File name:

Setup.exe

Full analysis: https://app.any.run/tasks/69abf821-9a30-4437-a330-625a4e3ca4b7
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Analysis date: April 29, 2025, 10:57:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
autoit
lumma
stealer
autoit-loader
auto-reg
delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

E28AB1071050F6EE9A257587B6B244DE

SHA1:

6BAE00F5F74FF236E4D742A3D3006AAE9A731E04

SHA256:

00A1BBA91463D839DD39FF68CF8827B35D4A84AEFF36759B75D2BA511B93D107

SSDEEP:

49152:GDG72pDXggx+EOUqizOXwWA+NH2Ze/Us6jI487rOrnFZOhq2vpHQRhRfYot5pCue:OpDgg8YYwWA2Hqe//6jIT7rCnEqoarnG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • AutoIt loader has been detected (YARA)

      • Procurement.com (PID: 7512)
    • Steals credentials from Web Browsers

      • Procurement.com (PID: 7512)
    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2196)
    • Connects to the CnC server

      • svchost.exe (PID: 2196)
    • LUMMA mutex has been found

      • Procurement.com (PID: 7512)
    • Actions look like stealing of personal data

      • Procurement.com (PID: 7512)
    • Executing a file with an untrusted certificate

      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)
      • NLSvc.exe (PID: 8112)
    • Changes the autorun value in the registry

      • reg.exe (PID: 7816)
  • SUSPICIOUS

    • Executing commands from a ".bat" file

      • Setup.exe (PID: 7552)
    • Reads security settings of Internet Explorer

      • Setup.exe (PID: 7552)
    • Gets information on the list of running processes

      • cmd.exe (PID: 7608)
    • Starts CMD.EXE for command execution

      • Setup.exe (PID: 7552)
      • cmd.exe (PID: 7608)
      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7608)
    • Application launched itself

      • cmd.exe (PID: 7608)
    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 7608)
    • The executable file from the user directory is run by the CMD process

      • Procurement.com (PID: 7512)
    • Starts application with an unusual extension

      • cmd.exe (PID: 7608)
    • There is functionality for taking screenshot (YARA)

      • Setup.exe (PID: 7552)
      • Procurement.com (PID: 7512)
    • Contacting a server suspected of hosting a CnC

      • svchost.exe (PID: 2196)
    • Searches for installed software

      • Procurement.com (PID: 7512)
    • Executable content was dropped or overwritten

      • Procurement.com (PID: 7512)
      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)
    • Adds/modifies Windows certificates

      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7848)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)
    • Connects to unusual port

      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)
    • Executes application which crashes

      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)
  • INFO

    • Creates files in a temporary directory

      • Setup.exe (PID: 7552)
      • extrac32.exe (PID: 6480)
      • Procurement.com (PID: 7512)
    • Reads the computer name

      • Setup.exe (PID: 7552)
      • extrac32.exe (PID: 6480)
      • Procurement.com (PID: 7512)
      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)
    • Checks supported languages

      • Setup.exe (PID: 7552)
      • extrac32.exe (PID: 6480)
      • Procurement.com (PID: 7512)
      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)
      • NLSvc.exe (PID: 8112)
    • Process checks computer location settings

      • Setup.exe (PID: 7552)
    • Creates a new folder

      • cmd.exe (PID: 7364)
    • Reads mouse settings

      • Procurement.com (PID: 7512)
    • Reads the software policy settings

      • Procurement.com (PID: 7512)
      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)
      • slui.exe (PID: 7732)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)
    • Auto-launch of the file from Registry key

      • reg.exe (PID: 7816)
    • Reads the machine GUID from the registry

      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)
    • Compiled with Borland Delphi (YARA)

      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)
    • Creates files in the program directory

      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)
    • Manual execution by a user

      • NLSvc.exe (PID: 8112)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:04:10 12:19:23+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 25600
InitializedDataSize: 431104
UninitializedDataSize: 16896
EntryPoint: 0x33e9
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
Total processes
166
Monitored processes
30
Malicious processes
5
Suspicious processes
2

Behavior graph

Processes in the graph, in start order (#LUMMA marks processes tagged by the Lumma detection): setup.exe, cmd.exe, conhost.exe, sppextcomobj.exe, slui.exe, tasklist.exe, findstr.exe, tasklist.exe, findstr.exe, cmd.exe, extrac32.exe, findstr.exe, cmd.exe, cmd.exe, procurement.com (#LUMMA), choice.exe, kbflahe44v66oivu4vntv.exe, slui.exe, werfault.exe (×4), cmd.exe, conhost.exe, reg.exe, werfault.exe (×3), nlsvc.exe, svchost.exe (#LUMMA)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
660
CMD:
"C:\Users\admin\AppData\Local\Temp\KBFLAHE44V66OIVU4VNTV.exe"
Path:
C:\Users\admin\AppData\Local\Temp\KBFLAHE44V66OIVU4VNTV.exe
Parent process:
Procurement.com
User:
admin
Integrity Level:
MEDIUM
Version:
5.3.0.0
Modules
Images
c:\users\admin\appdata\local\temp\kbflahe44v66oivu4vntv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
2096
CMD:
choice /d y /t 5
Path:
C:\Windows\SysWOW64\choice.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Offers the user a choice
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
2196
CMD:
C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID:
6264
CMD:
cmd /c copy /b ..\Times.mil + ..\Chubby.mil + ..\Traditions.mil + ..\Reviewer.mil + ..\Domestic.mil + ..\Crude.mil + ..\Jokes.mil + ..\Ear.mil E
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
6480
CMD:
extrac32 /Y /E Holly.mil
Path:
C:\Windows\SysWOW64\extrac32.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® CAB File Extract Utility
Exit code:
0
Version:
5.00 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\extrac32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
7084
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
7196
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 660 -s 552
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
KBFLAHE44V66OIVU4VNTV.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
7240
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 660 -s 580
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
KBFLAHE44V66OIVU4VNTV.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
7256
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 660 -s 552
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
KBFLAHE44V66OIVU4VNTV.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
7364
CMD:
cmd /c md 469997
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
8 055
Read events
8 034
Write events
9
Delete events
12

Modification events

(PID) Process: (7816) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: NLSvc
Value:
C:\ProgramData\NLSvc.exe
(PID) Process: (660) KBFLAHE44V66OIVU4VNTV.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation: delete value
Name: 47BEABC922EAE80E78783462A79F45C254FDE68B
Value:
(PID) Process: (660) KBFLAHE44V66OIVU4VNTV.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B
Operation: write
Name: Blob
Value:
(binary certificate blob, not reproduced)
(PID) Process: (660) KBFLAHE44V66OIVU4VNTV.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B
Operation: delete key
Name: (default)
Value:
(PID) Process: (660) KBFLAHE44V66OIVU4VNTV.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B
Operation: write
Name: Blob
Value:
(binary certificate blob, not reproduced)
(PID) Process: (660) KBFLAHE44V66OIVU4VNTV.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation: delete value
Name: 2796BAE63F1801E277261BA0D77770028F20EEE4
Value:
(PID) Process: (660) KBFLAHE44V66OIVU4VNTV.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4
Operation: write
Name: Blob
Value:
(binary certificate blob, not reproduced)
(PID) Process: (660) KBFLAHE44V66OIVU4VNTV.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4
Operation: delete key
Name: (default)
Value:
(PID) Process: (660) KBFLAHE44V66OIVU4VNTV.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4
Operation: write
Name: Blob
Value:
(binary certificate blob, not reproduced)
Executable files
2
Suspicious files
19
Text files
4
Unknown types
0

Dropped files

PID | Process | Filename | Type
7552 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Crude.mil | binary
MD5: AB4C8622A7B22AB6825928F84EB63886
SHA256: 3F50E83B486CD8E17ED6E16C50ED9B3486E2F83C532088F6A515A6A26DBDCC8C
7552 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Reviewer.mil | binary
MD5: 2C3AF039D94CD4CC0D459B4E1D8CF022
SHA256: 54236C83E2FEA0DC74FE8916E3D2269C5FA4051D0D9A73E21F2AA03B2E2BAAF1
7552 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Ear.mil | text
MD5: B62BCDF30FDE368200C898C65793D237
SHA256: 6D73768D2D05E4F68942DCE1643E2E3D5EF6C1D931DEE46214B13AD4EE3D7FE8
7552 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Chubby.mil | binary
MD5: 1CAC9201CA91583CB6144A20EB2D74AA
SHA256: 3F68244B6F734EB9C9CB9AA77C0534BF1D286E87AC158E672B5034CB5B568C6D
7552 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Traditions.mil | binary
MD5: 04B5C96CF455605D1FF48DCB6EEFB35C
SHA256: 03DF99B155C6C3DD2751B0667C28D6A86633E9F2B9C2867204818337508205E4
7552 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Jokes.mil | binary
MD5: 566096E5DB04144692A2C6042988FD23
SHA256: 14B06FB00857FCE8CAD8FE606B1FEEC6B2A0A979BBA4BFE07616F95CAAC4ECA8
7552 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Domestic.mil | binary
MD5: 86929424419499384CDB52CCCD9DA189
SHA256: 056C1E6570CADE3CF722C71D2D262E119B7E70AE4AFA55D2F7E97B97BDF72E65
7552 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Notices.mil | text
MD5: 71E73DFB983CF2046D8A294859605C96
SHA256: 122304D6AC83245ACF0720E3AE0A80497E0D10081DCC527204AE98A6B7E035BB
7552 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Times.mil | binary
MD5: 6055B90C008AD139616A285D214D16EC
SHA256: 7F644A9AC610F1E17D9CF069FE62AA059D9330DC225F219A3698F7E275EE486A
6480 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\Structures | binary
MD5: 806471A88606935424D8882548EFBE08
SHA256: CCFEF48485FF4B54EF1F21EC20396587C8B7EE2B43C2BEBFDB0C5C93F27FB495
HTTP(S) requests
6
TCP/UDP connections
33
DNS requests
30
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.16.164.98:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2104
svchost.exe
GET
304
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5864
SIHClient.exe
GET
200
23.38.73.129:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5864
SIHClient.exe
GET
200
23.38.73.129:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
2.16.164.98:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
5496
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
2104
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.75:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.164.98
  • 2.16.164.89
  • 2.16.164.25
  • 2.16.164.32
  • 2.16.164.40
  • 2.16.164.58
  • 2.16.164.83
  • 2.16.164.24
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 23.38.73.129
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.159.75
  • 40.126.31.2
  • 40.126.31.73
  • 40.126.31.130
  • 20.190.159.129
  • 40.126.31.129
  • 20.190.159.4
  • 20.190.159.64
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
hxFnFEkTIppoPl.hxFnFEkTIppoPl
unknown
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

PID
Process
Class
Message
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tropiscbs .live)
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (topographky .top)
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (geographys .run)
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (biosphxere .digital)
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cartograhphy .top)
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (woodpeckersd .run)
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (climatologfy .top)
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vigorbridgoe .top)
Misc activity
ET TA_ABUSED_SERVICES DNS Query to Commonly Actor Abused Online Service (data-seed-prebsc-2-s1 .binance .org)
No debug info