File name: QuantumHacksv2.exe

Full analysis: https://app.any.run/tasks/9a97c048-911f-4d30-8fa3-cc5b0cfc47cd
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Analysis date: April 29, 2025, 01:59:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
stealer
lumma
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

AC2040D78A083A189723E1392A3428EE

SHA1:

AA8FE9D0108323673F8BA5D6043B3FA324A264CB

SHA256:

C1D24472DC3C469D7DBDA5CB07D46D22307C8D4F1118E498524E579F15EA9C35

SSDEEP:

98304:CbnKllghKmvuBPLIp0/o5Wt8COrAJEYk4ytWxuvQQWfgMnIhg4d25/aRh8WbsmvD:iPLXgQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • LUMMA has been detected (YARA)

      • calc.exe (PID: 960)
      • calc.exe (PID: 616)
    • LUMMA mutex has been found

      • calc.exe (PID: 960)
      • calc.exe (PID: 616)
    • Actions look like stealing of personal data

      • calc.exe (PID: 616)
      • calc.exe (PID: 960)
  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • QuantumHacksv2.exe (PID: 2088)
    • Executable content was dropped or overwritten

      • QuantumHacksv2.exe (PID: 2088)
      • 7z.exe (PID: 4008)
      • cmd.exe (PID: 6540)
    • Reads security settings of Internet Explorer

      • QuantumHacksv2.exe (PID: 2088)
      • WinRAR.exe (PID: 1616)
    • Starts CMD.EXE for command execution

      • QuantumHacksv2.exe (PID: 2088)
    • Executing commands from a ".bat" file

      • QuantumHacksv2.exe (PID: 2088)
    • The executable file from the user directory is run by the CMD process

      • 7z.exe (PID: 5868)
      • 7z.exe (PID: 1056)
      • 7z.exe (PID: 2136)
      • svchost64.exe (PID: 5176)
      • 7z.exe (PID: 4008)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 6540)
    • There is functionality for taking screenshot (YARA)

      • QuantumHacksv2.exe (PID: 2088)
      • calc.exe (PID: 960)
      • calc.exe (PID: 616)
    • Searches for installed software

      • calc.exe (PID: 616)
      • calc.exe (PID: 960)
  • INFO

    • Checks supported languages

      • QuantumHacksv2.exe (PID: 2088)
      • mode.com (PID: 4892)
      • 7z.exe (PID: 5868)
      • 7z.exe (PID: 1056)
      • 7z.exe (PID: 2136)
      • 7z.exe (PID: 4008)
      • svchost64.exe (PID: 5176)
      • svchost64.exe (PID: 3768)
    • The sample is compiled with English language support

      • QuantumHacksv2.exe (PID: 2088)
    • Creates files in a temporary directory

      • QuantumHacksv2.exe (PID: 2088)
      • 7z.exe (PID: 5868)
      • 7z.exe (PID: 1056)
      • 7z.exe (PID: 2136)
      • 7z.exe (PID: 4008)
    • Reads the computer name

      • QuantumHacksv2.exe (PID: 2088)
      • 7z.exe (PID: 5868)
      • 7z.exe (PID: 1056)
      • 7z.exe (PID: 2136)
      • 7z.exe (PID: 4008)
    • Process checks computer location settings

      • QuantumHacksv2.exe (PID: 2088)
    • Starts MODE.COM to configure console settings

      • mode.com (PID: 4892)
    • Reads the software policy settings

      • calc.exe (PID: 960)
      • calc.exe (PID: 616)
      • slui.exe (PID: 4188)
    • Manual execution by a user

      • svchost64.exe (PID: 3768)
      • WinRAR.exe (PID: 4688)
      • OpenWith.exe (PID: 2692)
      • WinRAR.exe (PID: 1616)
    • Checks proxy server information

      • slui.exe (PID: 4188)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 2692)

Lumma

(PID) Process: (960) calc.exe
C2 (9):
mobitront.run/dsiu
parakehjet.run/kewk
buzzarddf.live/ktnt
zenithcorde.top/auid
bearjk.live/benj
techguidet.digital/apdo
techsyncq.run/riid
btcgeared.live/lbak
fishgh.digital/tequ
(PID) Process: (616) calc.exe
C2 (9): identical to the nine C2 entries listed for PID 960 above
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:05:28 09:05:18+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 102400
InitializedDataSize: 38400
UninitializedDataSize: -
EntryPoint: 0x1945f
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.67.1.0
ProductVersionNumber: 3.67.1.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: FileZilla Project
LegalCopyright: Copyright (C) 2006-2024
OriginalFileName: filezilla.exe
Comments: Version 3.67.1
FileVersion: 3.67.1.0
ProductName: FileZilla
ProductVersion: 3.67.1.0
InternalName: FileZilla 3
FileDescription: FileZilla FTP Client
Created: 7z SFX Constructor v4.6.0.0 (http://usbtor.ru/viewtopic.php?t=798)
Builder: ahileeeeeess 00:40:20 29/04/2025
No data.
Total processes: 137
Monitored processes: 18
Malicious processes: 6
Suspicious processes: 0

Behavior graph

start quantumhacksv2.exe cmd.exe conhost.exe no specs mode.com no specs 7z.exe no specs 7z.exe no specs 7z.exe no specs 7z.exe attrib.exe no specs svchost64.exe no specs #LUMMA calc.exe svchost64.exe no specs #LUMMA calc.exe winrar.exe no specs winrar.exe no specs openwith.exe no specs svchost.exe slui.exe

Process information

PID | CMD | Path | Indicators | Parent process
PID: 616 | CMD: "C:\windows\syswow64\calc.exe" | Path: C:\Windows\SysWOW64\calc.exe | Parent process: svchost64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Calculator
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\calc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
Lumma
(PID) Process: (616) calc.exe
C2 (9): identical to the nine C2 entries in the Lumma section above
PID: 960 | CMD: "C:\windows\syswow64\calc.exe" | Path: C:\Windows\SysWOW64\calc.exe | Parent process: svchost64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Calculator
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\calc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
Lumma
(PID) Process: (960) calc.exe
C2 (9): identical to the nine C2 entries in the Lumma section above
PID: 1056 | CMD: 7z.exe e extracted/file_3.zip -oextracted | Path: C:\Users\admin\AppData\Local\Temp\main\7z.exe | Parent process: cmd.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip Console
Exit code:
0
Version:
19.00
Modules
Images
c:\users\admin\appdata\local\temp\main\7z.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1616 | CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\file_2.zip | Path: C:\Program Files\WinRAR\WinRAR.exe | Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2088 | CMD: "C:\Users\admin\Desktop\QuantumHacksv2.exe" | Path: C:\Users\admin\Desktop\QuantumHacksv2.exe | Parent process: explorer.exe
User:
admin
Company:
FileZilla Project
Integrity Level:
MEDIUM
Description:
FileZilla FTP Client
Version:
3.67.1.0
Modules
Images
c:\users\admin\desktop\quantumhacksv2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID: 2136 | CMD: 7z.exe e extracted/file_2.zip -oextracted | Path: C:\Users\admin\AppData\Local\Temp\main\7z.exe | Parent process: cmd.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip Console
Exit code:
0
Version:
19.00
Modules
Images
c:\users\admin\appdata\local\temp\main\7z.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2196 | CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | Path: C:\Windows\System32\svchost.exe | Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2692 | CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\AntiAV.data | Path: C:\Windows\System32\OpenWith.exe | Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 3768 | CMD: "C:\Users\admin\Desktop\svchost64.exe" | Path: C:\Users\admin\Desktop\svchost64.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\svchost64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 4008 | CMD: 7z.exe e extracted/file_1.zip -oextracted | Path: C:\Users\admin\AppData\Local\Temp\main\7z.exe | Parent process: cmd.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip Console
Exit code:
0
Version:
19.00
Modules
Images
c:\users\admin\appdata\local\temp\main\7z.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 14 189
Read events: 14 164
Write events: 25
Delete events: 0

Modification events

(PID) Process: (4688) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (4688) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (4688) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (4688) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\file_1.zip

(PID) Process: (4688) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (4688) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (4688) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (4688) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (1616) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (1616) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
Executable files: 4
Suspicious files: 6
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2088 | QuantumHacksv2.exe | C:\Users\admin\AppData\Local\Temp\main\file.bin | compressed
MD5:94E17ACF936E453C0CFE3B76420D7FCF
SHA256:6D501C1F888870561B450B6CEAC0ADF18050F52D012CEA1C4FE036916BACE9E3
2088 | QuantumHacksv2.exe | C:\Users\admin\AppData\Local\Temp\main\main.bat | text
MD5:AD15EC748259F4BD9686ABBBA5B29307
SHA256:D73A30F6C07753907FAF9FC135DADA507A8EDEA93351421EA6D10FDC9ACDE035
2088 | QuantumHacksv2.exe | C:\Users\admin\AppData\Local\Temp\main\KillDuplicate.cmd | text
MD5:68CECDF24AA2FD011ECE466F00EF8450
SHA256:64929489DC8A0D66EA95113D4E676368EDB576EA85D23564D53346B21C202770
6540 | cmd.exe | C:\Users\admin\AppData\Local\Temp\main\file.bin | compressed
MD5:94E17ACF936E453C0CFE3B76420D7FCF
SHA256:6D501C1F888870561B450B6CEAC0ADF18050F52D012CEA1C4FE036916BACE9E3
4008 | 7z.exe | C:\Users\admin\AppData\Local\Temp\main\extracted\svchost64.exe | executable
MD5:5E36978CE37CD85EE2DCFF0E330685EC
SHA256:7E5DD8554E22DCB9FEC7ACA7AAA6B5A61DC8B2A8C1E66B6A95CE99FC723F1CE1
1056 | 7z.exe | C:\Users\admin\AppData\Local\Temp\main\extracted\file_2.zip | compressed
MD5:0392499ABBA75FBAC3866FFC3F6C24DE
SHA256:8E219E0181948DA5FA12DB426264C404C440124D55B3B2F93D6176B8EEBE3602
2136 | 7z.exe | C:\Users\admin\AppData\Local\Temp\main\extracted\file_1.zip | compressed
MD5:CEA188BAA09A3AAEBD7A921F6632AD80
SHA256:74020A85EA3B0721960F02D64C1AF5C0BA4F3A8F00E2A8A04073C660D58994D0
6540 | cmd.exe | C:\Users\admin\AppData\Local\Temp\main\svchost64.exe | executable
MD5:5E36978CE37CD85EE2DCFF0E330685EC
SHA256:7E5DD8554E22DCB9FEC7ACA7AAA6B5A61DC8B2A8C1E66B6A95CE99FC723F1CE1
6540 | cmd.exe | C:\Users\admin\AppData\Local\Temp\main\file.zip | compressed
MD5:94E17ACF936E453C0CFE3B76420D7FCF
SHA256:6D501C1F888870561B450B6CEAC0ADF18050F52D012CEA1C4FE036916BACE9E3
2088 | QuantumHacksv2.exe | C:\Users\admin\AppData\Local\Temp\main\7z.dll | executable
MD5:72491C7B87A7C2DD350B727444F13BB4
SHA256:34AD9BB80FE8BF28171E671228EB5B64A55CAA388C31CB8C0DF77C0136735891
HTTP(S) requests: 18
TCP/UDP connections: 36
DNS requests: 6
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
POST | 522 | 188.114.96.3:443 | https://mobitront.run/dsiu | unknown | malicious
POST | 522 | 188.114.97.3:443 | https://mobitront.run/dsiu | unknown | malicious
POST | 200 | 104.21.51.232:443 | https://zenithcorde.top/auid | unknown | binary | 32.7 Kb
POST | 200 | 104.21.51.232:443 | https://zenithcorde.top/auid | unknown | binary | 69 b
POST | 200 | 172.67.190.162:443 | https://zenithcorde.top/auid | unknown | binary | 69 b
POST | 200 | 104.21.51.232:443 | https://zenithcorde.top/auid | unknown | binary | 69 b
POST | 200 | 172.67.190.162:443 | https://zenithcorde.top/auid | unknown | binary | 69 b
POST | 200 | 104.21.51.232:443 | https://zenithcorde.top/auid | unknown | binary | 10.7 Kb
POST | 200 | 172.67.190.162:443 | https://zenithcorde.top/auid | unknown | binary | 69 b
POST | 200 | 104.21.51.232:443 | https://zenithcorde.top/auid | unknown | binary | 69 b

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
960 | calc.exe | 188.114.97.3:443 | mobitront.run | CLOUDFLARENET | NL | malicious
616 | calc.exe | 188.114.97.3:443 | mobitront.run | CLOUDFLARENET | NL | malicious
960 | calc.exe | 104.21.51.232:443 | zenithcorde.top | CLOUDFLARENET | unknown
616 | calc.exe | 104.21.51.232:443 | zenithcorde.top | CLOUDFLARENET | unknown
5332 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4188 | slui.exe | 13.77.207.86:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
google.com | 142.250.184.238 | whitelisted
mobitront.run | 188.114.97.3, 188.114.96.3 | malicious
zenithcorde.top | 104.21.51.232, 172.67.190.162 | unknown
activation-v2.sls.microsoft.com | 20.83.72.98, 13.77.207.86 | whitelisted

Threats

PID | Process | Class | Message
Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
No debug info