File name:

1005e74c7676f8d0c11ac2e7c4a22c2e7b5e1311762f39cdd0ae09e546d08fa2

Full analysis: https://app.any.run/tasks/38c578bb-adde-4ed7-b340-1c9db08d375d
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: March 31, 2025, 00:20:04
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
rhadamanthys
stealer
lumma
shellcode
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

7DD6847130F33C6A14B7D9CF9705A144

SHA1:

BD51AA51059389F2A3D63B125F49BD61B1ADADEE

SHA256:

1005E74C7676F8D0C11AC2E7C4A22C2E7B5E1311762F39CDD0AE09E546D08FA2

SSDEEP:

49152:D5WWxYl94WS5iUsA4ynzibE74HZt8t/FyinIYAQihdgURYepan9u+eGSOMamdNxO:D5/s94f/741blt8tTnYM9pNBAdtoc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • RHADAMANTHYS mutex has been found

      • svchost.exe (PID: 6516)
      • AddInProcess32.exe (PID: 3900)

    • LUMMA has been detected (SURICATA)

      • AddInProcess32.exe (PID: 5244)
      • svchost.exe (PID: 2196)

    • Actions looks like stealing of personal data

      • AddInProcess32.exe (PID: 5244)

    • LUMMA mutex has been found

      • AddInProcess32.exe (PID: 5244)

    • Steals credentials from Web Browsers

      • AddInProcess32.exe (PID: 5244)

    • Connects to the CnC server

      • svchost.exe (PID: 2196)

    • RHADAMANTHYS has been detected (YARA)

      • svchost.exe (PID: 6516)

  • SUSPICIOUS

    • Application launched itself

      • AddInProcess32.exe (PID: 1532)

    • Executes application which crashes

      • AddInProcess32.exe (PID: 3900)

    • Contacting a server suspected of hosting an CnC

      • AddInProcess32.exe (PID: 5244)
      • svchost.exe (PID: 2196)

    • The process checks if it is being run in the virtual environment

      • svchost.exe (PID: 6516)

    • Connects to unusual port

      • svchost.exe (PID: 6516)

    • Searches for installed software

      • AddInProcess32.exe (PID: 5244)

  • INFO

    • The sample compiled with chinese language support

      • 1005e74c7676f8d0c11ac2e7c4a22c2e7b5e1311762f39cdd0ae09e546d08fa2.exe (PID: 6744)

    • Checks supported languages

      • 1005e74c7676f8d0c11ac2e7c4a22c2e7b5e1311762f39cdd0ae09e546d08fa2.exe (PID: 6744)
      • AddInProcess32.exe (PID: 1532)
      • AddInProcess32.exe (PID: 3900)
      • AddInProcess32.exe (PID: 5244)

    • Reads the machine GUID from the registry

      • 1005e74c7676f8d0c11ac2e7c4a22c2e7b5e1311762f39cdd0ae09e546d08fa2.exe (PID: 6744)
      • AddInProcess32.exe (PID: 1532)
      • AddInProcess32.exe (PID: 5244)

    • Reads the computer name

      • 1005e74c7676f8d0c11ac2e7c4a22c2e7b5e1311762f39cdd0ae09e546d08fa2.exe (PID: 6744)
      • AddInProcess32.exe (PID: 1532)
      • AddInProcess32.exe (PID: 5244)

    • Manual execution by a user

      • svchost.exe (PID: 6516)

    • Reads the software policy settings

      • AddInProcess32.exe (PID: 5244)
      • slui.exe (PID: 6132)

