File name: 𝗗𝗒@π—ͺπ—‘π—Ÿπ—’π—”π——$_π—–π—’π— π—£π—Ÿπ—˜π—§π—˜ββ€–π—¦π—˜π—§βœ·π—–π—’π——π—˜_2025_PC!!#.zip

Full analysis: https://app.any.run/tasks/431c338d-aa72-430c-b423-0cb51b2782d6
Verdict: Malicious activity
Threats:

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Analysis date: April 15, 2025, 17:56:53
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: hijackloader, loader, stealer, lumma
Indicators:
MIME: application/zip
File info: Zip archive data, at least v6.3 to extract, compression method=lzma
MD5: ACD79737B3B7344FB2A34124512C1356
SHA1: E67D5A3094B94AB885149B35C251AC80546EFE31
SHA256: 8770524D925F81625A85E76DFD5FB99730106B2842D8A6C4226BAA67B18C61A2
SSDEEP: 98304:8QYmnzwkJbvuy4xdSlfevLZQxSOpWafWZwPAMxTTmIr/mXLHK0uffD4G3uhHHIDX:drBWM7a7VGVycvQId7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • HIJACKLOADER has been detected (YARA)
      • Setup.exe (PID: 516)
    • LUMMA has been detected (SURICATA)
      • svchost.exe (PID: 2196)
    • Connects to the CnC server
      • svchost.exe (PID: 2196)
    • Stealers network behavior
      • svchost.exe (PID: 2196)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • WinRAR.exe (PID: 7180)
    • Application launched itself
      • WinRAR.exe (PID: 7180)
    • Process drops legitimate Windows executable
      • WinRAR.exe (PID: 8068)
      • Setup.exe (PID: 516)
    • The process creates files with names similar to system file names
      • Setup.exe (PID: 516)
    • Executable content was dropped or overwritten
      • Setup.exe (PID: 516)
    • Starts a Microsoft application from an unusual location
      • explorer.exe (PID: 4336)
    • Contacting a server suspected of hosting a CnC
      • svchost.exe (PID: 2196)
  • INFO
    • Reads the software policy settings
      • slui.exe (PID: 7324)
      • explorer.exe (PID: 4336)
      • slui.exe (PID: 8140)
    • The sample was compiled with English language support
      • WinRAR.exe (PID: 8068)
      • Setup.exe (PID: 516)
    • Reads the computer name
      • Setup.exe (PID: 516)
      • explorer.exe (PID: 4336)
    • Creates files in the program directory
      • Setup.exe (PID: 516)
    • Creates files in a temporary directory
      • Setup.exe (PID: 516)
    • Manual execution by a user
      • Setup.exe (PID: 516)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 8068)
    • Checks supported languages
      • Setup.exe (PID: 516)
      • explorer.exe (PID: 4336)
    • Checks proxy server information
      • slui.exe (PID: 8140)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 63
ZipBitFlag: 0x0002
ZipCompression: LZMA (EFS)
ZipModifyDate: 2025:04:10 21:28:24
ZipCRC: 0xd23a1e7f
ZipCompressedSize: 1051544
ZipUncompressedSize: 7498166
ZipFileName: File Code --- 2025.rtf
No data.
All screenshots are available in the full report
Total processes: 138
Monitored processes: 9
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process chain (graph nodes): winrar.exe (no specs), sppextcomobj.exe (no specs), slui.exe, winrar.exe, slui.exe, rundll32.exe (no specs), #HIJACKLOADER setup.exe, explorer.exe, #LUMMA svchost.exe

