URL:

https://anaamw.com/p3.php

Full analysis: https://app.any.run/tasks/c150773b-ecfa-4b51-a11b-1fcc5af3a78d
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: March 25, 2025, 00:07:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
obfuscated-js
auto
lumma
stealer
Indicators:
MD5:

B517885149E3BABC154D67987D2C0665

SHA1:

49045C06814E30956BADE460ADCD09BD18712754

SHA256:

ECAE29F6740ADD7C22CDFA88B289DDA51FFC2021E8530E2579D3C4EA6D8AAC60

SSDEEP:

3:N8COLVH:2lLVH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • mshta.exe (PID: 5952)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7724)

    • Executing a file with an untrusted certificate

      • Captcha.exe (PID: 1072)
      • XUJSKTHPKJAVN3Y44RJAXI.exe (PID: 2552)

    • STEALER has been found (auto)

      • powershell.exe (PID: 7724)

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2196)

    • LUMMA mutex has been found

      • cvtres.exe (PID: 5576)

    • Actions looks like stealing of personal data

      • cvtres.exe (PID: 5576)

    • Steals credentials from Web Browsers

      • cvtres.exe (PID: 5576)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • ShellExperienceHost.exe (PID: 2616)

    • Executes script without checking the security policy

      • powershell.exe (PID: 7724)

    • Starts process via Powershell

      • powershell.exe (PID: 7724)

    • The process bypasses the loading of PowerShell profile settings

      • mshta.exe (PID: 5952)

    • Starts POWERSHELL.EXE for commands execution

      • mshta.exe (PID: 5952)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7724)
      • cvtres.exe (PID: 5576)
      • XUJSKTHPKJAVN3Y44RJAXI.exe (PID: 2552)

    • Searches for installed software

      • cvtres.exe (PID: 5576)

  • INFO

    • Checks supported languages

      • identity_helper.exe (PID: 6272)
      • ShellExperienceHost.exe (PID: 2616)
      • Captcha.exe (PID: 1072)
      • XUJSKTHPKJAVN3Y44RJAXI.exe (PID: 2552)
      • cvtres.exe (PID: 5576)
      • tcpvcon.exe (PID: 1328)
      • MSBuild.exe (PID: 3828)

    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 7924)
      • BackgroundTransferHost.exe (PID: 5984)
      • BackgroundTransferHost.exe (PID: 4424)
      • BackgroundTransferHost.exe (PID: 6800)
      • BackgroundTransferHost.exe (PID: 3268)

    • Creates files or folders in the user directory

      • BackgroundTransferHost.exe (PID: 5984)

    • Checks proxy server information

      • BackgroundTransferHost.exe (PID: 5984)
      • slui.exe (PID: 300)
      • mshta.exe (PID: 5952)
      • powershell.exe (PID: 7724)

    • Reads Environment values

      • identity_helper.exe (PID: 6272)

    • Reads the computer name

      • identity_helper.exe (PID: 6272)
      • ShellExperienceHost.exe (PID: 2616)
      • cvtres.exe (PID: 5576)
      • XUJSKTHPKJAVN3Y44RJAXI.exe (PID: 2552)
      • Captcha.exe (PID: 1072)
      • MSBuild.exe (PID: 3828)
      • tcpvcon.exe (PID: 1328)

    • Reads the software policy settings

      • BackgroundTransferHost.exe (PID: 5984)
      • slui.exe (PID: 1116)
      • slui.exe (PID: 300)
      • cvtres.exe (PID: 5576)

    • Manual execution by a user

      • cmd.exe (PID: 8052)
      • cvtres.exe (PID: 5576)

    • The sample compiled with english language support

      • msedge.exe (PID: 4400)
      • XUJSKTHPKJAVN3Y44RJAXI.exe (PID: 2552)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 4400)

    • Application launched itself

      • msedge.exe (PID: 2140)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 5952)

    • Disables trace logs

      • powershell.exe (PID: 7724)

    • Creates files in the program directory

      • powershell.exe (PID: 7724)
      • XUJSKTHPKJAVN3Y44RJAXI.exe (PID: 2552)

    • Reads the machine GUID from the registry

      • Captcha.exe (PID: 1072)
      • MSBuild.exe (PID: 3828)

    • Create files in a temporary directory

      • cvtres.exe (PID: 5576)
      • XUJSKTHPKJAVN3Y44RJAXI.exe (PID: 2552)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
214
Monitored processes
67
Malicious processes
4
Suspicious processes
4

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs sppextcomobj.exe no specs slui.exe identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs shellexperiencehost.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs slui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs mshta.exe #STEALER powershell.exe conhost.exe no specs msedge.exe no specs captcha.exe no specs #LUMMA cvtres.exe #LUMMA svchost.exe msedge.exe no specs msedge.exe no specs xujskthpkjavn3y44rjaxi.exe msbuild.exe no specs tcpvcon.exe no specs conhost.exe no specs svchost.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
300C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
864"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6740 --field-trial-handle=2324,i,13703033852906961433,13520228537345399544,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1072"C:\ProgramData\Captcha.exe" C:\ProgramData\Captcha.exepowershell.exe
User:
admin
Company:
Paramount Software UK Ltd
Integrity Level:
MEDIUM
Description:
Macrium Reflect UI Watcher
Exit code:
4294967295
Version:
8, 1, 8325, 0
Modules
Images
c:\programdata\captcha.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\ucrtbase.dll
1116"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1328"C:\ProgramData\Fortect\tcpvcon.exe" "C:\ProgramData\Fortect\tcpvcon.exe" /accepteulaC:\ProgramData\Fortect\tcpvcon.exeXUJSKTHPKJAVN3Y44RJAXI.exe
User:
admin
Company:
Sysinternals - www.sysinternals.com
Integrity Level:
MEDIUM
Description:
Sysinternals TcpVcon
Exit code:
0
Version:
4.18
Modules
Images
c:\programdata\fortect\tcpvcon.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
1628"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6996 --field-trial-handle=2324,i,13703033852906961433,13520228537345399544,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1660"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6420 --field-trial-handle=2324,i,13703033852906961433,13520228537345399544,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
3221226029
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
1748"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5220 --field-trial-handle=2324,i,13703033852906961433,13520228537345399544,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2084"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=1468 --field-trial-handle=2324,i,13703033852906961433,13520228537345399544,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2104"C:\WINDOWS\system32\svchost.exe"C:\Windows\SysWOW64\svchost.exeMSBuild.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events
16 977
Read events
16 943
Write events
34
Delete events
0

