7604)
  - cmd.exe (PID: 7324)
- Script disables Windows Defender's IPS
  - cmd.exe (PID: 4880)
- The executable file from the user directory is run by the CMD process
  - bound.exe (PID: 1012)
  - rar.exe (PID: 2416)
- Get information on the list of running processes
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 2100)
  - cmd.exe (PID: 4300)
  - cmd.exe (PID: 4428)
  - cmd.exe (PID: 5084)
- Script disables Windows Defender's real-time protection
  - cmd.exe (PID: 4880)
- The process bypasses the loading of PowerShell profile settings
  - cmd.exe (PID: 7248)
- BASE64 encoded PowerShell command has been detected
  - cmd.exe (PID: 7248)
- Base64-obfuscated command line is found
  - cmd.exe (PID: 7248)
- Uses SYSTEMINFO.EXE to read the environment
  - cmd.exe (PID: 7176)
- Uses WMIC.EXE to obtain Windows Installer data
  - cmd.exe (PID: 3896)
  - cmd.exe (PID: 7784)
- Uses NETSH.EXE to obtain data on the network
  - cmd.exe (PID: 3100)
- Starts application with an unusual extension
  - cmd.exe (PID: 5892)
  - cmd.exe (PID: 8088)
  - cmd.exe (PID: 7320)
  - cmd.exe (PID: 7336)
  - cmd.exe (PID: 8128)
  - cmd.exe (PID: 7372)
- Accesses antivirus product name via WMI (SCRIPT)
  - WMIC.exe (PID: 7744)
- The process creates files with name similar to system file names
  - bound.exe (PID: 1012)
- Captures screenshot (POWERSHELL)
  - powershell.exe (PID: 7588)
- CSC.EXE is used to compile C# code
  - csc.exe (PID: 5048)
- Uses WMIC.EXE to obtain a list of video controllers
  - cmd.exe (PID: 668)
- Checks for external IP
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 2100)
  - svchost.exe (PID: 2196)
- Uses WMIC.EXE to obtain operating system information
  - cmd.exe (PID: 8132)
- Uses WMIC.EXE to obtain computer system information
  - cmd.exe (PID: 7908)
- Connects to unusual port
  - bound.exe (PID: 1012)
INFO
- Checks supported languages
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 7020)
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 6964)
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 6816)
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 2100)
  - bound.exe (PID: 1012)
  - tree.com (PID: 7724)
  - tree.com (PID: 8156)
  - tree.com (PID: 8120)
  - tree.com (PID: 7208)
  - tree.com (PID: 8176)
  - tree.com (PID: 7596)
  - csc.exe (PID: 5048)
  - cvtres.exe (PID: 2416)
- The sample compiled with english language support
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 7020)
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 6816)
- Reads the computer name
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 7020)
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 6816)
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 2100)
  - bound.exe (PID: 1012)
- Create files in a temporary directory
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 7020)
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 6964)
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 2100)
  - 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe (PID: 6816)
  - cvtres.exe (PID: 2416)
  - csc.exe (PID: 5048)
- Reads security settings of Internet Explorer
  - ComputerDefaults.exe (PID: 1812)
  - WMIC.exe (PID: 7744)
- The Powershell gets current clipboard
  - powershell.exe (PID: 7516)
- Checks the directory tree
  - tree.com (PID: 7724)
  - tree.com (PID: 8156)
  - tree.com (PID: 7208)
  - tree.com (PID: 8120)
  - tree.com (PID: 7596)
  - tree.com (PID: 8176)
- Creates files or folders in the user directory
  - bound.exe (PID: 1012)
- Process checks whether UAC notifications are on
  - bound.exe (PID: 1012)
- Reads the machine GUID from the registry
  - bound.exe (PID: 1012)
  - csc.exe (PID: 5048)
- Creates files in the program directory
  - bound.exe (PID: 1012)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 7772)
  - powershell.exe (PID: 7668)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 6372)
  - powershell.exe (PID: 4228)
  - powershell.exe (PID: 960)
- Displays MAC addresses of computer network adapters
  - getmac.exe (PID: 812)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2025:04:07 16:03:45+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.42
CodeSize:	173568
InitializedDataSize:	95232
UninitializedDataSize:	-
EntryPoint:	0xce20
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	10.0.19041.1
ProductVersionNumber:	10.0.19041.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	MultiUser Query Utility
FileVersion:	10.0.19041.1 (WinBuild.160101.0800)
InternalName:	query
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	query.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	10.0.19041.1

