File name: | 031cb1c69db095e0a56ba97e6d01924733d1eca053fe58bca57158fdb1a0ea78.bin |
Full analysis: | https://app.any.run/tasks/c003d556-68dd-488e-a873-f226a1f33f27 |
Verdict: | Malicious activity |
Threats: | HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. |
Analysis date: | April 15, 2025, 17:55:38 |
OS: | Windows 11 Professional (build: 22000, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
MD5: | 1A560E6AC1E56D6F1AA00E99132902B8 |
SHA1: | 2706E759A40EE5BA597AFDC050007A772D668D9B |
SHA256: | 031CB1C69DB095E0A56BA97E6D01924733D1ECA053FE58BCA57158FDB1A0EA78 |
SSDEEP: | 196608:437n/0JG7CZeywA2T9Xl4+9c1b41IccxomSPD7ejErUoY3PAXbsU1JynWr2:O7/37C8MQ9W+9QbecHAKEC3PAXbJ+nWy |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0008 |
ZipCompression: | Deflated |
ZipModifyDate: | 2025:03:17 14:13:00 |
ZipCRC: | 0xc76049c9 |
ZipCompressedSize: | 3061 |
ZipUncompressedSize: | 8944 |
ZipFileName: | lnstaIer.py |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
136 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4368 --field-trial-handle=2020,i,15865652212046538862,8466794488267120692,262144 --variations-seed-version /prefetch:2 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.92 Modules
| |||||||||||||||
148 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3192 --field-trial-handle=1992,i,15637806676308580862,7101736284147317455,262144 --variations-seed-version /prefetch:1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.92 Modules
| |||||||||||||||
416 | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.22000.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
600 | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3560,i,4581352578050688585,8812083709121872378,262144 --variations-seed-version --mojo-platform-channel-handle=3752 /prefetch:2 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 123.0.6312.86 Modules
| |||||||||||||||
820 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3928 --field-trial-handle=1992,i,15637806676308580862,7101736284147317455,262144 --variations-seed-version /prefetch:2 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.92 Modules
| |||||||||||||||
864 | "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3048,i,4581352578050688585,8812083709121872378,262144 --variations-seed-version --mojo-platform-channel-handle=3108 /prefetch:1 | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 123.0.6312.86 Modules
| |||||||||||||||
988 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5192 --field-trial-handle=2020,i,15865652212046538862,8466794488267120692,262144 --variations-seed-version /prefetch:1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.92 Modules
| |||||||||||||||
1048 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\admin\AppData\Local\Temp\chrDA94.tmp /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\admin\AppData\Local\Temp\chrDA94.tmp\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.129 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.92 --initial-client-data=0x278,0x27c,0x280,0x270,0x288,0x7ffc733a5fd8,0x7ffc733a5fe4,0x7ffc733a5ff0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.92 Modules
| |||||||||||||||
1156 | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.22000.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
1168 | "C:\Windows\System32\svchost.exe" | C:\Windows\System32\svchost.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Exit code: 0 Version: 10.0.22000.1 (WinBuild.160101.0800) Modules
|
(PID) Process: | (3568) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (3568) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3568) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
(PID) Process: | (3568) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
(PID) Process: | (3568) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\031cb1c69db095e0a56ba97e6d01924733d1eca053fe58bca57158fdb1a0ea78.bin.zip | |||
(PID) Process: | (3568) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (3568) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (3568) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (3568) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (3568) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\lnstaIer.py | text | |
MD5:F82BFB01FA17B87134B14FC21DDACB74 | SHA256:5A2D8E648E3F4CBDCD32CBD2BB0BA48D10DE32FE14042E201A8BB7088CEFAD79 | |||
3568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\__MACOSX\._lnstaIer.py | binary | |
MD5:F948B9B7D71E8499AB0BB16298950D26 | SHA256:BD76F0B69D2D784E27371F3419E433B3AE02A62E9C860FB6514473E8339FB159 | |||
3568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\data\archive.rpa | binary | |
