URL:

https://aerocheats.site

Full analysis: https://app.any.run/tasks/8739b69e-dd69-4bae-bc2b-3527228b6c3c
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: December 08, 2024, 11:17:52
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
stealer
Indicators:
MD5:

11FF44C694C2D7B17B89D7A5B2F425B9

SHA1:

586BC59C2748796572B8A358EE0A590CDE7512F1

SHA256:

B7B054311ABE16C2C3EE97DB540DBBC248348ED128FCDDA54640A6614F56923A

SSDEEP:

3:N8rhRcmn:2dTn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Detects Cygwin installation

      • WinRAR.exe (PID: 7212)

    • Connects to the CnC server

      • svchost.exe (PID: 2192)

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2192)
      • AERO.exe (PID: 8112)
      • AERO.exe (PID: 5460)
      • AERO.exe (PID: 7660)
      • AERO.exe (PID: 3984)
      • AERO.exe (PID: 7840)
      • AERO.exe (PID: 8048)
      • AERO.exe (PID: 6936)
      • AERO.exe (PID: 8172)
      • AERO.exe (PID: 2152)
      • AERO.exe (PID: 648)
      • AERO.exe (PID: 4012)
      • AERO.exe (PID: 8184)
      • AERO.exe (PID: 2800)
      • AERO.exe (PID: 936)
      • AERO.exe (PID: 7816)
      • AERO.exe (PID: 7984)
      • AERO.exe (PID: 8032)
      • AERO.exe (PID: 7668)
      • AERO.exe (PID: 6152)
      • AERO.exe (PID: 8044)

    • Actions looks like stealing of personal data

      • AERO.exe (PID: 8112)
      • AERO.exe (PID: 5460)
      • AERO.exe (PID: 7660)
      • AERO.exe (PID: 7840)
      • AERO.exe (PID: 3984)
      • AERO.exe (PID: 6936)
      • AERO.exe (PID: 8048)
      • AERO.exe (PID: 2152)
      • AERO.exe (PID: 648)
      • AERO.exe (PID: 8172)
      • AERO.exe (PID: 4012)
      • AERO.exe (PID: 8184)
      • AERO.exe (PID: 2800)
      • AERO.exe (PID: 7816)
      • AERO.exe (PID: 936)
      • AERO.exe (PID: 7984)
      • AERO.exe (PID: 7668)
      • AERO.exe (PID: 8032)
      • AERO.exe (PID: 6152)
      • AERO.exe (PID: 8044)

    • Steals credentials from Web Browsers

      • AERO.exe (PID: 8112)
      • AERO.exe (PID: 5460)
      • AERO.exe (PID: 7660)
      • AERO.exe (PID: 7840)
      • AERO.exe (PID: 6936)
      • AERO.exe (PID: 3984)
      • AERO.exe (PID: 8048)
      • AERO.exe (PID: 8172)
      • AERO.exe (PID: 2152)
      • AERO.exe (PID: 648)
      • AERO.exe (PID: 4012)
      • AERO.exe (PID: 8184)
      • AERO.exe (PID: 2800)
      • AERO.exe (PID: 7816)
      • AERO.exe (PID: 936)
      • AERO.exe (PID: 7984)
      • AERO.exe (PID: 7668)
      • AERO.exe (PID: 8032)
      • AERO.exe (PID: 6152)
      • AERO.exe (PID: 8044)

  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • WinRAR.exe (PID: 7212)

    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 7212)

    • Application launched itself

      • AERO.exe (PID: 8036)
      • AERO.exe (PID: 7488)
      • AERO.exe (PID: 1876)
      • AERO.exe (PID: 7792)
      • AERO.exe (PID: 1556)
      • AERO.exe (PID: 2736)
      • AERO.exe (PID: 6736)
      • AERO.exe (PID: 7260)
      • AERO.exe (PID: 1220)
      • AERO.exe (PID: 836)
      • AERO.exe (PID: 4724)
      • AERO.exe (PID: 1536)
      • AERO.exe (PID: 7648)
      • AERO.exe (PID: 7108)
      • AERO.exe (PID: 8176)
      • AERO.exe (PID: 8052)
      • AERO.exe (PID: 6944)
      • AERO.exe (PID: 7868)
      • AERO.exe (PID: 1864)
      • AERO.exe (PID: 1460)