Process information

PID: 516
CMD: "C:\Users\admin\Desktop\𝗗𝗒@π—ͺπ—‘π—Ÿπ—’π—”π——$_π—–π—’π— π—£π—Ÿπ—˜π—§π—˜ββ€–π—¦π—˜π—§βœ·π—–π—’π——π—˜_2025_PC!!#\Setup.exe"
Path: C:\Users\admin\Desktop\𝗗𝗒@π—ͺπ—‘π—Ÿπ—’π—”π——$_π—–π—’π— π—£π—Ÿπ—˜π—§π—˜ββ€–π—¦π—˜π—§βœ·π—–π—’π——π—˜_2025_PC!!#\Setup.exe
Parent process: explorer.exe
User: admin
Company: Sandboxie-Plus.com
Integrity Level: MEDIUM
Description: Sandboxie configuration file utility
Exit code: 0
Version: 5.67.3
Modules (Images):
  c:\users\admin\desktop\𝗗𝗒@π—ͺπ—‘π—Ÿπ—’π—”π——$_π—–π—’π— π—£π—Ÿπ—˜π—§π—˜ββ€–π—¦π—˜π—§βœ·π—–π—’π——π—˜_2025_pc!!#\setup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\psapi.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\win32u.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\gdi32full.dll

PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\system32\svchost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\kernel.appcore.dll

PID: 4336
CMD: C:\Users\admin\AppData\Local\Temp\814156\explorer.exe
Path: C:\Users\admin\AppData\Local\Temp\814156\explorer.exe
Parent process: Setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 0
Version: 10.0.22621.4455 (WinBuild.160101.0800)
Modules (Images):
  c:\users\admin\appdata\local\temp\gxdhj
  c:\users\admin\appdata\local\temp\814156\explorer.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll

PID: 7152
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Indicators: —
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\system32\rundll32.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\imagehlp.dll

PID: 7180
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\𝗗𝗒@π—ͺπ—‘π—Ÿπ—’π—”π——$_π—–π—’π— π—£π—Ÿπ—˜π—§π—˜ββ€–π—¦π—˜π—§βœ·π—–π—’π——π—˜_2025_PC!!#.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Indicators: —
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (Images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\win32u.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\gdi32full.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll

PID: 7292
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Indicators: —
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)

PID: 7324
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\system32\msxml6.dll
  c:\windows\system32\ws2_32.dll
  c:\windows\system32\ondemandconnroutehelper.dll
  c:\windows\system32\iphlpapi.dll
  c:\windows\system32\nsi.dll
  c:\windows\system32\dhcpcsvc6.dll
  c:\windows\system32\dhcpcsvc.dll
  c:\windows\system32\webio.dll
  c:\windows\system32\mswsock.dll
  c:\windows\system32\winnsi.dll

PID: 8068
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa7180.19119\𝗗𝗒@π—ͺπ—‘π—Ÿπ—’π—”π——$_π—–π—’π— π—£π—Ÿπ—˜π—§π—˜ββ€–π—¦π—˜π—§βœ·π—–π—’π——π—˜_2025_PC!!#.7z
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: WinRAR.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (Images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\win32u.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\gdi32full.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll

PID: 8140
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll

Total events: 5 405
Read events: 5 356
Write events: 36
Delete events: 13

Modification events

(PID) Process: (8068) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (8068) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (8068) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\AppData\Local\Temp\𝗗𝗒@π—ͺπ—‘π—Ÿπ—’π—”π——$_π—–π—’π— π—£π—Ÿπ—˜π—§π—˜ββ€–π—¦π—˜π—§βœ·π—–π—’π——π—˜_2025_PC!!#.zip

(PID) Process: (8068) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Rar$DIa7180.19119\𝗗𝗒@π—ͺπ—‘π—Ÿπ—’π—”π——$_π—–π—’π— π—£π—Ÿπ—˜π—§π—˜ββ€–π—¦π—˜π—§βœ·π—–π—’π——π—˜_2025_PC!!#.7z

(PID) Process: (8068) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (8068) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (8068) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (8068) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (8068) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation: write
Name: name
Value: 256

(PID) Process: (8068) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation: write
Name: size
Value: 80

Executable files: 7
Suspicious files: 25
Text files: 77
Unknown types: 0

Dropped files

PID 7180, WinRAR.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa7180.19119\𝗗𝗒@π—ͺπ—‘π—Ÿπ—’π—”π——$_π—–π—’π— π—£π—Ÿπ—˜π—§π—˜ββ€–π—¦π—˜π—§βœ·π—–π—’π——π—˜_2025_PC!!#.7z
  Type: —
  MD5: —
  SHA256: —

PID 8068, WinRAR.exe
  Filename: C:\Users\admin\Desktop\𝗗𝗒@π—ͺπ—‘π—Ÿπ—’π—”π——$_π—–π—’π— π—£π—Ÿπ—˜π—§π—˜ββ€–π—¦π—˜π—§βœ·π—–π—’π——π—˜_2025_PC!!#\Data\addcslashes_002.phpt
  Type: text
  MD5: 0CF48D37F9D9AC302FF9468626D4ACB4
  SHA256: F5E029447B549E4859481F8AF3F04BF2C97C9E7548DC57D1E229876D8EAEDE9E

PID 8068, WinRAR.exe
  Filename: C:\Users\admin\Desktop\𝗗𝗒@π—ͺπ—‘π—Ÿπ—’π—”π——$_π—–π—’π— π—£π—Ÿπ—˜π—§π—˜ββ€–π—¦π—˜π—§βœ·π—–π—’π——π—˜_2025_PC!!#\Data\bignames.phpt
  Type: text
  MD5: 7620659D634FE165C97DC5B8CD6F46E5
  SHA256: 9B563ED06EF599EE99BC4D5B703B84FD01352F67B839D5903F8BDE9485395718

PID 8068, WinRAR.exe
  Filename: C:\Users\admin\Desktop\𝗗𝗒@π—ͺπ—‘π—Ÿπ—’π—”π——$_π—–π—’π— π—£π—Ÿπ—˜π—§π—˜ββ€–π—¦π—˜π—§βœ·π—–π—’π——π—˜_2025_PC!!#\Data\BadClass.inc
  Type: text
  MD5: B581C133432ED8B963F64C2AF358A96B
  SHA256: 3AF900F020083E3C17F3C8E07973CB3B2E635FE1B96BC2BD610319AB9753C511

PID 8068, WinRAR.exe
  Filename: C:\Users\admin\Desktop\𝗗𝗒@π—ͺπ—‘π—Ÿπ—’π—”π——$_π—–π—’π— π—£π—Ÿπ—˜π—§π—˜ββ€–π—¦π—˜π—§βœ·π—–π—’π——π—˜_2025_PC!!#\Data\bug53512.phpt
  Type: text
  MD5: 0667B2610819BD8FD5F3E1DF1EA99083
  SHA256: 7E3207301F088C1946D98F5C9AD7A1B6CE7C420A38AE5A502648E6512E9D9726

PID 8068, WinRAR.exe
  Filename: C:\Users\admin\Desktop\𝗗𝗒@π—ͺπ—‘π—Ÿπ—’π—”π——$_π—–π—’π— π—£π—Ÿπ—˜π—§π—˜ββ€–π—¦π—˜π—§βœ·π—–π—’π——π—˜_2025_PC!!#\Data\bug38474.phpt
  Type: text
  MD5: ADCE26453117A5C1FBFEE202AA229AB7
  SHA256: F007D56672FD54E71297B4309DF3E6068EF30232D4B92B579653E871BCEB5876

PID 8068, WinRAR.exe
  Filename: C:\Users\admin\Desktop\𝗗𝗒@π—ͺπ—‘π—Ÿπ—’π—”π——$_π—–π—’π— π—£π—Ÿπ—˜π—§π—˜ββ€–π—¦π—˜π—§βœ·π—–π—’π——π—˜_2025_PC!!#\Data\bug68591-conf-test-user.phpt
  Type: text
  MD5: 6A5950221DBB0FE7068C956A72A7945C
  SHA256: D3B824D31EEF8A194C63BE5DD77999FFCC69C0B010A95A0B0A196F9B9E94FF21

