Malware analysis Awp.exe Malicious activity | ANY.RUN

Add for printing

File name:	Awp.exe
Full analysis:	https://app.any.run/tasks/8e7bab5b-0480-47dd-84df-bcd2daa918f0
Verdict:	Malicious activity
Threats:	Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 17, 2025, 17:18:22
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	uac blankgrabber evasion stealer screenshot discord
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:	D524F4B58152463D7C54DCA9B1490557
SHA1:	5B4C904085B9AFA46BB103E46B42FBF5ED5E9EF8
SHA256:	C80C2D3E8D88F24336558C27649A587054A4344EA45F21F7FBB4545077C1FA0B
SSDEEP:	98304:j/0CLb/aohQRoomUyepmSPy4OuqOVCDmTaEucoHjCU1TruJkKfEIIWaudxNtImIk:vh+Snecvsj96MybKl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Executing a file with an untrusted certificate
  - Awp.exe (PID: 5256)
  - Awp.exe (PID: 2384)
  - Awp.exe (PID: 4428)
  - Awp.exe (PID: 2108)
- BlankGrabber has been detected
  - Awp.exe (PID: 5256)
  - Awp.exe (PID: 4428)
- Bypass User Account Control (ComputerDefaults)
  - ComputerDefaults.exe (PID: 5344)
- Bypass User Account Control (Modify registry)
  - reg.exe (PID: 6800)
- Adds path to the Windows Defender exclusion list
  - Awp.exe (PID: 2108)
  - cmd.exe (PID: 5556)
- Antivirus name has been found in the command line (generic signature)
  - cmd.exe (PID: 1452)
- Changes settings for sending potential threat samples to Microsoft servers
  - powershell.exe (PID: 2236)
- Changes Windows Defender settings
  - cmd.exe (PID: 5556)
  - cmd.exe (PID: 1452)
- Changes settings for real-time protection
  - powershell.exe (PID: 2236)
- Changes settings for reporting to Microsoft Active Protection Service (MAPS)
  - powershell.exe (PID: 2236)
- Changes settings for protection against network attacks (IPS)
  - powershell.exe (PID: 2236)
- Changes settings for checking scripts for malicious actions
  - powershell.exe (PID: 2236)
- Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)
  - powershell.exe (PID: 2236)
- Changes Controlled Folder Access settings
  - powershell.exe (PID: 2236)
- Steals credentials from Web Browsers
  - Awp.exe (PID: 2108)
- Actions looks like stealing of personal data
  - Awp.exe (PID: 2108)
- Changes powershell execution policy (Bypass)
  - cmd.exe (PID: 8052)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 8152)
- Resets Windows Defender malware definitions to the base version
  - MpCmdRun.exe (PID: 7288)
- BLANKGRABBER has been detected (SURICATA)
  - Awp.exe (PID: 2108)
SUSPICIOUS
- Executable content was dropped or overwritten
  - Awp.exe (PID: 5256)
  - Awp.exe (PID: 4428)
  - csc.exe (PID: 7864)
- Starts a Microsoft application from unusual location
  - Awp.exe (PID: 5256)
  - Awp.exe (PID: 2384)
  - Awp.exe (PID: 4428)
  - Awp.exe (PID: 2108)
- Process drops python dynamic module
  - Awp.exe (PID: 5256)
  - Awp.exe (PID: 4428)