MD5:3C8CB207B14F16245F8DA6893D334D18 | SHA256:3D8EA7DB91841F5AC40F8DBEC5345A3E2E213F147BA1BFAEC29BBEEC0458FDFE | |||
3568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\__MACOSX\._data | binary | |
MD5:F948B9B7D71E8499AB0BB16298950D26 | SHA256:BD76F0B69D2D784E27371F3419E433B3AE02A62E9C860FB6514473E8339FB159 | |||
3568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\__MACOSX\data\._archive.rpa | binary | |
MD5:F948B9B7D71E8499AB0BB16298950D26 | SHA256:BD76F0B69D2D784E27371F3419E433B3AE02A62E9C860FB6514473E8339FB159 | |||
3568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\data\script_version.txt | binary | |
MD5:5569A7FF423EA1F96B903A68457DC553 | SHA256:C376AAC0470C00F63804E0ED35E1B812DCC11C80CCFDFBFCF4CE2EBE02ACA6D7 | |||
3568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\data\.key | text | |
MD5:3EB2931CC49DB48E7C9D0AAE93DCDF91 | SHA256:46781D1A6BA1854828605C5173DC638CC725382AD828DED373C4D8870EFAEC74 | |||
3568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\__MACOSX\data\._cache | binary | |
MD5:F948B9B7D71E8499AB0BB16298950D26 | SHA256:BD76F0B69D2D784E27371F3419E433B3AE02A62E9C860FB6514473E8339FB159 | |||
3568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\__MACOSX\data\._script_version.txt | binary | |
MD5:F948B9B7D71E8499AB0BB16298950D26 | SHA256:BD76F0B69D2D784E27371F3419E433B3AE02A62E9C860FB6514473E8339FB159 | |||
3568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.6701\__MACOSX\data\._.key | binary | |
MD5:F948B9B7D71E8499AB0BB16298950D26 | SHA256:BD76F0B69D2D784E27371F3419E433B3AE02A62E9C860FB6514473E8339FB159 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1496 | smartscreen.exe | GET | 200 | 23.50.131.200:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fb0d43fa2dbc9d51 | unknown | — | — | whitelisted |
1496 | smartscreen.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | whitelisted |
3640 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
1352 | svchost.exe | GET | 200 | 88.221.110.216:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | — | — | whitelisted |
2768 | svchost.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?08d15ef3f08c448e | unknown | — | — | whitelisted |
2768 | svchost.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?2efe063e74f19306 | unknown | — | — | whitelisted |
2768 | svchost.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?a373b5c2c52739f9 | unknown | — | — | whitelisted |
2768 | svchost.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6fcbef6e9a78fd97 | unknown | — | — | whitelisted |
5508 | svchost.exe | GET | 200 | 109.107.165.124:80 | http://api.globalshimserv.top/76ece4d3ab5c60ead288414/9uaeqb17.m4tgq | unknown | — | — | — |
2988 | OfficeClickToRun.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1352 | svchost.exe | 88.221.110.147:80 | — | Akamai International B.V. | DE | unknown |
1496 | smartscreen.exe | 48.209.162.134:443 | checkappexec.microsoft.com | — | US | whitelisted |
1496 | smartscreen.exe | 23.50.131.200:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | whitelisted |
1496 | smartscreen.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
1480 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
3640 | svchost.exe | 40.126.32.140:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3640 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
3952 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
1352 | svchost.exe | 88.221.110.216:80 | — | Akamai International B.V. | DE | unknown |
Domain | IP | Reputation |
---|---|---|
google.com |
| whitelisted |
checkappexec.microsoft.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
fs.microsoft.com |
| whitelisted |
dns.msftncsi.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
cloudflare-dns.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO Microsoft Connection Test |
— | — | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
— | — | Misc activity | ET INFO Cloudflare DNS Over HTTPS Certificate Inbound |
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
— | — | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request |
— | — | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
— | — | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request |
— | — | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request |
Process | Message |
---|---|
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\chrA941.tmp directory exists )
|
msedge.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\chrBDC4.tmp directory exists )
|
msedge.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\chrDA94.tmp directory exists )
|