File name: 259d125d_.exe

Full analysis: https://app.any.run/tasks/e090066b-a12e-460a-92ad-cb0c65a426d3
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Analysis date: July 25, 2025, 16:15:32
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
lumma
stealer
autoit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 13E6E0EF2BBE96D886D6A68556F074A5
SHA1: 2937511F697F3C2CE211EF2BEEBC9302CF343284
SHA256: 95EDD21F602EF04998365B1F30B6A059EC8769BA43DB67DE7EFAB1004921E60C
SSDEEP: 98304:RhTRkeHTcfqGsvrC4LlGyXU239YDQ4JXy5etigve:L

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • Used.com (PID: 4884)
    • Actions look like stealing of personal data

      • Used.com (PID: 4884)
    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2200)
    • LUMMA mutex has been found

      • Used.com (PID: 4884)
  • SUSPICIOUS

    • Starts CMD.EXE for command execution

      • 259d125d_.exe (PID: 5436)
    • Gets information on the list of running processes

      • cmd.exe (PID: 1100)
    • Executable content was dropped or overwritten

      • 259d125d_.exe (PID: 5436)
    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 1100)
    • Runs PING.EXE to delay execution

      • cmd.exe (PID: 1100)
    • Contains functionality for taking screenshots (YARA)

      • Used.com (PID: 4884)
    • Searches for installed software

      • Used.com (PID: 4884)
    • Starts application with an unusual extension

      • cmd.exe (PID: 1100)
    • Executes commands from a ".cmd" file

      • 259d125d_.exe (PID: 5436)
    • Uses 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 1100)
    • The executable file from the user directory is run by the CMD process

      • Used.com (PID: 4884)
  • INFO

    • Checks supported languages

      • 259d125d_.exe (PID: 5436)
      • Used.com (PID: 4884)
      • extrac32.exe (PID: 1128)
    • Reads the computer name

      • extrac32.exe (PID: 1128)
      • Used.com (PID: 4884)
    • Reads mouse settings

      • Used.com (PID: 4884)
    • Reads the software policy settings

      • Used.com (PID: 4884)
      • slui.exe (PID: 2628)
    • Reads the machine GUID from the registry

      • Used.com (PID: 4884)
    • Creates files in a temporary directory

      • 259d125d_.exe (PID: 5436)
      • extrac32.exe (PID: 1128)
    • Application launched itself

      • msedge.exe (PID: 2120)
      • msedge.exe (PID: 3620)
      • msedge.exe (PID: 1964)
      • msedge.exe (PID: 4476)
      • msedge.exe (PID: 6340)
      • chrome.exe (PID: 1156)
      • chrome.exe (PID: 5968)
      • chrome.exe (PID: 3888)
      • chrome.exe (PID: 3704)
      • msedge.exe (PID: 2312)
    • Checks proxy server information

      • slui.exe (PID: 2628)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:24 19:19:49+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 29184
InitializedDataSize: 4168192
UninitializedDataSize: 16896
EntryPoint: 0x39e9
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 210
Monitored processes: 75
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Graph nodes in the order shown (the graph itself is interactive in the full report; nodes marked "no specs" carried no indicators):
start → 259d125d_.exe, cmd.exe (no specs), conhost.exe (no specs), tasklist.exe (no specs), findstr.exe (no specs), tasklist.exe (no specs), findstr.exe (no specs), extrac32.exe (no specs), findstr.exe (no specs), used.com (#LUMMA), ping.exe (no specs), svchost.exe (#LUMMA), followed by numerous chrome.exe instances, slui.exe, further chrome.exe instances, and numerous msedge.exe instances (most marked "no specs").

Process information

PID: 440
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,29907534020767984,3601614119133683,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=3216 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 133.0.6943.127
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

PID: 516
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2388,i,12767540365272202276,7119999043896369592,262144 --variations-seed-version --mojo-platform-channel-handle=2240 /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 620
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1036
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,1662341982144191660,5241718711311071500,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=3180 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 133.0.6943.127
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

PID: 1100
CMD: C:\WINDOWS\system32\cmd.exe /k move After.eml After.eml.cmd & After.eml.cmd & exit
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: 259d125d_.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 9009
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 1128
CMD: extrac32 /Y Ed.eml *.*
Path: C:\Windows\SysWOW64\extrac32.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® CAB File Extract Utility
Exit code: 0
Version: 5.00 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\extrac32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 1132
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.127 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffc4502fff8,0x7ffc45030004,0x7ffc45030010
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 133.0.6943.127
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID: 1156
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: Used.com
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 133.0.6943.127
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID: 1180
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,1662341982144191660,5241718711311071500,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=3216 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 133.0.6943.127
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

PID: 1332
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=2408,i,6475118484131768999,2363706661295127037,262144 --variations-seed-version --mojo-platform-channel-handle=2412 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 133.0.6943.127
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
Total events: 24 169
Read events: 24 124
Write events: 45
Delete events: 0