    • Contacting a server suspected of hosting an CnC

      • AERO.exe (PID: 8112)
      • AERO.exe (PID: 5460)
      • svchost.exe (PID: 2192)
      • AERO.exe (PID: 7660)
      • AERO.exe (PID: 7840)
      • AERO.exe (PID: 3984)
      • AERO.exe (PID: 6936)
      • AERO.exe (PID: 8048)
      • AERO.exe (PID: 8172)
      • AERO.exe (PID: 648)
      • AERO.exe (PID: 2152)
      • AERO.exe (PID: 4012)
      • AERO.exe (PID: 8184)
      • AERO.exe (PID: 2800)
      • AERO.exe (PID: 7816)
      • AERO.exe (PID: 936)
      • AERO.exe (PID: 7984)
      • AERO.exe (PID: 7668)
      • AERO.exe (PID: 8032)
      • AERO.exe (PID: 6152)
      • AERO.exe (PID: 8044)

  • INFO

    • Reads the computer name

      • identity_helper.exe (PID: 3876)
      • AERO.exe (PID: 8112)
      • AERO.exe (PID: 5460)
      • AERO.exe (PID: 7660)
      • AERO.exe (PID: 7840)
      • AERO.exe (PID: 3984)
      • AERO.exe (PID: 6936)
      • AERO.exe (PID: 8048)
      • AERO.exe (PID: 2152)
      • AERO.exe (PID: 8172)
      • AERO.exe (PID: 648)
      • AERO.exe (PID: 4012)
      • AERO.exe (PID: 8184)
      • AERO.exe (PID: 2800)
      • AERO.exe (PID: 7816)
      • AERO.exe (PID: 936)
      • AERO.exe (PID: 7984)
      • AERO.exe (PID: 7668)
      • AERO.exe (PID: 8032)
      • AERO.exe (PID: 6152)
      • AERO.exe (PID: 8044)

    • Reads Environment values

      • identity_helper.exe (PID: 3876)

    • The process uses the downloaded file

      • iexplore.exe (PID: 5720)
      • msedge.exe (PID: 6628)
      • msedge.exe (PID: 6200)
      • WinRAR.exe (PID: 7212)

    • Checks supported languages

      • identity_helper.exe (PID: 3876)
      • AERO.exe (PID: 8036)
      • AERO.exe (PID: 8112)
      • AERO.exe (PID: 5460)
      • AERO.exe (PID: 1876)
      • AERO.exe (PID: 7488)
      • AERO.exe (PID: 7660)
      • AERO.exe (PID: 7840)
      • AERO.exe (PID: 7792)
      • AERO.exe (PID: 1556)
      • AERO.exe (PID: 3984)
      • AERO.exe (PID: 6936)
      • AERO.exe (PID: 6736)
      • AERO.exe (PID: 8048)
      • AERO.exe (PID: 2736)
      • AERO.exe (PID: 7260)
      • AERO.exe (PID: 8172)
      • AERO.exe (PID: 2152)
      • AERO.exe (PID: 1220)
      • AERO.exe (PID: 648)
      • AERO.exe (PID: 836)
      • AERO.exe (PID: 4012)
      • AERO.exe (PID: 4724)
      • AERO.exe (PID: 1536)
      • AERO.exe (PID: 8184)
      • AERO.exe (PID: 8176)
      • AERO.exe (PID: 7816)
      • AERO.exe (PID: 7108)
      • AERO.exe (PID: 936)
      • AERO.exe (PID: 2800)
      • AERO.exe (PID: 7648)
      • AERO.exe (PID: 7984)
      • AERO.exe (PID: 8052)
      • AERO.exe (PID: 7668)
      • AERO.exe (PID: 6944)
      • AERO.exe (PID: 8032)
      • AERO.exe (PID: 7868)
      • AERO.exe (PID: 1864)
      • AERO.exe (PID: 6152)
      • AERO.exe (PID: 1460)
      • AERO.exe (PID: 8044)