- Process drops legitimate windows executable
  - Awp.exe (PID: 5256)
  - Awp.exe (PID: 4428)
- The process drops C-runtime libraries
  - Awp.exe (PID: 5256)
  - Awp.exe (PID: 4428)
- Application launched itself
  - Awp.exe (PID: 5256)
  - Awp.exe (PID: 4428)
- Starts CMD.EXE for commands execution
  - Awp.exe (PID: 2384)
  - Awp.exe (PID: 2108)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 1452)
  - cmd.exe (PID: 5112)
  - cmd.exe (PID: 536)
- Changes default file association
  - reg.exe (PID: 6800)
- Found strings related to reading or modifying Windows Defender settings
  - Awp.exe (PID: 2384)
  - Awp.exe (PID: 2108)
- Uses WEVTUTIL.EXE to query events from a log or log file
  - cmd.exe (PID: 5404)
  - cmd.exe (PID: 5116)
- Get information on the list of running processes
  - Awp.exe (PID: 2108)
  - cmd.exe (PID: 4988)
  - cmd.exe (PID: 7648)
  - cmd.exe (PID: 7792)
  - cmd.exe (PID: 7612)
- Script disables Windows Defender's IPS
  - cmd.exe (PID: 1452)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 5556)
  - cmd.exe (PID: 1452)
  - cmd.exe (PID: 7752)
  - cmd.exe (PID: 8052)
  - cmd.exe (PID: 8128)
  - cmd.exe (PID: 1096)
  - cmd.exe (PID: 8092)
  - cmd.exe (PID: 7260)
- Script adds exclusion path to Windows Defender
  - cmd.exe (PID: 5556)
- Accesses product unique identifier via WMI (SCRIPT)
  - WMIC.exe (PID: 7228)
  - WMIC.exe (PID: 8004)
- Script disables Windows Defender's real-time protection
  - cmd.exe (PID: 1452)
- Executes JavaScript directly as a command
  - cmd.exe (PID: 6476)
- Uses WMIC.EXE to obtain Windows Installer data
  - cmd.exe (PID: 7204)
  - cmd.exe (PID: 7700)
  - cmd.exe (PID: 7664)
- Uses WMIC.EXE to obtain a list of video controllers
  - cmd.exe (PID: 7416)
  - cmd.exe (PID: 7484)
  - cmd.exe (PID: 1760)
- Accesses video controller name via WMI (SCRIPT)
  - WMIC.exe (PID: 7440)
  - WMIC.exe (PID: 7508)
  - WMIC.exe (PID: 7356)
- Uses NETSH.EXE to obtain data on the network
  - cmd.exe (PID: 7912)
- Uses SYSTEMINFO.EXE to read the environment
  - cmd.exe (PID: 7956)
- BASE64 encoded PowerShell command has been detected
  - cmd.exe (PID: 8052)
- Starts application with an unusual extension
  - cmd.exe (PID: 7864)
  - cmd.exe (PID: 7276)
  - cmd.exe (PID: 7332)
  - cmd.exe (PID: 7456)
  - cmd.exe (PID: 7536)
  - cmd.exe (PID: 7484)
- Accesses antivirus product name via WMI (SCRIPT)
  - WMIC.exe (PID: 7776)
- Base64-obfuscated command line is found
  - cmd.exe (PID: 8052)
- The process bypasses the loading of PowerShell profile settings
  - cmd.exe (PID: 8052)
- Checks for external IP
  - Awp.exe (PID: 2108)
  - svchost.exe (PID: 2196)
- CSC.EXE is used to compile C# code
  - csc.exe (PID: 7864)
- The executable file from the user directory is run by the CMD process
  - rar.exe (PID: 6872)
- Captures screenshot (POWERSHELL)