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

250

Monitored processes

119

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

668

C:\WINDOWS\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\cmd.exe

—

4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

812

getmac

C:\Windows\System32\getmac.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Displays NIC MAC information

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\getmac.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

856

C:\WINDOWS\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text"

C:\Windows\System32\cmd.exe

—

4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

856

computerdefaults --nouacbypass

C:\Windows\System32\ComputerDefaults.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Set Program Access and Computer Defaults Control Panel

Exit code:

3221226540

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\computerdefaults.exe
c:\windows\system32\ntdll.dll

960

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

960

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\Temp\bound.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1012

bound.exe

C:\Users\admin\AppData\Local\Temp\bound.exe

cmd.exe

User:

admin

Integrity Level:

HIGH

Modules

Images
c:\users\admin\appdata\local\temp\bound.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

1096

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1096

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1132

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

C:\Program Files\Windows Defender\MpCmdRun.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Malware Protection Command Line Utility

Exit code:

Version:

4.18.1909.6 (WinBuild.160101.0800)

Modules

Images
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll

Add for printing

Total events

60 566

Read events

60 552

Write events

Delete events

Modification events


(PID) Process:	(4608) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:	write	Name:	DelegateExecute
Value:
(PID) Process:	(1812) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(1812) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(1812) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1812) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2136) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(2136) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(2136) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(2136) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(2100) 4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib
Operation:	write	Name:	1280x720x32(BGR 0)
Value: 31,31,31,31

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7020	4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe	C:\Users\admin\AppData\Local\Temp\_MEI70202\_bz2.pyd		executable
		MD5:94309558EB827E8315D0F201BBE7F2B1	SHA256:7857736CEFD36B645191871F7D7C9256E1C940788CC1978609248B562E8B40D4
7020	4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe	C:\Users\admin\AppData\Local\Temp\_MEI70202\_ctypes.pyd		executable
		MD5:FC40D41AFF12417142C0256E536B4A1A	SHA256:1846030E35037D8CBAACB640FA9AC99AF5D26C0AADC09E3C2AF04DB7CA7909DC
7020	4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe	C:\Users\admin\AppData\Local\Temp\_MEI70202\VCRUNTIME140.dll		executable
		MD5:862F820C3251E4CA6FC0AC00E4092239	SHA256:36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
7020	4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe	C:\Users\admin\AppData\Local\Temp\_MEI70202\rarreg.key		text
		MD5:4531984CAD7DACF24C086830068C4ABE	SHA256:58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
7020	4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe	C:\Users\admin\AppData\Local\Temp\_MEI70202\libffi-8.dll		executable
		MD5:08B000C3D990BC018FCB91A1E175E06E	SHA256:135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
7020	4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe	C:\Users\admin\AppData\Local\Temp\_MEI70202\libcrypto-3.dll		executable
		MD5:8377FE5949527DD7BE7B827CB1FFD324	SHA256:88E8AA1C816E9F03A3B589C7028319EF456F72ADB86C9DDCA346258B6B30402D
7020	4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe	C:\Users\admin\AppData\Local\Temp\_MEI70202\select.pyd		executable
		MD5:FBB31CB3990B267F9C5FB02D1AA21229	SHA256:3DC76F0FE7B46491914B75CC4DBFDFF06C571922E7021D975B6A37DF9B28E56A
7020	4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe	C:\Users\admin\AppData\Local\Temp\_MEI70202\libssl-3.dll		executable
		MD5:B2E766F5CF6F9D4DCBE8537BC5BDED2F	SHA256:3CC6828E7047C6A7EFF517AA434403EA42128C8595BF44126765B38200B87CE4
7020	4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe	C:\Users\admin\AppData\Local\Temp\_MEI70202\rar.exe		executable
		MD5:9C223575AE5B9544BC3D69AC6364F75E	SHA256:90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
7020	4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe	C:\Users\admin\AppData\Local\Temp\_MEI70202\_hashlib.pyd		executable
		MD5:933A6A12D695C7D91EF78A936AB229C7	SHA256:0D969EEC2E3931794F7349019B32EC80055414B80010BE3A6BA42A99B3319850

