File name:	lummaps1.zip
Full analysis:	https://app.any.run/tasks/086e6949-e34d-4614-9f8e-03fc50f13e5d
Verdict:	Malicious activity
Threats:	HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	May 15, 2025, 16:22:58
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-scr auto generic hijackloader loader
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5:	70ED92ED5A70E73D6DC19F1AFCD9AA18
SHA1:	D370D34E450BEC59D40A5FF7E2D7448A9A326132
SHA256:	277443C934C624EB4401CD04C57EF1AAE3306DD4CC3BCC782395F2055FA3A7C7
SSDEEP:	384:LdtU/LDMrzjLL1UmLEm/CHayVi0VoVuUQOhphYO:LPU/YjLLT3yeVCOh0O

ZipRequiredVersion:	51
ZipBitFlag:	0x0003
ZipCompression:	Unknown (99)
ZipModifyDate:	2025:05:15 16:14:06
ZipCRC:	0x8355915b
ZipCompressedSize:	12777
ZipUncompressedSize:	17777
ZipFileName:	0f6998c8df794ca2e22ac859bb5b5eabb30031e3f99510aa21a6352c220616a0.ps1


(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\lummaps1.zip
(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100

PID	Process	Filename		Type
5116	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10cce7.TMP		binary
		MD5:D040F64E9E7A2BB91ABCA5613424598E	SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
5116	powershell.exe	C:\Users\admin\AppData\Roaming\Quickhad.iwpn		abr
		MD5:F6CF6282BDD86CCC3CD4C4009632A0DA	SHA256:02B5E970698077A5A27162474E110132C267127EEEAC1876F56FDACD1FADA878
5116	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jncu4bvl.2us.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5116	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7ODN6K3C75M3PHAOE5P8.temp		binary
		MD5:B5B94A98E44FF969E5F03DA26513E939	SHA256:64EEA78A2943D2D994360B39BD051F35E30A26196BA5B12C1E77C248CCD0C143
5116	powershell.exe	C:\Users\admin\AppData\Roaming\lr9c3ado06l5gfgzh1wq0ypp6efit0ay.zip		compressed
		MD5:458646A38B3D235444B0771D4147DCDC	SHA256:B648B65DE6D26D79C47EC23A85D44FCCED61CE1C36371AFB28C021B1CDFA2B71
5116	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache		binary
		MD5:3F95A05381C6D14195F6A1538F5FBADE	SHA256:0E753E9AD3EDE811C17D076B462F85321B8F559C2E462AF0990A1653573A525F
2240	AMatrix_Electro16.exe	C:\Users\admin\AppData\Local\Temp\F78A324.tmp		—
		MD5:—	SHA256:—
5116	powershell.exe	C:\Users\admin\AppData\Roaming\msvcp140.dll		executable
		MD5:9FF712C25312821B8AEC84C4F8782A34	SHA256:517CD3AAC2177A357CCA6032F07AD7360EE8CA212A02DD6E1301BF6CFADE2094
5116	powershell.exe	C:\Users\admin\AppData\Roaming\mfc140u.dll		executable
		MD5:453B2E03375665ED1242A089792A9A14	SHA256:B7B6D27B2D6A37B92F7B56AED8812FBCA6D47784988B6F790A016AAD3F0C1D28
2240	AMatrix_Electro16.exe	C:\ProgramData\writerUltra\msvcp140.dll		executable
		MD5:9FF712C25312821B8AEC84C4F8782A34	SHA256:517CD3AAC2177A357CCA6032F07AD7360EE8CA212A02DD6E1301BF6CFADE2094

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6028	SIHClient.exe	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6028	SIHClient.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
6028	SIHClient.exe	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
6028	SIHClient.exe	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
6028	SIHClient.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6028	SIHClient.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
6028	SIHClient.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
6028	SIHClient.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
5116	powershell.exe	74.112.186.157:443	app.box.com	GOOGLE-CLOUD-PLATFORM	US	whitelisted
5116	powershell.exe	74.112.186.164:443	public.boxcloud.com	GOOGLE-CLOUD-PLATFORM	US	whitelisted
6028	SIHClient.exe	20.109.210.53:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6028	SIHClient.exe	2.16.168.114:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
6028	SIHClient.exe	23.219.150.101:80	www.microsoft.com	AKAMAI-AS	CL	whitelisted
6028	SIHClient.exe	40.69.42.241:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
google.com	142.250.185.206	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
app.box.com	74.112.186.157	whitelisted
public.boxcloud.com	74.112.186.164	whitelisted
slscr.update.microsoft.com	20.109.210.53	whitelisted
crl.microsoft.com	2.16.168.114 2.16.168.124	whitelisted
www.microsoft.com	23.219.150.101	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

PID	Process	Class	Message
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage

General Info

lummaps1.zip

70ED92ED5A70E73D6DC19F1AFCD9AA18

D370D34E450BEC59D40A5FF7E2D7448A9A326132

277443C934C624EB4401CD04C57EF1AAE3306DD4CC3BCC782395F2055FA3A7C7

384:LdtU/LDMrzjLL1UmLEm/CHayVi0VoVuUQOhphYO:LPU/YjLLT3yeVCOh0O

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

Bypass execution policy to execute commands

GENERIC has been found (auto)

HIJACKLOADER has been detected (YARA)

Executing a file with an untrusted certificate

SUSPICIOUS

Converts a specified value to a byte (POWERSHELL)

Extracts files to a directory (POWERSHELL)

Gets file extension (POWERSHELL)

Executable content was dropped or overwritten

Process drops legitimate windows executable

The process drops C-runtime libraries

INFO

Manual execution by a user

Script raised an exception (POWERSHELL)

Gets data length (POWERSHELL)

Uses string replace method (POWERSHELL)

Disables trace logs

Converts byte array into ASCII string (POWERSHELL)

Checks proxy server information

Checks if a key exists in the options dictionary (POWERSHELL)

Checks whether the specified file exists (POWERSHELL)

The sample compiled with english language support

Checks supported languages

Creates files in the program directory

Creates files or folders in the user directory

Reads the computer name

Create files in a temporary directory

The sample compiled with chinese language support

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings