File name:

SoftWare.exe

Full analysis: https://app.any.run/tasks/b69277df-c4b2-42a5-8275-e9433b698d83
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: June 05, 2025, 00:08:06
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
lumma
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 9 sections
MD5:

1C61AED84202A938E5EEFEAAACE16937

SHA1:

08FB1BBFD00C42593053786D8111D2D3686B923E

SHA256:

39ED1D8513E81C05783A95FE6016F823DCD2756FB74C182F3B0C5EC1ED84F35F

SSDEEP:

49152:Ick3gkxTL8XvA3LOEmTNslgTRiS97HnaoPDWTnlCeY8EuiiA0LFBQEVLKnr+l:O3gkxP8XvKmTNslgTAl9Yb5jLE1KnrG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2196)
      • MSBuild.exe (PID: 4180)

    • LUMMA mutex has been found

      • MSBuild.exe (PID: 4180)

    • Actions looks like stealing of personal data

      • MSBuild.exe (PID: 4180)

    • Connects to the CnC server

      • svchost.exe (PID: 2196)

    • Steals credentials from Web Browsers

      • MSBuild.exe (PID: 4180)

    • LUMMA has been detected (YARA)

      • MSBuild.exe (PID: 4180)

  • SUSPICIOUS

    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2196)
      • MSBuild.exe (PID: 4180)

    • There is functionality for taking screenshot (YARA)

      • MSBuild.exe (PID: 4180)

    • Searches for installed software

      • MSBuild.exe (PID: 4180)

  • INFO

    • Reads the machine GUID from the registry

      • MSBuild.exe (PID: 4180)

    • Reads the computer name

      • MSBuild.exe (PID: 4180)

    • Checks supported languages

      • SoftWare.exe (PID: 2104)
      • MSBuild.exe (PID: 4180)

    • Reads the software policy settings

      • MSBuild.exe (PID: 4180)
      • slui.exe (PID: 7888)

    • Checks proxy server information

      • slui.exe (PID: 7888)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Lumma

(PID) Process(4180) MSBuild.exe
C2 (9)narrathfpt.top/tekq
escczlv.top/bufi
witchdbhy.run/pzal
citellcagt.top/gjtu
korxddl.top/qidz
battlefled.top/gaoi
localixbiw.top/zlpa
diecam.top/laur
tinklertjp.bet/nzaf
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:03 18:47:55+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 770560
InitializedDataSize: 101888
UninitializedDataSize: -
EntryPoint: 0x9e238
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
124
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start software.exe no specs #LUMMA msbuild.exe conhost.exe no specs #LUMMA svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2104"C:\Users\admin\Desktop\SoftWare.exe" C:\Users\admin\Desktop\SoftWare.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
4294967295
Modules
Images
c:\users\admin\desktop\software.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
3268\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeSoftWare.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4180"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
SoftWare.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
Lumma
(PID) Process(4180) MSBuild.exe
C2 (9)narrathfpt.top/tekq
escczlv.top/bufi
witchdbhy.run/pzal
citellcagt.top/gjtu
korxddl.top/qidz
battlefled.top/gaoi
localixbiw.top/zlpa
diecam.top/laur
tinklertjp.bet/nzaf
7888C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
6 813
Read events
6 813
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
26
DNS requests
9
Threats
13

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7340
RUXIMICS.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
200
195.82.147.188:443
https://battlefled.top/gaoi
unknown
binary
32.7 Kb
7340
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
195.82.147.188:443
https://battlefled.top/gaoi
unknown
binary
67 b
POST
200
195.82.147.188:443
https://battlefled.top/gaoi
unknown
binary
67 b
POST
200
195.82.147.188:443
https://battlefled.top/gaoi
unknown
binary
67 b
POST
200
195.82.147.188:443
https://battlefled.top/gaoi
unknown
binary
67 b
POST
200
195.82.147.188:443
https://battlefled.top/gaoi
unknown
binary
67 b
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
200
195.82.147.188:443
https://battlefled.top/gaoi
unknown
binary
10.7 Kb
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
7340
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
7340
RUXIMICS.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
7340
RUXIMICS.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4180
MSBuild.exe
195.82.147.188:443
battlefled.top
Dreamtorrent Corp
RU
unknown
7256
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7888
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
battlefled.top
  • 195.82.147.188
unknown
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 20.189.173.12
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (battlefled .top)
4180
MSBuild.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (battlefled .top) in TLS SNI
4180
MSBuild.exe
Misc Attack
ET DROP Dshield Block Listed Source group 1
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
4180
MSBuild.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (battlefled .top) in TLS SNI
4180
MSBuild.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (battlefled .top) in TLS SNI
4180
MSBuild.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (battlefled .top) in TLS SNI
4180
MSBuild.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (battlefled .top) in TLS SNI
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SoftWare.exe