    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 6200)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7212)

    • Manual execution by a user

      • AERO.exe (PID: 8036)
      • AERO.exe (PID: 7488)
      • AERO.exe (PID: 1876)
      • AERO.exe (PID: 7792)
      • AERO.exe (PID: 1556)
      • AERO.exe (PID: 2736)
      • AERO.exe (PID: 6736)
      • AERO.exe (PID: 7260)
      • AERO.exe (PID: 1220)
      • AERO.exe (PID: 836)
      • AERO.exe (PID: 4724)
      • AERO.exe (PID: 1536)
      • AERO.exe (PID: 8176)
      • AERO.exe (PID: 7648)
      • AERO.exe (PID: 6944)
      • AERO.exe (PID: 7108)
      • AERO.exe (PID: 8052)
      • AERO.exe (PID: 7868)
      • AERO.exe (PID: 1460)
      • AERO.exe (PID: 1864)

    • Reads the software policy settings

      • AERO.exe (PID: 8112)
      • AERO.exe (PID: 5460)
      • AERO.exe (PID: 7660)
      • AERO.exe (PID: 7840)
      • AERO.exe (PID: 6936)
      • AERO.exe (PID: 8048)
      • AERO.exe (PID: 3984)
      • AERO.exe (PID: 8172)
      • AERO.exe (PID: 2152)
      • AERO.exe (PID: 648)
      • AERO.exe (PID: 4012)
      • AERO.exe (PID: 8184)
      • AERO.exe (PID: 7816)
      • AERO.exe (PID: 936)
      • AERO.exe (PID: 2800)
      • AERO.exe (PID: 7984)
      • AERO.exe (PID: 7668)
      • AERO.exe (PID: 8032)
      • AERO.exe (PID: 6152)
      • AERO.exe (PID: 8044)

    • Application launched itself

      • msedge.exe (PID: 6200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
249
Monitored processes
113
Malicious processes
43
Suspicious processes
1

Behavior graph

Click at the process to see the details
start iexplore.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe no specs aero.exe no specs conhost.exe no specs aero.exe no specs #LUMMA aero.exe #LUMMA svchost.exe msedge.exe msedge.exe no specs msedge.exe no specs aero.exe conhost.exe no specs #LUMMA aero.exe msedge.exe aero.exe conhost.exe no specs #LUMMA aero.exe aero.exe no specs conhost.exe no specs #LUMMA aero.exe aero.exe no specs conhost.exe no specs aero.exe no specs aero.exe no specs #LUMMA aero.exe aero.exe no specs conhost.exe no specs aero.exe no specs #LUMMA aero.exe aero.exe no specs conhost.exe no specs #LUMMA aero.exe aero.exe no specs conhost.exe no specs aero.exe no specs #LUMMA aero.exe aero.exe no specs conhost.exe no specs #LUMMA aero.exe aero.exe no specs conhost.exe no specs #LUMMA aero.exe aero.exe conhost.exe no specs aero.exe no specs #LUMMA aero.exe msedge.exe no specs aero.exe conhost.exe no specs #LUMMA aero.exe aero.exe no specs conhost.exe no specs #LUMMA aero.exe aero.exe no specs conhost.exe no specs #LUMMA aero.exe aero.exe no specs conhost.exe no specs #LUMMA aero.exe aero.exe no specs conhost.exe no specs #LUMMA aero.exe aero.exe no specs conhost.exe no specs #LUMMA aero.exe aero.exe no specs conhost.exe no specs #LUMMA aero.exe aero.exe conhost.exe no specs #LUMMA aero.exe aero.exe conhost.exe no specs #LUMMA aero.exe msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
396"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6364 --field-trial-handle=2352,i,12520255602572625293,1393448026589187687,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
432"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4316 --field-trial-handle=2352,i,12520255602572625293,1393448026589187687,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
444"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=3808 --field-trial-handle=2352,i,12520255602572625293,1393448026589187687,262144 --variations-seed-version /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
648"C:\Users\admin\Desktop\hax\AERO.exe"C:\Users\admin\Desktop\hax\AERO.exe
AERO.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\hax\aero.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\msvcp_win.dll
836"C:\Users\admin\Desktop\hax\AERO.exe" C:\Users\admin\Desktop\hax\AERO.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\hax\aero.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
936"C:\Users\admin\Desktop\hax\AERO.exe"C:\Users\admin\Desktop\hax\AERO.exe
AERO.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\hax\aero.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\msvcp_win.dll
1172"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=4304 --field-trial-handle=2352,i,12520255602572625293,1393448026589187687,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1220"C:\Users\admin\Desktop\hax\AERO.exe" C:\Users\admin\Desktop\hax\AERO.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\hax\aero.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
1328\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeAERO.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1460"C:\Users\admin\Desktop\hax\AERO.exe" C:\Users\admin\Desktop\hax\AERO.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\hax\aero.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
18 476
Read events
18 443
Write events
33
Delete events
0