    • Checks proxy server information

      • slui.exe (PID: 6132)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (55.8)
.exe | Win64 Executable (generic) (21)
.scr | Windows screen saver (9.9)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:03:28 19:53:58+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 80
CodeSize: 1843712
InitializedDataSize: 9728
UninitializedDataSize: -
EntryPoint: 0x1c417e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 8.3.5.0
ProductVersionNumber: 8.3.5.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
CompanyName: toolgeeker Tech Development Co., Ltd
FileDescription: FileRescuer
FileVersion: 8, 3, 5, 0
InternalName: Data Recovery
LegalCopyright: Copyright (c)toolgeeker.ALL RIGHTS RESERVED.
OriginalFileName: FileRescuer
ProductName: FileRescuer
ProductVersion: 8, 3, 5, 0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
135
Monitored processes
11
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 1005e74c7676f8d0c11ac2e7c4a22c2e7b5e1311762f39cdd0ae09e546d08fa2.exe no specs addinprocess32.exe no specs addinprocess32.exe no specs addinprocess32.exe no specs #RHADAMANTHYS addinprocess32.exe addinprocess32.exe no specs #LUMMA addinprocess32.exe slui.exe #RHADAMANTHYS svchost.exe werfault.exe no specs #LUMMA svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
1328C:\WINDOWS\SysWOW64\WerFault.exe -u -p 3900 -s 576C:\Windows\SysWOW64\WerFault.exeAddInProcess32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
1532"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe1005e74c7676f8d0c11ac2e7c4a22c2e7b5e1311762f39cdd0ae09e546d08fa2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2564"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeAddInProcess32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Exit code:
4294967295
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
3900"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
1005e74c7676f8d0c11ac2e7c4a22c2e7b5e1311762f39cdd0ae09e546d08fa2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Exit code:
3221225477
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
5244"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
AddInProcess32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
6132C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6436"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe1005e74c7676f8d0c11ac2e7c4a22c2e7b5e1311762f39cdd0ae09e546d08fa2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Exit code:
4294967295
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
6516"C:\Windows\System32\svchost.exe"C:\Windows\SysWOW64\svchost.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\sechost.dll
6744"C:\Users\admin\Desktop\1005e74c7676f8d0c11ac2e7c4a22c2e7b5e1311762f39cdd0ae09e546d08fa2.exe" C:\Users\admin\Desktop\1005e74c7676f8d0c11ac2e7c4a22c2e7b5e1311762f39cdd0ae09e546d08fa2.exeexplorer.exe
User:
admin
Company:
toolgeeker Tech Development Co., Ltd
Integrity Level:
MEDIUM
Description:
FileRescuer
Exit code:
0
Version:
8, 3, 5, 0
Modules
Images
c:\users\admin\desktop\1005e74c7676f8d0c11ac2e7c4a22c2e7b5e1311762f39cdd0ae09e546d08fa2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events
8 830
Read events
8 829
Write events
1
Delete events
0

Modification events

(PID) Process:(3900) AddInProcess32.exeKey:HKEY_CURRENT_USER\SOFTWARE\SibCode
Operation:writeName:sn3
Value:
936BFAED87C7763E2B925C42D0D43916FF6D51F82A5BCCB177607E10F7B3EED63BEF36B60AA81018BF3666EBDCC8D71B8A6ED6FC54017A529C1C8D6D25BDD1B7
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
31
DNS requests
11
Threats
14

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
200
188.114.96.3:443
https://advennture.top/GKsiio
unknown
binary
68 b
malicious
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
200
188.114.96.3:443
https://advennture.top/GKsiio
unknown
binary
33.3 Kb
malicious
POST
200
188.114.96.3:443
https://advennture.top/GKsiio
unknown
binary
68 b
malicious
POST
200
188.114.96.3:443
https://advennture.top/GKsiio
unknown
binary
68 b
malicious
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
200
188.114.97.3:443
https://advennture.top/GKsiio
unknown
pic
68 b
malicious
POST
200
188.114.97.3:443
https://advennture.top/GKsiio
unknown
binary
68 b
malicious
POST
200
188.114.97.3:443
https://advennture.top/GKsiio
unknown
binary
43 b
malicious
6652
RUXIMICS.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
6652
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
6652
RUXIMICS.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3896
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5244
AddInProcess32.exe
188.114.97.3:443
advennture.top
CLOUDFLARENET
NL
malicious
6516
svchost.exe
176.65.144.168:5657
DE
malicious
6132
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted
castmaxw.run
malicious
oreheatq.live
malicious
weldorae.digital
unknown
steelixr.live
malicious
advennture.top
  • 188.114.97.3
  • 188.114.96.3
malicious

Threats

PID
Process
Class
Message
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (castmaxw .run)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (oreheatq .live)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (weldorae .digital)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (oreheatq .live)
2196
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (advennture .top)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (steelixr .live)
5244
AddInProcess32.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (advennture .top in TLS SNI)
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
5244
AddInProcess32.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (advennture .top in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
1005e74c7676f8d0c11ac2e7c4a22c2e7b5e1311762f39cdd0ae09e546d08fa2