URL: https://haxpc.net/ccleaner/

Full analysis: https://app.any.run/tasks/3a8bbb22-bd45-4054-a3ce-f75861bf7713
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Analysis date: May 27, 2026, 23:25:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
phishing
lumma
stealer
fingerprinting
golang
Indicators:
MD5:

C3D92674A5DC96199532F4137C40F386

SHA1:

5BB3FDBFD0E9FC5245B1F7FAD180364A38A86540

SHA256:

3E8313A60F7667E0F27C063D63876CFB37E6C888D1332691176E8B71E8650E5D

SSDEEP:

3:N84ML0KRJArK:24ML0gT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • PHISHING has been detected (SURICATA)

      • msedge.exe (PID: 7792)
    • Executing a file with an untrusted certificate

      • ws-Setup-Complete.exe (PID: 3412)
      • ws-Setup-Complete.exe (PID: 7992)
      • ws-Setup-Complete.exe (PID: 8452)
    • LUMMA mutex has been found

      • ws-Setup-Complete.exe (PID: 7992)
      • ws-Setup-Complete.exe (PID: 8452)
    • LUMMA has been detected (SURICATA)

      • chrome.exe (PID: 5204)
      • svchost.exe (PID: 2232)
      • chrome.exe (PID: 7300)
      • chrome.exe (PID: 2524)
      • chrome.exe (PID: 4684)
    • LUMMA has been detected (YARA)

      • ws-Setup-Complete.exe (PID: 7992)
      • ws-Setup-Complete.exe (PID: 8452)
    • Steals credentials from Web Browsers

      • ws-Setup-Complete.exe (PID: 7992)
  • SUSPICIOUS

    • Canvas fingerprinting is present

      • chrome.exe (PID: 9116)
      • chrome.exe (PID: 8392)
      • chrome.exe (PID: 5964)
    • WebGL fingerprinting is present

      • chrome.exe (PID: 8948)
    • Potential Corporate Privacy Violation

      • msedge.exe (PID: 7792)
    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2232)
      • chrome.exe (PID: 5204)
      • chrome.exe (PID: 2524)
      • chrome.exe (PID: 7300)
      • chrome.exe (PID: 4684)
    • Possible stealing from crypto wallets

      • ws-Setup-Complete.exe (PID: 7992)
    • Possible stealing from 2fa

      • ws-Setup-Complete.exe (PID: 7992)
    • Possible stealing from password managers

      • ws-Setup-Complete.exe (PID: 7992)
    • Possible stealing from notes

      • ws-Setup-Complete.exe (PID: 7992)
    • Possible stealing from browsers

      • ws-Setup-Complete.exe (PID: 7992)
  • INFO

    • Reads the computer name

      • identity_helper.exe (PID: 5284)
      • ws-Setup-Complete.exe (PID: 7992)
      • ws-Setup-Complete.exe (PID: 8452)
    • Checks supported languages

      • identity_helper.exe (PID: 5284)
      • ws-Setup-Complete.exe (PID: 7992)
      • ws-Setup-Complete.exe (PID: 8452)
    • Launching a file from the Downloads directory

      • msedge.exe (PID: 4680)
    • Application launched itself

      • msedge.exe (PID: 4680)
      • chrome.exe (PID: 9116)
      • chrome.exe (PID: 8948)
      • chrome.exe (PID: 8392)
      • chrome.exe (PID: 5964)
    • Reads Environment values

      • identity_helper.exe (PID: 5284)
    • Manual execution by a user

      • WinRAR.exe (PID: 6944)
      • WinRAR.exe (PID: 1972)
      • ws-Setup-Complete.exe (PID: 3412)
      • ws-Setup-Complete.exe (PID: 7992)
      • ws-Setup-Complete.exe (PID: 8452)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6944)
    • There is functionality for taking screenshot (YARA)

      • ws-Setup-Complete.exe (PID: 7992)
      • ws-Setup-Complete.exe (PID: 8452)
    • Application based on Golang

      • ws-Setup-Complete.exe (PID: 7992)
      • ws-Setup-Complete.exe (PID: 8452)

Lumma

(PID) Process: (7992) ws-Setup-Complete.exe

C2 (9):
carytui.vu/caccc
decrnoj.club/xxx
diplokb.cyou
genugsq.best/main
longmbx.click/manifest
mushxhb.best/info
pomflgf.vu/help
strikql.shop/owner
ulmudhw.shop/create