  - powershell.exe (PID: 8152)
- Accesses operating system name via WMI (SCRIPT)
  - WMIC.exe (PID: 7808)
- Uses WMIC.EXE to obtain computer system information
  - cmd.exe (PID: 7476)
- Uses WMIC.EXE to obtain operating system information
  - cmd.exe (PID: 5344)
INFO
- Checks supported languages
  - Awp.exe (PID: 5256)
  - Awp.exe (PID: 2384)
  - Awp.exe (PID: 4428)
  - Awp.exe (PID: 2108)
  - tree.com (PID: 8100)
  - tree.com (PID: 7404)
  - tree.com (PID: 7220)
  - tree.com (PID: 7428)
  - tree.com (PID: 7516)
  - tree.com (PID: 7988)
  - csc.exe (PID: 7864)
  - cvtres.exe (PID: 7708)
  - rar.exe (PID: 6872)
  - MpCmdRun.exe (PID: 7288)
- The sample compiled with english language support
  - Awp.exe (PID: 5256)
  - Awp.exe (PID: 4428)
- Reads the computer name
  - Awp.exe (PID: 5256)
  - Awp.exe (PID: 4428)
  - Awp.exe (PID: 2108)
  - MpCmdRun.exe (PID: 7288)
- Create files in a temporary directory
  - Awp.exe (PID: 5256)
  - Awp.exe (PID: 2384)
  - Awp.exe (PID: 4428)
  - Awp.exe (PID: 2108)
  - csc.exe (PID: 7864)
  - MpCmdRun.exe (PID: 7288)
  - cvtres.exe (PID: 7708)
  - rar.exe (PID: 6872)
- Reads security settings of Internet Explorer
  - ComputerDefaults.exe (PID: 5344)
  - WMIC.exe (PID: 7228)
  - WMIC.exe (PID: 7508)
  - WMIC.exe (PID: 7440)
  - WMIC.exe (PID: 7776)
  - WMIC.exe (PID: 7808)
  - WMIC.exe (PID: 8004)
  - WMIC.exe (PID: 8096)
  - WMIC.exe (PID: 7356)
- Reads Internet Explorer settings
  - mshta.exe (PID: 1188)
- Checks the directory tree
  - tree.com (PID: 8100)
  - tree.com (PID: 7220)
  - tree.com (PID: 7428)
  - tree.com (PID: 7404)
  - tree.com (PID: 7516)
  - tree.com (PID: 7988)
- The Powershell gets current clipboard
  - powershell.exe (PID: 7832)
- Reads the machine GUID from the registry
  - csc.exe (PID: 7864)
  - rar.exe (PID: 6872)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 660)
  - powershell.exe (PID: 2236)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 660)
  - powershell.exe (PID: 2236)
  - powershell.exe (PID: 6592)
  - powershell.exe (PID: 7252)
- Displays MAC addresses of computer network adapters
  - getmac.exe (PID: 7524)
- Attempting to use instant messaging service
  - svchost.exe (PID: 2196)
  - Awp.exe (PID: 2108)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2025:05:17 15:55:42+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.43
CodeSize:	178688
InitializedDataSize:	104448
UninitializedDataSize:	-
EntryPoint:	0xc380
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line
FileVersionNumber:	10.0.19041.3636
ProductVersionNumber:	10.0.19041.3636
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Windows Remote Assistance
FileVersion:	10.0.19041.3636 (WinBuild.160101.0800)
InternalName:	msra.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	msra.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	10.0.19041.3636

