File name:

546d4.exe

Full analysis: https://app.any.run/tasks/73f4b3b0-3ab6-4f76-9ed5-169bfa85a6b4
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: April 29, 2025, 11:12:43
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
lumma
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 11 sections
MD5:

176AA20EDF16BEB3189815E7A997582D

SHA1:

695E5A871803159C7A51947A6B315103C69DD66D

SHA256:

958D2D450BBA5B04CEF276D0742DD94616795AAF9EC4639289EAA475AB9A3398

SSDEEP:

24576:T7LgOeDhyz5ifJkMEHQlLzMA/A1dl2CzH:T7LgOeFydifrEHQlLzMwA1dl2Cz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • LUMMA has been detected (YARA)

      • rundll32.exe (PID: 6028)

    • Actions looks like stealing of personal data

      • rundll32.exe (PID: 6028)

    • Steals credentials from Web Browsers

      • rundll32.exe (PID: 6028)

    • LUMMA mutex has been found

      • rundll32.exe (PID: 6028)

  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • rundll32.exe (PID: 6028)

    • Searches for installed software

      • rundll32.exe (PID: 6028)

  • INFO

    • Checks supported languages

      • 546d4.exe (PID: 4776)

    • The sample compiled with english language support

      • 546d4.exe (PID: 4776)

    • Reads the software policy settings

      • rundll32.exe (PID: 6028)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Lumma

(PID) Process(6028) rundll32.exe
C2 (9)woodpeckersd.run/glsk
parakehjet.run/kewk
buzzarddf.live/ktnt
bearjk.live/benj
unicoriun.live/reoqi
biosphxere.digital/tqoa
fishgh.digital/tequ
geographys.run/eirq
tropiscbs.live/iuwxx
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (49.6)
.exe | DOS Executable Generic (49.5)
.vxd | VXD Driver (0.7)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:27 12:13:44+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 8
CodeSize: 311296
InitializedDataSize: 24576
UninitializedDataSize: -
EntryPoint: 0x1270
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileDescription: 546d4
FileVersion: 1.0.0.0
ProgramID: com.embarcadero.546d4
ProductName: 546d4
ProductVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 546d4.exe no specs #LUMMA rundll32.exe sppextcomobj.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2088"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4776"C:\Users\admin\AppData\Local\Temp\546d4.exe" C:\Users\admin\AppData\Local\Temp\546d4.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
546d4
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\546d4.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
6028"C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe
546d4.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Lumma
(PID) Process(6028) rundll32.exe
C2 (9)woodpeckersd.run/glsk
parakehjet.run/kewk
buzzarddf.live/ktnt
bearjk.live/benj
unicoriun.live/reoqi
biosphxere.digital/tqoa
fishgh.digital/tequ
geographys.run/eirq
tropiscbs.live/iuwxx
6244C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
Total events
3 614
Read events
3 614
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
36
TCP/UDP connections
50
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
304
20.109.210.53:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
20.109.210.53:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
POST
200
104.21.48.1:443
https://unicoriun.live/reoqi
unknown
binary
70 b
unknown
POST
400
40.126.32.76:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
200
20.190.160.128:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
400
20.190.160.130:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
200
104.21.112.1:443
https://unicoriun.live/reoqi
unknown
binary
70 b
unknown
5304
SIHClient.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
200
104.21.16.1:443
https://unicoriun.live/reoqi
unknown
binary
32.7 Kb
unknown
POST
200
104.21.32.1:443
https://unicoriun.live/reoqi
unknown
binary
70 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6028
rundll32.exe
104.21.80.1:443
unicoriun.live
CLOUDFLARENET
unknown
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.73:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2112
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5304
SIHClient.exe
20.109.210.53:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
  • 20.73.194.208
whitelisted
unicoriun.live
  • 104.21.80.1
  • 104.21.64.1
  • 104.21.16.1
  • 104.21.48.1
  • 104.21.32.1
  • 104.21.96.1
  • 104.21.112.1
unknown
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.31.73
  • 20.190.159.129
  • 20.190.159.75
  • 20.190.159.71
  • 40.126.31.3
  • 40.126.31.129
  • 40.126.31.67
  • 20.190.159.23
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
546d4.exe