Modification events

(PID) Process: (5968) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 1

(PID) Process: (5968) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (5968) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 2

(PID) Process: (5968) chrome.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation: write
Name: usagestats
Value: 0

(PID) Process: (5968) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

(PID) Process: (1156) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (1156) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 2

(PID) Process: (1156) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 1

(PID) Process: (1156) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

(PID) Process: (1156) chrome.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation: write
Name: usagestats
Value: 0
Executable files: 1
Suspicious files: 92
Text files: 173
Unknown types: 18

Dropped files

PID | Process | Filename | Type

5436 | 259d125d_.exe | C:\Users\admin\AppData\Local\Temp\After.eml | text
MD5: F7310C5271E9497FD0185FCF5B8583D0
SHA256: 14C0C7B6774D4D6B16CB8DB92C3E8CDBE83097A0E98B48FF6261F509CC555FB1

5436 | 259d125d_.exe | C:\Users\admin\AppData\Local\Temp\Painful.eml | binary
MD5: 57F91CDB4F08385DFC89265032DF5697
SHA256: 9BE69B4F8E30DF8E60BCCCE2C65508193C17B5CD3E4BC4583E2F384C0D595A97

5436 | 259d125d_.exe | C:\Users\admin\AppData\Local\Temp\Reveal.eml | binary
MD5: C57D3B20C3DB04EC019388864665D7E1
SHA256: 9CF035791EB92C4E5C369F2F99FAEE247229ACAD558926E7AA75AC1DDDD1464D

5436 | 259d125d_.exe | C:\Users\admin\AppData\Local\Temp\Ed.eml | binary
MD5: 1EC2B5E70F42E139B383EAEDDA3A2BD0
SHA256: BCA8A6587BF8ABCFAF8EBD3FC6580967259239F3E6E59C74E878817242CDBCA8

1128 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\Strand | binary
MD5: E2B2C5F833A33A7843C13BCD8584E68C
SHA256: AB60A34333EA2D2E661917FB8D54FC7D1EA27E8D4A40599FCE62BCF751993FA5

1128 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\Corps | binary
MD5: E46276B6D3CFCC50CE69398626743CFE
SHA256: 68CE598C6650B25F230161E818ED616956EDC44EE7413A6AF2EDFDA3E0D802AB

1128 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\Ability | binary
MD5: FCE3C7FE0CE85D0761C87915D4257298
SHA256: 5470491718F430FEF05B6CEEC1234F0724879343C210E3A4A5EBE3FDC81E552C

1128 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\Distributed | binary
MD5: 6679E7267CB7FE6FB7CC572C836EAEE4
SHA256: B0EC8A8442208EA90751D3550B92D3FAC103F82D1FA2706C3F68BB6C4601C229

5436 | 259d125d_.exe | C:\Users\admin\AppData\Local\Temp\Saint.eml | binary
MD5: 01D135B6140551D46AE5EA979450FBAC
SHA256: 5F793CF412FCB52EE444AEBDB937AEF4AF89373C5F4476E5E29D97532BFE15D8

1128 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\Isaac | binary
MD5: C36AA2D3F852F2FDEC1E3F97BEC8DA8F
SHA256: 5A010B23C001B8112E4D197143198725AA5B73BF0DBD592C68783B44C66E5FE5
HTTP(S) requests: 107
TCP/UDP connections: 138
DNS requests: 112
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | POST | 200 | 20.190.160.66:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.30:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.30:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
3160 | RUXIMICS.exe | GET | 200 | 23.216.77.30:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3160 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.31.71:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 400 | 40.126.32.140:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 200 | 40.126.32.140:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted

(A "-" marks a cell left empty in the report.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
3160 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.216.77.30:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.30:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3160 | RUXIMICS.exe | 23.216.77.30:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

(A "-" marks a cell left empty in the report.)

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 23.216.77.30
  • 23.216.77.22
  • 23.216.77.33
  • 23.216.77.20
  • 23.216.77.28
  • 23.216.77.26
  • 23.216.77.31
  • 23.216.77.27
  • 23.216.77.29
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
login.live.com
  • 40.126.32.133
  • 20.190.160.67
  • 20.190.160.128
  • 40.126.32.74
  • 20.190.160.2
  • 20.190.160.132
  • 40.126.32.72
  • 40.126.32.136
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
WcBelJxkAZRXhfy.WcBelJxkAZRXhfy
unknown
client.wns.windows.com
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
sponfht.com
  • 167.160.161.12
unknown
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

PID | Process | Class | Message
2200 | svchost.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Win32/Lumma DNS Activity observed
4884 | Used.com | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 31
- | - | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Win32/Lumma CnC HTTP Activity observed
- | - | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Win32/Lumma CnC HTTP Activity observed
- | - | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Win32/Lumma CnC HTTP Activity observed
- | - | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Win32/Lumma CnC HTTP Activity observed

(A "-" marks a cell left empty in the report.)
Debug output: no debug info