URL:

https://rostirollaconsultoria.com.br/desktop/

Full analysis: https://app.any.run/tasks/8633d231-91db-4e3d-bc4a-329744c36d11
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: April 25, 2025, 11:15:07
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
autoit
lumma
stealer
autoit-loader
Indicators:
MD5:

9A7C1EC7446B5DC81198C4CC078E30B6

SHA1:

62F7C1DC8A3F271197DF23D5670EF5537A3E5B69

SHA256:

0B88D8C44D1924C5AFF542FA005D627464281E33DD1283B76B218D24528520CB

SSDEEP:

3:N8PLEGMfMGKIuZVKn:2Pw6GKIOK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • TradingView Premium Desktop.exe (PID: 3620)
      • TradingView Premium Desktop.exe (PID: 3132)
      • TradingView Premium Desktop.exe (PID: 8648)

    • AutoIt loader has been detected (YARA)

      • Vacations.com (PID: 8504)
      • Vacations.com (PID: 5972)

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2196)
      • Vacations.com (PID: 8504)
      • Vacations.com (PID: 5972)
      • Vacations.com (PID: 8836)

    • Connects to the CnC server

      • svchost.exe (PID: 2196)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 8724)

    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 8724)

    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 8724)

    • Application launched itself

      • cmd.exe (PID: 4300)
      • cmd.exe (PID: 9168)
      • cmd.exe (PID: 4276)

    • Executing commands from a ".bat" file

      • TradingView Premium Desktop.exe (PID: 3620)
      • TradingView Premium Desktop.exe (PID: 3132)
      • TradingView Premium Desktop.exe (PID: 8648)

    • Starts CMD.EXE for commands execution

      • TradingView Premium Desktop.exe (PID: 3620)
      • cmd.exe (PID: 4300)
      • TradingView Premium Desktop.exe (PID: 3132)
      • cmd.exe (PID: 9168)
      • TradingView Premium Desktop.exe (PID: 8648)
      • cmd.exe (PID: 4276)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 4300)
      • cmd.exe (PID: 9168)
      • cmd.exe (PID: 4276)

    • Get information on the list of running processes

      • cmd.exe (PID: 4300)
      • cmd.exe (PID: 9168)
      • cmd.exe (PID: 4276)

    • The executable file from the user directory is run by the CMD process

      • Vacations.com (PID: 8504)
      • Vacations.com (PID: 5972)
      • Vacations.com (PID: 8836)

    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 4300)
      • cmd.exe (PID: 9168)
      • cmd.exe (PID: 4276)

    • Starts application with an unusual extension

      • cmd.exe (PID: 4300)
      • cmd.exe (PID: 9168)
      • cmd.exe (PID: 4276)

    • Contacting a server suspected of hosting an CnC

      • Vacations.com (PID: 8504)
      • svchost.exe (PID: 2196)
      • Vacations.com (PID: 5972)
      • Vacations.com (PID: 8836)

    • There is functionality for taking screenshot (YARA)

      • Vacations.com (PID: 5972)
      • Vacations.com (PID: 8504)
      • Vacations.com (PID: 8836)

  • INFO

    • Checks supported languages

      • identity_helper.exe (PID: 8356)

    • Reads Environment values

      • identity_helper.exe (PID: 8356)

    • Application launched itself

      • msedge.exe (PID: 5304)

    • Reads the computer name

      • identity_helper.exe (PID: 8356)

    • Manual execution by a user

      • WinRAR.exe (PID: 8632)
      • WinRAR.exe (PID: 8724)
      • TradingView Premium Desktop.exe (PID: 3620)
      • TradingView Premium Desktop.exe (PID: 3132)
      • TradingView Premium Desktop.exe (PID: 8648)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 8724)
      • msedge.exe (PID: 5124)

    • The sample compiled with english language support

      • WinRAR.exe (PID: 8724)
      • msedge.exe (PID: 5124)

    • Reads the software policy settings

      • slui.exe (PID: 8260)

    • The sample compiled with arabic language support

      • WinRAR.exe (PID: 8724)

    • The sample compiled with bulgarian language support

      • WinRAR.exe (PID: 8724)

    • The sample compiled with russian language support

      • WinRAR.exe (PID: 8724)

    • The sample compiled with czech language support

      • WinRAR.exe (PID: 8724)

    • The sample compiled with german language support

      • WinRAR.exe (PID: 8724)

    • The sample compiled with Italian language support

      • WinRAR.exe (PID: 8724)

    • The sample compiled with spanish language support

      • WinRAR.exe (PID: 8724)

    • The sample compiled with french language support

      • WinRAR.exe (PID: 8724)

    • The sample compiled with japanese language support

      • WinRAR.exe (PID: 8724)

    • The sample compiled with korean language support

      • WinRAR.exe (PID: 8724)

    • The sample compiled with polish language support

      • WinRAR.exe (PID: 8724)

    • The sample compiled with slovak language support

      • WinRAR.exe (PID: 8724)

    • The sample compiled with swedish language support

      • WinRAR.exe (PID: 8724)

    • The sample compiled with turkish language support

      • WinRAR.exe (PID: 8724)

    • Creates a new folder

      • cmd.exe (PID: 8208)
      • cmd.exe (PID: 8180)
      • cmd.exe (PID: 8240)

    • The sample compiled with portuguese language support

      • WinRAR.exe (PID: 8724)

    • The sample compiled with chinese language support

      • WinRAR.exe (PID: 8724)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
244
Monitored processes
103
Malicious processes
11
Suspicious processes
0