ChaCha20:
key: 0JU4QL22Q5eh0Ef+u0QCcLgdGmfzhxzYnCGOhsr7nRY=
nonce: uZefmY6lwdM=
counter: 2

key: 0JU4QL22Q5eh0Ef+u0QCcLgdGmfzhxzYnCGOhsr7nRY=
nonce: uZefmY6lwdM=
counter: 0

Strings (37):
%ProgramFiles%\
/dp.txt
/leveldb
;:9876543210/.-,+*)('&%$#
Account
ChromiumDev
Content-Disposition: form-data; name="file"; filename="
Content-Type: multipart/form-data; boundary=
Cookie: __cf_mw_byp=
Discord
DiscordCanary
DisplayName
Install Date:
InstallLocation
Login Data
Login Data For Account
Mails/Windows Mail
Mails/Windows Mail Alternative
NtQueryVirtualMemory
Operation System:
Password
ROOT\CIMV2
SeImpersonatePrivilege
SerialNumber
Web Data
\Application\
\LocalState\Indexed\LiveComm\
\Microsoft\Windows Mail\Local Folders
\Packages
\key4.db
^userContextId=4294967295\idb
eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0
https://steamcommunity.com/profiles/76561199880317058
microsoft.windowscommunicationsapps*
name="atok" value="
ntdll.dll
steam.exe
(PID) Process: (8452) ws-Setup-Complete.exe

C2 (9):
carytui.vu/caccc
decrnoj.club/xxx
diplokb.cyou
genugsq.best/main
longmbx.click/manifest
mushxhb.best/info
pomflgf.vu/help
strikql.shop/owner
ulmudhw.shop/create

ChaCha20:
key: 0JU4QL22Q5eh0Ef+u0QCcLgdGmfzhxzYnCGOhsr7nRY=
nonce: uZefmY6lwdM=
counter: 2

key: 0JU4QL22Q5eh0Ef+u0QCcLgdGmfzhxzYnCGOhsr7nRY=
nonce: uZefmY6lwdM=
counter: 0

Strings (37):
%ProgramFiles%\
/dp.txt
/leveldb
;:9876543210/.-,+*)('&%$#
Account
ChromiumDev
Content-Disposition: form-data; name="file"; filename="
Content-Type: multipart/form-data; boundary=
Cookie: __cf_mw_byp=
Discord
DiscordCanary
DisplayName
Install Date:
InstallLocation
Login Data
Login Data For Account
Mails/Windows Mail
Mails/Windows Mail Alternative
NtQueryVirtualMemory
Operation System:
Password
ROOT\CIMV2
SeImpersonatePrivilege
SerialNumber
Web Data
\Application\
\LocalState\Indexed\LiveComm\
\Microsoft\Windows Mail\Local Folders
\Packages
\key4.db
^userContextId=4294967295\idb
eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0
https://steamcommunity.com/profiles/76561199880317058
microsoft.windowscommunicationsapps*
name="atok" value="
ntdll.dll
steam.exe
Total processes: 237
Monitored processes: 81
Malicious processes: 13
Suspicious processes: 1

Behavior graph

(Interactive process graph; only its flattened node labels survive here. In order they list: msedge.exe (flagged #PHISHING) and further msedge.exe instances, identity_helper.exe, winrar.exe, ws-setup-complete.exe (flagged #LUMMA), many chrome.exe instances (several flagged #LUMMA), and svchost.exe (flagged #LUMMA).)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 680
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3776,i,2291041261890223984,8883065268792089662,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=3852 /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 932
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=2264,i,7666756666565138830,12891362274351327606,262144 --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=2384 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1604
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.92 --initial-client-data=0x294,0x298,0x29c,0x28c,0x2a4,0x7ffe256bf208,0x7ffe256bf214,0x7ffe256bf220
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1972
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\«YursFileReady_PassWÖrdIŜ__««2319»»__».7z" C:\Users\admin\Downloads\«YursFileReady_PassWÖrdIŜ__««2319»»__»\
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2092
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.127 --initial-client-data=0x218,0x21c,0x220,0x1f4,0x224,0x7ffe2167fff8,0x7ffe21680004,0x7ffe21680010
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
HIGH
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 2132
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --disable-quic --string-annotations --field-trial-handle=4716,i,7666756666565138830,12891362274351327606,262144 --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=4724 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 2232
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2292
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,2291041261890223984,8883065268792089662,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=3144 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 2304
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5316,i,9475668956099915015,8681861741790933943,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=4988 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2452
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=5884,i,9475668956099915015,8681861741790933943,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=1352 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 4 385
Read events: 4 360
Write events: 12
Delete events: 13

Modification events

(PID) Process: (1972) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (1972) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (1972) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (1972) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (6944) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: delete value
Name: 15

(PID) Process: (6944) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: delete value
Name: 14

(PID) Process: (6944) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: delete value
Name: 13

(PID) Process: (6944) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: delete value
Name: 12

(PID) Process: (6944) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: delete value
Name: 11

(PID) Process: (6944) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: delete value
Name: 10
Executable files: 2
Suspicious files: 138
Text files: 303
Unknown types: 0