Modification events

(PID) Process:(5720) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(5720) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(5720) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(5720) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(5720) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(5720) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:writeName:DisableFirstRunCustomize
Value:
1
(PID) Process:(6200) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(6200) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(6200) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(6200) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
Executable files
7
Suspicious files
247
Text files
59
Unknown types
1

Dropped files

PID
Process
Filename
Type
6200msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF135046.TMP
MD5:
SHA256:
6200msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
6200msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF135046.TMP
MD5:
SHA256:
6200msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
6200msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF135056.TMP
MD5:
SHA256:
6200msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
6200msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF135075.TMP
MD5:
SHA256:
6200msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
6200msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF135084.TMP
MD5:
SHA256:
6200msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
181
DNS requests
68
Threats
121

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.164.18:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
3612
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
932
svchost.exe
HEAD
200
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/c08f1970-45bc-4dbe-8166-4ecef7a1f617?P1=1733665043&P2=404&P3=2&P4=CnERmGW7weuUikKw9%2fxcsB6GRw%2bvb%2f0acTfk2JjFANJSqJzNTaLLWwbQDScpnBY%2bPn50MS1zycVVX0KRI46zaw%3d%3d
unknown
whitelisted
932
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/c08f1970-45bc-4dbe-8166-4ecef7a1f617?P1=1733665043&P2=404&P3=2&P4=CnERmGW7weuUikKw9%2fxcsB6GRw%2bvb%2f0acTfk2JjFANJSqJzNTaLLWwbQDScpnBY%2bPn50MS1zycVVX0KRI46zaw%3d%3d
unknown
whitelisted
932
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/c08f1970-45bc-4dbe-8166-4ecef7a1f617?P1=1733665043&P2=404&P3=2&P4=CnERmGW7weuUikKw9%2fxcsB6GRw%2bvb%2f0acTfk2JjFANJSqJzNTaLLWwbQDScpnBY%2bPn50MS1zycVVX0KRI46zaw%3d%3d
unknown
whitelisted
7632
SIHClient.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7632
SIHClient.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5160
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.164.18:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6452
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6200
msedge.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
6452
msedge.exe
31.31.196.16:443
aerocheats.site
Domain names registrar REG.RU, Ltd
RU
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.164.18
  • 2.16.164.49
  • 2.16.164.114
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 23.218.209.163
whitelisted
google.com
  • 172.217.16.206
whitelisted
aerocheats.site
  • 31.31.196.16
unknown
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
bzib.nelreports.net
  • 2.22.242.105
  • 2.22.242.11
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (atten-supporse .biz)
8112
AERO.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)
8112
AERO.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)
8112
AERO.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)
8112
AERO.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)
8112
AERO.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)
8112
AERO.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)
5460
AERO.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)
5460
AERO.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)
7660
AERO.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://aerocheats.site