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs sppextcomobj.exe no specs slui.exe identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe no specs winrar.exe no specs winrar.exe msedge.exe no specs msedge.exe no specs slui.exe filecoauth.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs sechealthui.exe no specs securityhealthhost.exe no specs securityhealthhost.exe no specs securityhealthhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs tradingview premium desktop.exe no specs cmd.exe no specs conhost.exe no specs msedge.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs extrac32.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs #LUMMA vacations.com choice.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs tradingview premium desktop.exe cmd.exe no specs conhost.exe no specs #LUMMA svchost.exe tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs extrac32.exe no specs cmd.exe no specs cmd.exe no specs #LUMMA vacations.com choice.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs tradingview premium desktop.exe cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs extrac32.exe no specs cmd.exe no specs cmd.exe no specs #LUMMA vacations.com choice.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
456findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn" C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
496"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1580 --field-trial-handle=2572,i,14220808919663996426,17616851898488248143,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
540cmd /c copy /b 692409\Vacations.com + Phentermine + Supporting + Programme + Landing + Informed + Yukon + Sheriff + Nl + Aggregate 692409\Vacations.comC:\Windows\SysWOW64\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
872"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=1320 --field-trial-handle=2572,i,14220808919663996426,17616851898488248143,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
904cmd /c copy /b 692409\Vacations.com + Phentermine + Supporting + Programme + Landing + Informed + Yukon + Sheriff + Nl + Aggregate 692409\Vacations.comC:\Windows\SysWOW64\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1912C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2244"C:\WINDOWS\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mcaC:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Defender application
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\microsoft.windows.sechealthui_cw5n1h2txyewy\sechealthui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\wincorlib.dll
2896tasklist C:\Windows\SysWOW64\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
2984"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2736 --field-trial-handle=2572,i,14220808919663996426,17616851898488248143,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
11 988
Read events
11 964
Write events
24
Delete events
0

Modification events

(PID) Process:(5304) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(5304) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(5304) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(5304) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(5304) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
39182ABB2E922F00
(PID) Process:(5304) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
5D3A34BB2E922F00
(PID) Process:(5304) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\262796
Operation:writeName:WindowTabManagerFileMappingId
Value:
{2C3D9F30-639C-43FD-AC72-02A7DE12F852}
(PID) Process:(5304) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\262796
Operation:writeName:WindowTabManagerFileMappingId
Value:
{9123F2E7-0B25-49BF-94AB-2B8F724BB131}
(PID) Process:(5304) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\262796
Operation:writeName:WindowTabManagerFileMappingId
Value:
{75DA1567-6C41-4175-B3B2-25A69B8617B9}
(PID) Process:(5304) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
3D5964BB2E922F00
Executable files
969
Suspicious files
1 366
Text files
659
Unknown types
1

Dropped files

PID
Process
Filename
Type
5304msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF10b383.TMP
MD5:
SHA256:
5304msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
5304msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF10b3b2.TMP
MD5:
SHA256:
5304msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
5304msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF10b3b2.TMP
MD5:
SHA256:
5304msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
5304msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF10b3b2.TMP
MD5:
SHA256:
5304msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
5304msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF10b3b2.TMP
MD5:
SHA256:
5304msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
55
TCP/UDP connections
92
DNS requests
107
Threats
42

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.32.238.107:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
9204
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
9204
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
8516
svchost.exe
HEAD
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a575cead-e662-4f4d-b0c3-81f1438d0388?P1=1746052098&P2=404&P3=2&P4=CyN3K93Ix8oQvLgTrL3nZXyR9T5qe4XMIZRD%2bOv3vuNzYEkyRws1dOelPGKNQNQ7dXfM%2fN3BCxweC5LbvnJI5w%3d%3d
unknown
whitelisted
8516
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a575cead-e662-4f4d-b0c3-81f1438d0388?P1=1746052098&P2=404&P3=2&P4=CyN3K93Ix8oQvLgTrL3nZXyR9T5qe4XMIZRD%2bOv3vuNzYEkyRws1dOelPGKNQNQ7dXfM%2fN3BCxweC5LbvnJI5w%3d%3d
unknown
whitelisted
8516
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a575cead-e662-4f4d-b0c3-81f1438d0388?P1=1746052098&P2=404&P3=2&P4=CyN3K93Ix8oQvLgTrL3nZXyR9T5qe4XMIZRD%2bOv3vuNzYEkyRws1dOelPGKNQNQ7dXfM%2fN3BCxweC5LbvnJI5w%3d%3d
unknown
whitelisted
8516
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a575cead-e662-4f4d-b0c3-81f1438d0388?P1=1746052098&P2=404&P3=2&P4=CyN3K93Ix8oQvLgTrL3nZXyR9T5qe4XMIZRD%2bOv3vuNzYEkyRws1dOelPGKNQNQ7dXfM%2fN3BCxweC5LbvnJI5w%3d%3d
unknown
whitelisted
8516
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a575cead-e662-4f4d-b0c3-81f1438d0388?P1=1746052098&P2=404&P3=2&P4=CyN3K93Ix8oQvLgTrL3nZXyR9T5qe4XMIZRD%2bOv3vuNzYEkyRws1dOelPGKNQNQ7dXfM%2fN3BCxweC5LbvnJI5w%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
23.32.238.107:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7384
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5304
msedge.exe
239.255.255.250:1900
whitelisted
7384
msedge.exe
150.171.27.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7384
msedge.exe
13.107.6.158:443
business.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 23.32.238.107
  • 23.32.238.112
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
rostirollaconsultoria.com.br
  • 108.179.193.144
unknown
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
  • 150.171.30.11
  • 150.171.29.11
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
bzib.nelreports.net
  • 23.53.40.8
  • 23.53.40.56
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (quilltayle .live)
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (piratetwrath .run)
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nighetwhisper .top)
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (starofliught .top)
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (salaccgfa .top)
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (liftally .top)
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zestmodp .top)
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (changeaie .top)
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wolverineas .top)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://rostirollaconsultoria.com.br/desktop/