PID 8068, WinRAR.exe
  Filename: C:\Users\admin\Desktop\𝗗𝗒@π—ͺπ—‘π—Ÿπ—’π—”π——$_π—–π—’π— π—£π—Ÿπ—˜π—§π—˜ββ€–π—¦π—˜π—§βœ·π—–π—’π——π—˜_2025_PC!!#\Data\bug78272.phpt
  Type: text
  MD5: 85A6119615B287FFCFABD76EEA133FDD
  SHA256: 63F1C3D7F27B16CE48EA373D8CEBCD4865B141B0C65D358655629E645AEF44D1

PID 8068, WinRAR.exe
  Filename: C:\Users\admin\Desktop\𝗗𝗒@π—ͺπ—‘π—Ÿπ—’π—”π——$_π—–π—’π— π—£π—Ÿπ—˜π—§π—˜ββ€–π—¦π—˜π—§βœ·π—–π—’π——π—˜_2025_PC!!#\Data\bug64354_2.phpt
  Type: text
  MD5: 810E5B8422C73E5547A6DA1B36944734
  SHA256: 24304CC4298ED078F11761D283551D64CCBE0027C43C9F17795A06D924B441BF

PID 8068, WinRAR.exe
  Filename: C:\Users\admin\Desktop\𝗗𝗒@π—ͺπ—‘π—Ÿπ—’π—”π——$_π—–π—’π— π—£π—Ÿπ—˜π—§π—˜ββ€–π—¦π—˜π—§βœ·π—–π—’π——π—˜_2025_PC!!#\Data\dateformat_get_set_timezone_variant4.phpt
  Type: text
  MD5: FBB4C7302B6533008993FEF04DF32D70
  SHA256: AD15DEB09CB84F00ADF2279D9CE58ABE2BA6EE88B711CD78B0C4A44F9C10E167

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 22
DNS requests: 26
Threats: 16

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.191:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted
7900 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted
7900 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
— | — | 192.168.100.255:137 | — | — | — | whitelisted
4380 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.48.23.191:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | — | — | — | whitelisted
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
— | — | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 40.126.31.130:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 20.73.194.208 | whitelisted
google.com | 142.250.185.142 | whitelisted
crl.microsoft.com | 23.48.23.191, 23.48.23.183, 23.48.23.140, 23.48.23.189, 23.48.23.141, 23.48.23.142, 23.48.23.190, 23.48.23.133, 23.48.23.185 | whitelisted
client.wns.windows.com | 172.211.123.250 | whitelisted
login.live.com | 40.126.31.130, 40.126.31.71, 40.126.31.67, 40.126.31.128, 40.126.31.131, 20.190.159.4, 20.190.159.64, 40.126.31.69 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted
slscr.update.microsoft.com | 52.149.20.212 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
fe3cr.delivery.mp.microsoft.com | 52.165.164.15 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

PID | Process | Class | Message
— | — | A Network Trojan was detected | STEALER [ANY.RUN] Domain has been identified as part of Lumma Stealer's infrastructure (rhxhube .run)
— | — | A Network Trojan was detected | STEALER [ANY.RUN] Domain has been identified as part of Lumma Stealer's infrastructure (jrxsafer .top)
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
— | — | A Network Trojan was detected | STEALER [ANY.RUN] Domain has been identified as part of Lumma Stealer's infrastructure (krxspint .digital)
— | — | A Network Trojan was detected | STEALER [ANY.RUN] Domain has been identified as part of Lumma Stealer's infrastructure (advennture .top)
— | — | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (krxspint .digital)
— | — | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (jrxsafer .top)
— | — | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rhxhube .run)
— | — | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (advennture .top)
— | — | A Network Trojan was detected | STEALER [ANY.RUN] Domain has been identified as part of Lumma Stealer's infrastructure (grxeasyw .digital)
No debug info