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

224

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

516

computerdefaults --nouacbypass

C:\Windows\System32\ComputerDefaults.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Set Program Access and Computer Defaults Control Panel

Exit code:

3221226540

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\computerdefaults.exe
c:\windows\system32\ntdll.dll

536

C:\WINDOWS\system32\cmd.exe /c "reg delete hkcu\Software\Classes\ms-settings /f"

C:\Windows\System32\cmd.exe

—

Awp.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

660

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\Temp\Awp.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1056

"C:\WINDOWS\system32\ComputerDefaults.exe" --nouacbypass

C:\Windows\System32\ComputerDefaults.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Set Program Access and Computer Defaults Control Panel

Exit code:

3221226540

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\computerdefaults.exe
c:\windows\system32\ntdll.dll

1096

C:\WINDOWS\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\cmd.exe

—

Awp.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

1188

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Hwid Error.', 0, 'Error 2810', 32+16);close()"

C:\Windows\System32\mshta.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft (R) HTML Application host

Exit code:

Version:

11.00.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll

1452

C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\admin\AppData\Local\Temp\Awp.exe" /f"

C:\Windows\System32\cmd.exe

—

Awp.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

1452

C:\WINDOWS\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\System32\cmd.exe

—

Awp.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

1672

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

1760

C:\WINDOWS\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\cmd.exe

—

Awp.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

Add for printing

Total events

54 606

Read events

54 594

Write events

Delete events

Modification events


(PID) Process:	(6800) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:	write	Name:	DelegateExecute
Value:
(PID) Process:	(5344) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(5344) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5344) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5344) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6388) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6388) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6388) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6388) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(2108) Awp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib
Operation:	write	Name:	1280x720x32(BGR 0)
Value: 31,31,31,31

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5256	Awp.exe	C:\Users\admin\AppData\Local\Temp\_MEI52562\VCRUNTIME140.dll		executable
		MD5:32DA96115C9D783A0769312C0482A62D	SHA256:8B10C53241726B0ACC9F513157E67FCB01C166FEC69E5E38CA6AADA8F9A3619F
5256	Awp.exe	C:\Users\admin\AppData\Local\Temp\_MEI52562\_asyncio.pyd		executable
		MD5:EBAA926303F81E8DB85D6523208B336E	SHA256:9F51191EBAFA85CA5AB3C9B78A85D814F39CCA12EF7A5A3CF09DE256E38C10B9
5256	Awp.exe	C:\Users\admin\AppData\Local\Temp\_MEI52562\_ssl.pyd		executable
		MD5:0940325D7409D9D7D06DEF700EA2B96E	SHA256:8E4490CB83A98BFE287FA188647EFB65040EC9B6B85C3E164A2F2B19ABD14560
5256	Awp.exe	C:\Users\admin\AppData\Local\Temp\_MEI52562\_hashlib.pyd		executable
		MD5:5F64EB23EED56E87B1E21F0790E59BA0	SHA256:FA251F61BAC1645FD9DB7FC0E392F57FCEDCDAE988FBF019EE934C82BCC01714
5256	Awp.exe	C:\Users\admin\AppData\Local\Temp\_MEI52562\_overlapped.pyd		executable
		MD5:C3D95DEDDAD7D4E6C891AB3DF5C0159A	SHA256:7103AEE3D458E6DA49366A6EC506B5174EF6FA13AB9107F078E873121D6C0232
5256	Awp.exe	C:\Users\admin\AppData\Local\Temp\_MEI52562\_lzma.pyd		executable
		MD5:04AE3BB5F79FC405C70AB54645778C5A	SHA256:9801BB857F2DC21AFDDCA82D1A1ED9567AD343C8C0A5137BC4BA804CAB1500A1
5256	Awp.exe	C:\Users\admin\AppData\Local\Temp\_MEI52562\_sqlite3.pyd		executable
		MD5:0EA6BB0D33C7BA53EA512292F03DC40D	SHA256:5F7733F7AB2473C9C34FCAAEC60F1329FC1B4A3EF24E338D076A8CD000E99B58
5256	Awp.exe	C:\Users\admin\AppData\Local\Temp\_MEI52562\_multiprocessing.pyd		executable
		MD5:4C511CA8FE446D24F623F07631A69C81	SHA256:AE3502EAE5006810DD3F958C151421D0B77A6294EADE51935744EC7DF3064514
5256	Awp.exe	C:\Users\admin\AppData\Local\Temp\_MEI52562\_socket.pyd		executable
		MD5:A3E17F70F84E2B890D6382076573103B	SHA256:079F88CB08B8FC0BBAA54CA679EC5F89463AD17A61F2ACE1CD9CB0D0098178A6
5256	Awp.exe	C:\Users\admin\AppData\Local\Temp\_MEI52562\_wmi.pyd		executable
		MD5:CC959A1C6686822F47460826FCB6B3F1	SHA256:5F9ACF702C1267D41DAB38863D4D28BDD1A49BEB1D2DC64E23ED0BC5141FF9D1

