File name:	HMC.Hackus.Mail.Checker.2.3.exe
Full analysis:	https://app.any.run/tasks/bbd6cae8-cc26-476e-b601-3cc1286a414d
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	July 19, 2025, 09:14:32
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	lumma stealer miner winring0x64-sys vuln-driver xor-url upx generic xmrig
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 18 sections
MD5:	B334B90AF9FC435D044F834F0FFF5451
SHA1:	83D8ADF54C965171734540307675958AA8B7870C
SHA256:	88C78261FEA542CFB869617FB292BC0709204C8647119133F8900FE17BAF4C40
SSDEEP:	98304:VJggfFv8alBwUQSIdVKMDWfG6YqmXMmknFVd8lR0pJ9ahvEBLAPnDuIIYaS9SK0Y:D2jRX

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, No line numbers, Large address aware
PEType:	PE32+
LinkerVersion:	2.44
CodeSize:	120832
InitializedDataSize:	5473792
UninitializedDataSize:	3584
EntryPoint:	0x132b
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI


(PID) Process:	(2144) app_x32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
Operation:	write	Name:	DontOfferThroughWUAU
Value: 1
(PID) Process:	(2692) appcertui.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
Operation:	write	Name:	DontOfferThroughWUAU
Value: 1

PID	Process	Filename		Type
7084	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zo1wujkj.o4u.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3628	HMC.Hackus.Mail.Checker.2.3.exe	C:\ProgramData\app_x64.exe		executable
		MD5:E303DB63AEC0DA8D896AD65F558C29A5	SHA256:E32ED8EBC0416BAF56E4B055B8C1E67CB4734F3A51146E81EAFAEA5ED00298B8
4196	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lqzywarx.plr.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3628	HMC.Hackus.Mail.Checker.2.3.exe	C:\ProgramData\app_x32.exe		executable
		MD5:BAD1278DDD6619F99CCDDCF7BA01EF59	SHA256:C5C5E9F6FB91E12815B89ED49790D5B197E53BDAA5BAFF035E55D14E2AFD21DB
7084	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cxtbyhde.uyc.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4196	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mf3np0jv.n4p.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2692	appcertui.exe	C:\Windows\Temp\cxpwkkyepetj.sys		executable
		MD5:0C0195C48B6B8582FA6F6373032118DA	SHA256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
7084	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:15F6B3C6E8C47E4B01471E4A96DFE9D0	SHA256:7C49E6BA4A5D9E79D60869F5A2C68658F3D417C265EBEFD61816802379A20A3D
6236	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_4mk0c0jf.qtn.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6236	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_oqashvjq.k00.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.55.110.193:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.55.110.193:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7076	RUXIMICS.exe	GET	200	23.55.110.193:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7076	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.197.130.99:443	https://steamcommunity.com/profiles/76561199863199067	unknown	html	28.9 Kb	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	52.185.211.133:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
1268	svchost.exe	52.185.211.133:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7076	RUXIMICS.exe	52.185.211.133:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	23.55.110.193:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	23.55.110.193:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
7076	RUXIMICS.exe	23.55.110.193:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	52.185.211.133 40.127.240.158	whitelisted
google.com	172.217.16.206	whitelisted
crl.microsoft.com	23.55.110.193 23.55.110.211	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
mcaumnb.shop	—	malicious
prvqhm.shop	—	malicious
daruubs.top	—	malicious
cidtfhh.shop	—	malicious
annwt.xyz	—	malicious
ungryo.shop	—	malicious

PID	Process	Class	Message
2200	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prvqhm .shop)
2200	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mcaumnb .shop)
2200	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
2200	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rayrhs .top)
2200	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (greqjfu .xyz)
2200	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (annwt .xyz)
2200	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (daruubs .top)
2200	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cidtfhh .shop)
2200	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (annwt .xyz)
2200	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ungryo .shop)

General Info

HMC.Hackus.Mail.Checker.2.3.exe

B334B90AF9FC435D044F834F0FFF5451

83D8ADF54C965171734540307675958AA8B7870C

88C78261FEA542CFB869617FB292BC0709204C8647119133F8900FE17BAF4C40

98304:VJggfFv8alBwUQSIdVKMDWfG6YqmXMmknFVd8lR0pJ9ahvEBLAPnDuIIYaS9SK0Y:D2jRX

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Adds path to the Windows Defender exclusion list

Executing a file with an untrusted certificate

Changes Windows Defender settings

LUMMA has been detected (SURICATA)

Connects to the CnC server

Adds extension to the Windows Defender exclusion list

Uninstalls Malicious Software Removal Tool (MRT)

MINER has been detected (SURICATA)

XMRIG has been detected (YARA)

XORed URL has been found (YARA)

Vulnerable driver has been detected

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the date of Windows installation

Starts CMD.EXE for commands execution

Script adds exclusion path to Windows Defender

Starts POWERSHELL.EXE for commands execution

Executable content was dropped or overwritten

Contacting a server suspected of hosting an CnC

Manipulates environment variables

Windows service management via SC.EXE

Script adds exclusion extension to Windows Defender

Starts SC.EXE for service management

Process uninstalls Windows update

Creates a new Windows service

Stops a currently running service

Executes as Windows Service

Drops a system driver (possible attempt to evade defenses)

Crypto Currency Mining Activity Detected

INFO

Reads the computer name

Checks supported languages

The sample compiled with english language support

Creates files in the program directory

Reads the machine GUID from the registry

Script raised an exception (POWERSHELL)

Checks if a key exists in the options dictionary (POWERSHELL)

Process checks computer location settings

Reads the software policy settings

The sample compiled with japanese language support

Checks proxy server information

UPX packer has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules