URL:

https://ryos.ws/

Full analysis: https://app.any.run/tasks/3fe722f9-4208-425e-bd02-c838af79e4aa
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: November 09, 2024, 12:41:54
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
qrcode
lumma
stealer
Indicators:
MD5:

E1F785CAB115791086085EB18F946856

SHA1:

1E8599A821B5C898A9EE2469DE43B178921C0C57

SHA256:

E988C1DBDFAA059070BEDAEF1D89BC16870115E90A4B3FFCC3D3086C198990A3

SSDEEP:

3:N8YmWK:2Yc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2172)
      • Deeply.pif (PID: 7324)
      • Deeply.pif (PID: 1396)

    • Connects to the CnC server

      • svchost.exe (PID: 2172)

    • Stealers network behavior

      • Deeply.pif (PID: 1396)

    • Actions looks like stealing of personal data

      • Deeply.pif (PID: 7324)
      • Deeply.pif (PID: 1396)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Xeno.exe (PID: 2416)
      • Xeno.exe (PID: 4508)

    • Get information on the list of running processes

      • cmd.exe (PID: 3728)
      • cmd.exe (PID: 7604)

    • Executing commands from a ".bat" file

      • Xeno.exe (PID: 2416)
      • Xeno.exe (PID: 4508)

    • Starts CMD.EXE for commands execution

      • Xeno.exe (PID: 2416)
      • Xeno.exe (PID: 4508)
      • cmd.exe (PID: 3728)
      • cmd.exe (PID: 7604)

    • Application launched itself

      • cmd.exe (PID: 3728)
      • cmd.exe (PID: 7604)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 3728)
      • cmd.exe (PID: 7604)

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 7452)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3728)
      • cmd.exe (PID: 7604)

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 3728)

    • The executable file from the user directory is run by the CMD process

      • Deeply.pif (PID: 7324)
      • Deeply.pif (PID: 1396)

    • Drops a file with a rarely used extension (PIF)

      • cmd.exe (PID: 3728)

    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2172)
      • Deeply.pif (PID: 7324)
      • Deeply.pif (PID: 1396)

  • INFO

    • Reads Environment values

      • identity_helper.exe (PID: 7952)

    • Checks supported languages

      • identity_helper.exe (PID: 7952)
      • Xeno.exe (PID: 2416)
      • Deeply.pif (PID: 7324)
      • Deeply.pif (PID: 1396)
      • Xeno.exe (PID: 4508)

    • Reads the computer name

      • identity_helper.exe (PID: 7952)
      • Xeno.exe (PID: 2416)
      • Deeply.pif (PID: 7324)
      • Xeno.exe (PID: 4508)
      • Deeply.pif (PID: 1396)

    • The process uses the downloaded file

      • msedge.exe (PID: 7660)
      • WinRAR.exe (PID: 7676)
      • msedge.exe (PID: 6404)
      • WinRAR.exe (PID: 2808)
      • WinRAR.exe (PID: 7452)
      • Xeno.exe (PID: 2416)
      • Xeno.exe (PID: 4508)

    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 6404)

    • Reads the software policy settings

      • slui.exe (PID: 5160)
      • slui.exe (PID: 7960)
      • Deeply.pif (PID: 7324)
      • Deeply.pif (PID: 1396)

    • Manual execution by a user

      • WinRAR.exe (PID: 2808)
      • WinRAR.exe (PID: 7452)
      • Xeno.exe (PID: 2416)
      • Xeno.exe (PID: 4508)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 7756)
      • WinRAR.exe (PID: 7452)

    • Application launched itself

      • msedge.exe (PID: 6404)

    • Checks proxy server information

      • slui.exe (PID: 7960)

    • Process checks computer location settings

      • Xeno.exe (PID: 2416)
      • Xeno.exe (PID: 4508)

    • Reads mouse settings

      • Deeply.pif (PID: 7324)
      • Deeply.pif (PID: 1396)

    • Create files in a temporary directory

      • Xeno.exe (PID: 4508)
      • Xeno.exe (PID: 2416)