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	23.48.23.138:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7696	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7696	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6268	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	—	—	whitelisted
6268	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2100	4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/?fields=225545	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5496	MoUsoCoreWorker.exe	23.48.23.138:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5496	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
2100	4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe	142.250.186.131:443	gstatic.com	GOOGLE	US	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
7696	SIHClient.exe	4.245.163.56:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7696	SIHClient.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
7696	SIHClient.exe	13.85.23.206:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.186.110	whitelisted
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208	whitelisted
crl.microsoft.com	23.48.23.138 23.48.23.141 23.48.23.194 23.48.23.150 23.48.23.140 23.48.23.156 23.48.23.139 23.48.23.147 23.48.23.159	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
gstatic.com	142.250.186.131	whitelisted
slscr.update.microsoft.com	4.245.163.56	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
saw-bm.gl.at.ply.gg	147.185.221.17	unknown
detectportal.firefox.com	34.107.221.82	whitelisted

Threats

PID	Process	Class	Message
1012	bound.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg)
1012	bound.exe	Potentially Bad Traffic	ET INFO playit .gg Tunneling Domain in DNS Lookup
1012	bound.exe	Misc activity	ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
2196	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2196	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2196	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
2100	4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
2100	4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
2100	4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
2100	4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe	A Network Trojan was detected	STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check

Add for printing

No debug info

General Info

4abd471a2f7d3c996fb77f4eb35b9c2ab10a917b404a5a97866c61d3a03d3504.exe

026D70289A8B08A723428066E684329A

52E7F92BE6790ECE33E048C0376ADC7DC5EC0C49

4ABD471A2F7D3C996FB77F4EB35B9C2AB10A917B404A5A97866C61D3A03D3504

98304:g1T2QUyyxcXL+aw10YPfpqt3/bqpuzBytQfATlYhIZaHKK/IDPt5P/4mPpnMDLfQ:XYcN244a+nw29ekdN18h

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

NANOCORE has been found (auto)

Executing a file with an untrusted certificate

BlankGrabber has been detected

Bypass User Account Control (Modify registry)

Bypass User Account Control (ComputerDefaults)

Adds path to the Windows Defender exclusion list

Antivirus name has been found in the command line (generic signature)

Changes Windows Defender settings

Changes settings for real-time protection

Changes settings for sending potential threat samples to Microsoft servers

Changes settings for reporting to Microsoft Active Protection Service (MAPS)

Changes Controlled Folder Access settings

Changes settings for protection against network attacks (IPS)

Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

Changes settings for checking scripts for malicious actions

Steals credentials from Web Browsers

Actions looks like stealing of personal data

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

Changes the autorun value in the registry

BLANKGRABBER has been detected (SURICATA)

Resets Windows Defender malware definitions to the base version

SUSPICIOUS

Starts a Microsoft application from unusual location

Process drops legitimate windows executable

Executable content was dropped or overwritten

Process drops python dynamic module

Application launched itself

The process drops C-runtime libraries

Uses REG/REGEDIT.EXE to modify registry

Starts CMD.EXE for commands execution

Changes default file association

Found strings related to reading or modifying Windows Defender settings

Uses WEVTUTIL.EXE to query events from a log or log file

Script adds exclusion path to Windows Defender

Starts POWERSHELL.EXE for commands execution

Script disables Windows Defender's IPS

The executable file from the user directory is run by the CMD process

Get information on the list of running processes

Script disables Windows Defender's real-time protection

The process bypasses the loading of PowerShell profile settings

BASE64 encoded PowerShell command has been detected

Base64-obfuscated command line is found

Uses SYSTEMINFO.EXE to read the environment

Uses WMIC.EXE to obtain Windows Installer data

Uses NETSH.EXE to obtain data on the network

Starts application with an unusual extension

Accesses antivirus product name via WMI (SCRIPT)

The process creates files with name similar to system file names

Captures screenshot (POWERSHELL)

CSC.EXE is used to compile C# code

Uses WMIC.EXE to obtain a list of video controllers

Checks for external IP

Uses WMIC.EXE to obtain operating system information

Uses WMIC.EXE to obtain computer system information

Connects to unusual port

INFO

Checks supported languages

The sample compiled with english language support

Reads the computer name

Create files in a temporary directory

Reads security settings of Internet Explorer

The Powershell gets current clipboard

Checks the directory tree

Creates files or folders in the user directory

Process checks whether UAC notifications are on

Reads the machine GUID from the registry

Creates files in the program directory