Dropped files

PID | Process | Filename
4680 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF15963e.TMP
4680 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
4680 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF15964e.TMP
4680 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
4680 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF15965e.TMP
4680 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF15965e.TMP
4680 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
4680 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
4680 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF15967d.TMP
4680 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
(Type, MD5 and SHA256 columns are empty in the report for these files.)
HTTP(S) requests: 334
TCP/UDP connections: 191
DNS requests: 177
Threats: 73

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5276 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.72:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
7792 | msedge.exe | GET | 200 | 104.17.15.101:443 | https://haxpc.net/wp-content/uploads/2026/04/ccleaner-logo.avif | US | binary | 4.26 Kb | unknown
7792 | msedge.exe | GET | 200 | 104.17.15.101:443 | https://haxpc.net/wp-content/uploads/2023/12/Microsoft-Office-2024-Cover-2.avif | US | binary | 4.35 Kb | unknown
7792 | msedge.exe | GET | 200 | 104.17.15.101:443 | https://haxpc.net/wp-content/plugins/perfmatters/js/analytics-minimal-v4.js?ver=ca272d8b4096 | US | text | 2.94 Kb | unknown
7792 | msedge.exe | GET | 200 | 104.17.15.101:443 | https://haxpc.net/wp-content/uploads/2026/04/windows-11-logo.avif | US | binary | 1.93 Kb | unknown
7792 | msedge.exe | GET | 200 | 104.17.15.101:443 | https://haxpc.net/wp-content/uploads/2024/12/Resolume-Arena-Cover.avif | US | binary | 9.05 Kb | unknown
7792 | msedge.exe | GET | 200 | 104.17.15.101:443 | https://haxpc.net/wp-content/uploads/2023/07/Wondershare-PDFelement-Professional-Cover.avif | US | binary | 5.93 Kb | unknown
7792 | msedge.exe | GET | 200 | 104.17.15.101:443 | https://haxpc.net/wp-content/plugins/lazy-load-for-comments/build/frontend.js?ver=3d12db661b36 | US | text | 2.28 Kb | unknown
7792 | msedge.exe | GET | 302 | 104.17.15.101:443 | https://haxpc.net/cdn-cgi/challenge-platform/scripts/jsd/main.js | US | - | - | unknown
7792 | msedge.exe | GET | 304 | 104.17.15.101:443 | https://haxpc.net/ccleaner/ | US | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5624 | svchost.exe | 48.209.138.168:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | Not routed | whitelisted
- | - | 48.209.138.168:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5276 | MoUsoCoreWorker.exe | 2.16.164.72:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
- | - | 48.192.1.64:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5532 | SearchApp.exe | 2.16.204.135:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
5276 | MoUsoCoreWorker.exe | 23.59.18.102:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
- | - | 23.11.40.157:80 | ocsp.digicert.com | AKAMAI-AMS | NL | whitelisted
- | - | 204.79.197.203:80 | oneocsp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | Not routed | whitelisted
(Rows with "-" in the PID and Process columns carry no process attribution in the report.)

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 48.209.138.168
  • 57.153.246.3
whitelisted
crl.microsoft.com
  • 2.16.164.72
  • 2.16.164.106
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted
www.bing.com
  • 2.16.204.135
  • 2.16.204.141
whitelisted
www.microsoft.com
  • 23.59.18.102
whitelisted
ocsp.digicert.com
  • 23.11.40.157
whitelisted
google.com
  • 142.251.20.113
  • 142.251.20.100
  • 142.251.20.139
  • 142.251.20.101
  • 142.251.20.138
  • 142.251.20.102
whitelisted
oneocsp.microsoft.com
  • 204.79.197.203
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
config.edge.skype.com
  • 150.171.22.17
whitelisted

Threats

PID | Process | Class | Message
7792 | msedge.exe | Misc activity | ET INFO Observed DNS Query to .cfd TLD
7792 | msedge.exe | Misc activity | ET INFO Observed DNS Query to .cfd TLD
7792 | msedge.exe | Misc activity | ET INFO Observed DNS Query to .cfd TLD
7792 | msedge.exe | Misc activity | ET INFO Observed DNS Query to .cfd TLD
7792 | msedge.exe | Misc activity | ET FILE_SHARING File Sharing Related Domain in DNS Lookup (mega .nz)
7792 | msedge.exe | Misc activity | ET FILE_SHARING File Sharing Related Domain in DNS Lookup (mega .nz)
7792 | msedge.exe | Misc activity | ET FILE_SHARING File Sharing Related Domain in DNS Lookup (mega .nz)
7792 | msedge.exe | Misc activity | ET FILE_SHARING File Sharing Domain Observed in TLS SNI (mega .nz)
7792 | msedge.exe | Misc activity | ET FILE_SHARING File Sharing Domain Observed in TLS SNI (mega .nz)
7792 | msedge.exe | Misc activity | ET FILE_SHARING File Sharing Domain Observed in TLS SNI (mega .nz)
2 ETPRO signatures available at the full report
No debug info