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.216.77.36:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2108	Awp.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2108	Awp.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/?fields=225545	unknown	—	—	whitelisted
7544	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7544	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	23.216.77.36:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2104	svchost.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2112	svchost.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
2108	Awp.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	whitelisted
2108	Awp.exe	142.250.181.227:443	gstatic.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	23.216.77.36 23.216.77.35 23.216.77.15 23.216.77.6 23.216.77.42 23.216.77.13 23.216.77.8 23.216.77.37 23.216.77.18	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
google.com	142.250.185.142	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
blank-zr80c.in	—	unknown
ip-api.com	208.95.112.1	whitelisted
gstatic.com	142.250.181.227	whitelisted
login.live.com	20.190.160.20 20.190.160.4 20.190.160.64 20.190.160.130 40.126.32.76 20.190.160.14 20.190.160.66 40.126.32.136	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
settings-win.data.microsoft.com	51.124.78.146	whitelisted

Threats

PID	Process	Class	Message
2196	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2196	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2108	Awp.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
2196	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
2108	Awp.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
2108	Awp.exe	A Network Trojan was detected	STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
2196	svchost.exe	Misc activity	ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
2108	Awp.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
2108	Awp.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com

Add for printing

No debug info

General Info

Awp.exe

D524F4B58152463D7C54DCA9B1490557

5B4C904085B9AFA46BB103E46B42FBF5ED5E9EF8

C80C2D3E8D88F24336558C27649A587054A4344EA45F21F7FBB4545077C1FA0B

98304:j/0CLb/aohQRoomUyepmSPy4OuqOVCDmTaEucoHjCU1TruJkKfEIIWaudxNtImIk:vh+Snecvsj96MybKl

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

BlankGrabber has been detected

Bypass User Account Control (ComputerDefaults)

Bypass User Account Control (Modify registry)

Adds path to the Windows Defender exclusion list

Antivirus name has been found in the command line (generic signature)

Changes settings for sending potential threat samples to Microsoft servers

Changes Windows Defender settings

Changes settings for real-time protection

Changes settings for reporting to Microsoft Active Protection Service (MAPS)

Changes settings for protection against network attacks (IPS)

Changes settings for checking scripts for malicious actions

Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

Changes Controlled Folder Access settings

Steals credentials from Web Browsers

Actions looks like stealing of personal data

Changes powershell execution policy (Bypass)

Bypass execution policy to execute commands

Resets Windows Defender malware definitions to the base version

BLANKGRABBER has been detected (SURICATA)

SUSPICIOUS

Executable content was dropped or overwritten

Starts a Microsoft application from unusual location

Process drops python dynamic module

Process drops legitimate windows executable

The process drops C-runtime libraries

Application launched itself

Starts CMD.EXE for commands execution

Uses REG/REGEDIT.EXE to modify registry

Changes default file association

Found strings related to reading or modifying Windows Defender settings

Uses WEVTUTIL.EXE to query events from a log or log file

Get information on the list of running processes

Script disables Windows Defender's IPS

Starts POWERSHELL.EXE for commands execution

Script adds exclusion path to Windows Defender

Accesses product unique identifier via WMI (SCRIPT)

Script disables Windows Defender's real-time protection

Executes JavaScript directly as a command

Uses WMIC.EXE to obtain Windows Installer data

Uses WMIC.EXE to obtain a list of video controllers

Accesses video controller name via WMI (SCRIPT)

Uses NETSH.EXE to obtain data on the network

Uses SYSTEMINFO.EXE to read the environment

BASE64 encoded PowerShell command has been detected

Starts application with an unusual extension

Accesses antivirus product name via WMI (SCRIPT)

Base64-obfuscated command line is found

The process bypasses the loading of PowerShell profile settings

Checks for external IP

CSC.EXE is used to compile C# code

The executable file from the user directory is run by the CMD process

Captures screenshot (POWERSHELL)

Accesses operating system name via WMI (SCRIPT)

Uses WMIC.EXE to obtain computer system information

Uses WMIC.EXE to obtain operating system information

INFO

Checks supported languages

The sample compiled with english language support

Reads the computer name

Create files in a temporary directory

Reads security settings of Internet Explorer

Reads Internet Explorer settings

Checks the directory tree

The Powershell gets current clipboard

Reads the machine GUID from the registry

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)