    • Creates a new folder

      • cmd.exe (PID: 6944)
      • cmd.exe (PID: 6960)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
231
Monitored processes
90
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs sppextcomobj.exe no specs slui.exe msedge.exe no specs winrar.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs slui.exe msedge.exe no specs msedge.exe rundll32.exe no specs winrar.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs xeno.exe no specs msedge.exe no specs cmd.exe conhost.exe no specs tasklist.exe no specs findstr.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs #LUMMA deeply.pif choice.exe no specs msedge.exe no specs xeno.exe cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs #LUMMA deeply.pif choice.exe no specs #LUMMA svchost.exe msedge.exe no specs msedge.exe

Process information

PID
CMD
Path
Indicators
Parent process
1176"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2628 --field-trial-handle=2272,i,6629510491691937352,16238213755189007200,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1396Deeply.pif I C:\Users\admin\AppData\Local\Temp\523425\Deeply.pif
cmd.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
HIGH
Description:
AutoIt v3 Script (Beta)
Exit code:
0
Version:
3, 3, 15, 3
Modules
Images
c:\users\admin\appdata\local\temp\523425\deeply.pif
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
1732"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7348 --field-trial-handle=2272,i,6629510491691937352,16238213755189007200,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2068choice /d y /t 5C:\Windows\SysWOW64\choice.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Offers the user a choice
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2172C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2416"C:\Users\admin\Downloads\Update-Xеnо_v1.0.9-Release_x64\Release\Release\Xeno.exe" C:\Users\admin\Downloads\Update-Xеnо_v1.0.9-Release_x64\Release\Release\Xeno.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\downloads\update-xеnо_v1.0.9-release_x64\release\release\xeno.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
2660"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7488 --field-trial-handle=2272,i,6629510491691937352,16238213755189007200,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2808"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\Update-Xеnо_v1.0.9-Release_x64.zip" C:\Users\admin\Downloads\Update-Xеnо_v1.0.9-Release_x64\C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
3728"C:\Windows\System32\cmd.exe" /c copy Differently Differently.bat & Differently.batC:\Windows\SysWOW64\cmd.exe
Xeno.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
3744"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6792 --field-trial-handle=2272,i,6629510491691937352,16238213755189007200,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
11 532
Read events
11 488
Write events
44
Delete events
0

Modification events

(PID) Process:(6404) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(6404) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(6404) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(6404) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(6404) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
F9CB1C7A10852F00
(PID) Process:(6404) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
91F5237A10852F00
(PID) Process:(6404) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\262794
Operation:writeName:WindowTabManagerFileMappingId
Value:
{635B17BE-7932-48A8-9F19-12B25A67C260}
(PID) Process:(6404) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\262794
Operation:writeName:WindowTabManagerFileMappingId
Value:
{9D5DFBAB-0C38-4DC4-BB31-B4ED40F8196C}
(PID) Process:(6404) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
B569567A10852F00
(PID) Process:(6404) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A
Value:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
Executable files
19
Suspicious files
645
Text files
114
Unknown types
0

Dropped files

PID
Process
Filename
Type
6404msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF8b89a.TMP
MD5:
SHA256:
6404msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
6404msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF8b8ba.TMP
MD5:
SHA256:
6404msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
6404msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF8b8c9.TMP
MD5:
SHA256:
6404msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
6404msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF8b8c9.TMP
MD5:
SHA256:
6404msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF8b8c9.TMP
MD5:
SHA256:
6404msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
6404msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
52
TCP/UDP connections
113
DNS requests
102
Threats
22

