File name:

Roblox Premium Hack 2025.exe

Full analysis: https://app.any.run/tasks/7fef1a60-32ff-4d4c-8c7a-ffd78bc9a99d
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: January 16, 2025, 11:50:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
netreactor
lumma
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 4 sections
MD5:

E80AF1F40B3C618549CFC46AF7C473CC

SHA1:

C50F7510203B959F02431E4B8CAC49BF4455DC44

SHA256:

787201084E3FBDA03174AF5F0B2E1046122F19CE050E7DE5FFA5F1F45D46B44A

SSDEEP:

12288:3sAEP5iF2oO1HYJiynAHuZ2fLo5UKnjdtXK8Fag0otXo:d+iF61HYJiyAHuEfM5UajdtXK8Ig0V

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Roblox Premium Hack 2025.exe (PID: 6296)

    • LUMMA mutex has been found

      • Roblox Premium Hack 2025.exe (PID: 6456)

  • SUSPICIOUS

    • Application launched itself

      • Roblox Premium Hack 2025.exe (PID: 6296)

    • Executes application which crashes

      • Roblox Premium Hack 2025.exe (PID: 6296)

  • INFO

    • Reads the computer name

      • Roblox Premium Hack 2025.exe (PID: 6296)
      • Roblox Premium Hack 2025.exe (PID: 6456)

    • Checks supported languages

      • Roblox Premium Hack 2025.exe (PID: 6296)
      • Roblox Premium Hack 2025.exe (PID: 6456)

    • .NET Reactor protector has been detected

      • Roblox Premium Hack 2025.exe (PID: 6296)

    • Reads the software policy settings

      • WerFault.exe (PID: 6664)

    • Checks proxy server information

      • WerFault.exe (PID: 6664)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6664)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (61.6)
.dll | Win32 Dynamic Link Library (generic) (14.6)
.exe | Win32 Executable (generic) (10)
.exe | Win16/32 Executable Delphi generic (4.6)
.exe | Generic Win/DOS Executable (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2095:12:18 02:19:30+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 130048
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x21a3e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: Handler
FileVersion: 1.0.0.0
InternalName: Handler.exe
LegalCopyright: Copyright © 2025
LegalTrademarks: -
OriginalFileName: Handler.exe
ProductName: Handler
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
131
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start roblox premium hack 2025.exe #LUMMA roblox premium hack 2025.exe werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
6296"C:\Users\admin\AppData\Local\Temp\Roblox Premium Hack 2025.exe" C:\Users\admin\AppData\Local\Temp\Roblox Premium Hack 2025.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Handler
Exit code:
3221226505
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\roblox premium hack 2025.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
6456"C:\Users\admin\AppData\Local\Temp\Roblox Premium Hack 2025.exe"C:\Users\admin\AppData\Local\Temp\Roblox Premium Hack 2025.exe
Roblox Premium Hack 2025.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Handler
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\roblox premium hack 2025.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
6664C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6296 -s 844C:\Windows\SysWOW64\WerFault.exe
Roblox Premium Hack 2025.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events
3 625
Read events
3 625
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
2
Unknown types
2

Dropped files

PID
Process
Filename
Type
6664WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Roblox Premium H_405b5ff88d679622fc4b663647511228cae65427_88b2540c_3f81064b-6bcd-4bd6-9e74-7c2f3ef1f613\Report.wer
MD5:
SHA256:
6664WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\Roblox Premium Hack 2025.exe.6296.dmp
MD5:
SHA256:
6664WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER7544.tmp.WERInternalMetadata.xmlxml
MD5:5AB70B0FB65D209F49148B12E85C5831
SHA256:9DF67EE81831CB01F920D9950775ABF022732C99BEDAEA1F8548CCD0268DF401
6664WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER6ECA.tmp.dmpbinary
MD5:3FC1C2D5F1C4174ED81CBB8B724421A0
SHA256:872F540D01E759AD1793826157F4799810DD2FCD75A5B1992847F3C78D22921E
6664WerFault.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FEder
MD5:FA84E4BCC92AA5DB735AB50711040CDE
SHA256:6D7205E794FDE4219A62D9692ECDDF612663A5CF20399E79BE87B851FCA4CA33
6664WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER764E.tmp.xmlxml
MD5:B2C7530D8DFDE136F1DFB8D5485A7FCA
SHA256:4D4DBE87C67768984EE7F3C17C85A3911B7FCCF059FDA360F91125297AB57F72
6664WerFault.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FEbinary
MD5:4B41661751965EB5D97B3A6BC0A6B5BB
SHA256:148489429F30350C5350045C8BF749F0DF7E9FA9FAD8C72AF1CDCDEC41A6EDF1
6664WerFault.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785der
MD5:F6F53CD09A41E968C363419B279D3112
SHA256:6D2BB01CC7A9BADE2113B219CAC1BDA86B2733196B7E1BD0C807CE1E396B1892
6664WerFault.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\21253908F3CB05D51B1C2DA8B681A785binary
MD5:18F82360ADB0E49362AB44E8C5AC8D35
SHA256:346ED3B693C95905523AEEAF932F32684CAC2B9F07DB520303F5C33F78D9842A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
43
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.161:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
1.01 Kb
whitelisted
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
DE
binary
313 b
whitelisted
1176
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
DE
binary
471 b
whitelisted
6664
WerFault.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
973 b
whitelisted
6664
WerFault.exe
GET
200
23.48.23.194:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
1.01 Kb
whitelisted
3952
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
DE
binary
419 b
whitelisted
6352
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
DE
binary
471 b
whitelisted
3952
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
DE
binary
408 b
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
973 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5064
SearchApp.exe
2.23.227.208:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
23.48.23.161:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4308
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1076
svchost.exe
2.23.242.9:443
go.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.23.227.208
  • 2.23.227.221
  • 2.23.227.215
whitelisted
google.com
  • 142.250.185.110
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
crl.microsoft.com
  • 23.48.23.161
  • 23.48.23.169
  • 23.48.23.180
  • 23.48.23.191
  • 23.48.23.181
  • 23.48.23.137
  • 23.48.23.178
  • 23.48.23.194
  • 23.48.23.166
  • 23.48.23.173
  • 23.48.23.159
  • 23.48.23.143
  • 23.48.23.164
  • 23.48.23.176
  • 23.48.23.141
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
go.microsoft.com
  • 2.23.242.9
whitelisted
sobrattyeu.bond
  • 104.21.48.1
  • 104.21.80.1
  • 104.21.112.1
  • 104.21.96.1
  • 104.21.32.1
  • 104.21.16.1
  • 104.21.64.1
malicious
login.live.com
  • 40.126.32.138
  • 40.126.32.76
  • 20.190.160.22
  • 40.126.32.134
  • 20.190.160.20
  • 40.126.32.133
  • 40.126.32.74
  • 40.126.32.68
whitelisted
watson.events.data.microsoft.com
  • 20.42.65.92
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 51.124.78.146
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Roblox Premium Hack 2025.exe