Modification events

(PID) Process:(2140) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(2140) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(2140) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(2140) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(2140) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
71C5BEC8B58F2F00
(PID) Process:(2140) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\262786
Operation:writeName:WindowTabManagerFileMappingId
Value:
{D9AA9E01-8020-4AAC-AAAE-D255DFB4DBC2}
(PID) Process:(2140) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\262786
Operation:writeName:WindowTabManagerFileMappingId
Value:
{A9AB354A-E7C9-4C13-8A04-5F603650775D}
(PID) Process:(2140) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
B936CAC8B58F2F00
(PID) Process:(2140) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
3F1C2AC9B58F2F00
(PID) Process:(2140) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A
Value:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
Executable files
13
Suspicious files
212
Text files
53
Unknown types
1

Dropped files

PID
Process
Filename
Type
2140msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF10b2c7.TMP
MD5:
SHA256:
2140msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF10b2d7.TMP
MD5:
SHA256:
2140msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
2140msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF10b2e7.TMP
MD5:
SHA256:
2140msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
2140msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF10b2e7.TMP
MD5:
SHA256:
2140msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
2140msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
2140msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF10b392.TMP
MD5:
SHA256:
2140msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
43
TCP/UDP connections
78
DNS requests
92
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.16.164.72:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5984
BackgroundTransferHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1676
backgroundTaskHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
2240
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2240
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
2852
svchost.exe
HEAD
200
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e97d85e8-2e6f-4c6c-8a9a-1d07973733be?P1=1743380884&P2=404&P3=2&P4=E4WeEwn380ddFf2jmcqAZT0lus6gelnMkjWHGhXs1rQyQQ5tD4Uei5rSUWDym2Fs7y5Ta3VsnIsO5QjXhPyO9Q%3d%3d
unknown
whitelisted
2852
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e97d85e8-2e6f-4c6c-8a9a-1d07973733be?P1=1743380884&P2=404&P3=2&P4=E4WeEwn380ddFf2jmcqAZT0lus6gelnMkjWHGhXs1rQyQQ5tD4Uei5rSUWDym2Fs7y5Ta3VsnIsO5QjXhPyO9Q%3d%3d
unknown
whitelisted
4224
backgroundTaskHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
2852
svchost.exe
GET
206
199.232.214.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e97d85e8-2e6f-4c6c-8a9a-1d07973733be?P1=1743380884&P2=404&P3=2&P4=E4WeEwn380ddFf2jmcqAZT0lus6gelnMkjWHGhXs1rQyQQ5tD4Uei5rSUWDym2Fs7y5Ta3VsnIsO5QjXhPyO9Q%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
2.16.164.72:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
2140
msedge.exe
239.255.255.250:1900
whitelisted
7412
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7412
msedge.exe
150.171.28.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7412
msedge.exe
13.107.253.72:443
edge-mobile-static.azureedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7412
msedge.exe
13.107.6.158:443
business.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7412
msedge.exe
2.16.168.219:443
bzib.nelreports.net
Akamai International B.V.
RU
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.164.72
  • 2.16.164.120
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.253.72
whitelisted
anaamw.com
  • 66.96.147.114
unknown
business.bing.com
  • 13.107.6.158
whitelisted
bzib.nelreports.net
  • 2.16.168.219
  • 2.16.168.201
whitelisted
www.bing.com
  • 95.101.20.186
  • 95.101.20.210
  • 95.101.20.155
  • 95.101.20.179
  • 95.101.20.184
  • 95.101.20.211
  • 95.101.20.154
  • 95.101.20.200
  • 95.101.20.209
  • 95.101.20.176
  • 95.101.20.192
  • 95.101.20.177
  • 95.101.20.193
  • 95.101.20.178
  • 95.101.20.171
  • 2.23.227.208
  • 2.23.227.215
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2196
svchost.exe
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .icu Domain
2196
svchost.exe
A Network Trojan was detected
STEALER [ANY.RUN] Domain has been identified as part of Lumma Stealer's infrastructure (mrodularmall .top)
2196
svchost.exe
A Network Trojan was detected
STEALER [ANY.RUN] Domain has been identified as part of Lumma Stealer's infrastructure (jowinjoinery .icu)
2196
svchost.exe
A Network Trojan was detected
STEALER [ANY.RUN] Domain has been identified as part of Lumma Stealer's infrastructure (legenassedk .top)
2196
svchost.exe
A Network Trojan was detected
STEALER [ANY.RUN] Domain has been identified as part of Lumma Stealer's infrastructure (bugildbett .top)
2196
svchost.exe
A Network Trojan was detected
STEALER [ANY.RUN] Domain has been identified as part of Lumma Stealer's infrastructure (htardwarehu .icu)
5576
cvtres.exe
Potentially Bad Traffic
ET INFO Suspicious Domain (*.icu) in TLS SNI
5576
cvtres.exe
Potentially Bad Traffic
ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.icu)
5576
cvtres.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 4
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://anaamw.com/p3.php