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
632
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7976
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7976
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
8052
svchost.exe
HEAD
200
2.19.126.157:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/c08f1970-45bc-4dbe-8166-4ecef7a1f617?P1=1731617108&P2=404&P3=2&P4=mDj0I69r5WUv7zMIh6Jxk6KfTOAAifJCKgsHcfcYk6YaIjOasaAzLcwMmiFX0gzrP3LCviZDouMWTaJRBDoqyQ%3d%3d
unknown
whitelisted
8052
svchost.exe
GET
206
2.19.126.157:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/c08f1970-45bc-4dbe-8166-4ecef7a1f617?P1=1731617108&P2=404&P3=2&P4=mDj0I69r5WUv7zMIh6Jxk6KfTOAAifJCKgsHcfcYk6YaIjOasaAzLcwMmiFX0gzrP3LCviZDouMWTaJRBDoqyQ%3d%3d
unknown
whitelisted
8052
svchost.exe
GET
206
2.19.126.157:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/c08f1970-45bc-4dbe-8166-4ecef7a1f617?P1=1731617108&P2=404&P3=2&P4=mDj0I69r5WUv7zMIh6Jxk6KfTOAAifJCKgsHcfcYk6YaIjOasaAzLcwMmiFX0gzrP3LCviZDouMWTaJRBDoqyQ%3d%3d
unknown
whitelisted
8052
svchost.exe
GET
206
2.19.126.157:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/c08f1970-45bc-4dbe-8166-4ecef7a1f617?P1=1731617108&P2=404&P3=2&P4=mDj0I69r5WUv7zMIh6Jxk6KfTOAAifJCKgsHcfcYk6YaIjOasaAzLcwMmiFX0gzrP3LCviZDouMWTaJRBDoqyQ%3d%3d
unknown
whitelisted
8052
svchost.exe
GET
206
2.19.126.157:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/c08f1970-45bc-4dbe-8166-4ecef7a1f617?P1=1731617108&P2=404&P3=2&P4=mDj0I69r5WUv7zMIh6Jxk6KfTOAAifJCKgsHcfcYk6YaIjOasaAzLcwMmiFX0gzrP3LCviZDouMWTaJRBDoqyQ%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6944
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4584
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5488
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6404
msedge.exe
239.255.255.250:1900
whitelisted
6436
msedge.exe
13.107.21.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6436
msedge.exe
142.250.186.131:443
fonts.gstatic.com
whitelisted
6436
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6436
msedge.exe
13.107.246.45:443
edge-mobile-static.azureedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.78
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted
ryos.ws
  • 185.212.130.67
unknown
business.bing.com
  • 13.107.6.158
whitelisted
bzib.nelreports.net
  • 23.50.131.30
  • 23.50.131.21
whitelisted
www.bing.com
  • 92.123.104.33
  • 92.123.104.59
  • 92.123.104.44
  • 92.123.104.34
  • 92.123.104.28
  • 92.123.104.31
  • 92.123.104.62
  • 92.123.104.32
  • 92.123.104.60
  • 92.123.104.52
  • 92.123.104.40
  • 92.123.104.63
  • 92.123.104.64
  • 92.123.104.7
  • 2.23.209.176
  • 2.23.209.149
  • 2.23.209.181
  • 2.23.209.161
  • 2.23.209.160
  • 2.23.209.150
  • 2.23.209.177
  • 2.23.209.158
  • 2.23.209.179
  • 2.23.209.182
  • 2.23.209.175
  • 2.23.209.156
  • 2.23.209.154
  • 2.23.209.141
  • 2.23.209.144
whitelisted
cdn.jsdelivr.net
  • 151.101.193.229
  • 151.101.1.229
  • 151.101.129.229
  • 151.101.65.229
whitelisted

Threats

PID
Process
Class
Message
6436
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
6436
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
6436
msedge.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
6436
msedge.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
6436
msedge.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
6436
msedge.exe
Potentially Bad Traffic
ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
4360
SearchApp.exe
Not Suspicious Traffic
INFO [ANY.RUN] Azure Front Door domain observed in TLS SNI ( .azurefd .net)
2172
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (knifedxejsu .cyou)
7324
Deeply.pif
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI)
7324
Deeply.pif
A Network Trojan was detected
STEALER [ANY.RUN] Lumma Stealer TLS Connection
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://ryos.ws/