File name:

Setup.exe

Full analysis: https://app.any.run/tasks/69abf821-9a30-4437-a330-625a4e3ca4b7
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: April 29, 2025, 10:57:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
autoit
lumma
stealer
autoit-loader
auto-reg
delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

E28AB1071050F6EE9A257587B6B244DE

SHA1:

6BAE00F5F74FF236E4D742A3D3006AAE9A731E04

SHA256:

00A1BBA91463D839DD39FF68CF8827B35D4A84AEFF36759B75D2BA511B93D107

SSDEEP:

49152:GDG72pDXggx+EOUqizOXwWA+NH2Ze/Us6jI487rOrnFZOhq2vpHQRhRfYot5pCue:OpDgg8YYwWA2Hqe//6jIT7rCnEqoarnG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • AutoIt loader has been detected (YARA)

      • Procurement.com (PID: 7512)

    • Connects to the CnC server

      • svchost.exe (PID: 2196)

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2196)

    • Actions looks like stealing of personal data

      • Procurement.com (PID: 7512)

    • LUMMA mutex has been found

      • Procurement.com (PID: 7512)

    • Steals credentials from Web Browsers

      • Procurement.com (PID: 7512)

    • Executing a file with an untrusted certificate

      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)
      • NLSvc.exe (PID: 8112)

    • Changes the autorun value in the registry

      • reg.exe (PID: 7816)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Setup.exe (PID: 7552)

    • Executing commands from a ".bat" file

      • Setup.exe (PID: 7552)

    • Starts CMD.EXE for commands execution

      • Setup.exe (PID: 7552)
      • cmd.exe (PID: 7608)
      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)

    • Get information on the list of running processes

      • cmd.exe (PID: 7608)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7608)

    • Application launched itself

      • cmd.exe (PID: 7608)

    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 7608)

    • The executable file from the user directory is run by the CMD process

      • Procurement.com (PID: 7512)

    • Starts application with an unusual extension

      • cmd.exe (PID: 7608)

    • There is functionality for taking screenshot (YARA)

      • Setup.exe (PID: 7552)
      • Procurement.com (PID: 7512)

    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2196)

    • Searches for installed software

      • Procurement.com (PID: 7512)

    • Executable content was dropped or overwritten

      • Procurement.com (PID: 7512)
      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)

    • Executes application which crashes

      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)

    • Adds/modifies Windows certificates

      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)

    • Connects to unusual port

      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7848)

  • INFO

    • Checks supported languages

      • Setup.exe (PID: 7552)
      • extrac32.exe (PID: 6480)
      • Procurement.com (PID: 7512)
      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)
      • NLSvc.exe (PID: 8112)

    • Reads the computer name

      • Setup.exe (PID: 7552)
      • extrac32.exe (PID: 6480)
      • Procurement.com (PID: 7512)
      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)

    • Process checks computer location settings

      • Setup.exe (PID: 7552)

    • Create files in a temporary directory

      • Setup.exe (PID: 7552)
      • extrac32.exe (PID: 6480)
      • Procurement.com (PID: 7512)

    • Creates a new folder

      • cmd.exe (PID: 7364)

    • Reads mouse settings

      • Procurement.com (PID: 7512)

    • Reads the software policy settings

      • Procurement.com (PID: 7512)
      • slui.exe (PID: 7732)
      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)

    • Compiled with Borland Delphi (YARA)

      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)

    • Creates files in the program directory

      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)

    • Drops encrypted JS script (Microsoft Script Encoder)

      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)

    • Auto-launch of the file from Registry key

      • reg.exe (PID: 7816)

    • Reads the machine GUID from the registry

      • KBFLAHE44V66OIVU4VNTV.exe (PID: 660)

    • Manual execution by a user

      • NLSvc.exe (PID: 8112)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:04:10 12:19:23+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 25600
InitializedDataSize: 431104
UninitializedDataSize: 16896
EntryPoint: 0x33e9
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
166
Monitored processes
30
Malicious processes
5
Suspicious processes
2

Behavior graph

Click at the process to see the details
start setup.exe no specs cmd.exe no specs conhost.exe no specs sppextcomobj.exe no specs slui.exe tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs extrac32.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs #LUMMA procurement.com choice.exe no specs kbflahe44v66oivu4vntv.exe slui.exe no specs werfault.exe no specs werfault.exe no specs werfault.exe no specs werfault.exe no specs cmd.exe no specs conhost.exe no specs reg.exe werfault.exe no specs werfault.exe no specs werfault.exe no specs nlsvc.exe no specs #LUMMA svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
660"C:\Users\admin\AppData\Local\Temp\KBFLAHE44V66OIVU4VNTV.exe"C:\Users\admin\AppData\Local\Temp\KBFLAHE44V66OIVU4VNTV.exe
Procurement.com
User:
admin
Integrity Level:
MEDIUM
Version:
5.3.0.0
Modules
Images
c:\users\admin\appdata\local\temp\kbflahe44v66oivu4vntv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
2096choice /d y /t 5C:\Windows\SysWOW64\choice.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Offers the user a choice
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6264cmd /c copy /b ..\Times.mil + ..\Chubby.mil + ..\Traditions.mil + ..\Reviewer.mil + ..\Domestic.mil + ..\Crude.mil + ..\Jokes.mil + ..\Ear.mil E C:\Windows\SysWOW64\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6480extrac32 /Y /E Holly.milC:\Windows\SysWOW64\extrac32.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® CAB File Extract Utility
Exit code:
0
Version:
5.00 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\extrac32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7084C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7196C:\WINDOWS\SysWOW64\WerFault.exe -u -p 660 -s 552C:\Windows\SysWOW64\WerFault.exeKBFLAHE44V66OIVU4VNTV.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
7240C:\WINDOWS\SysWOW64\WerFault.exe -u -p 660 -s 580C:\Windows\SysWOW64\WerFault.exeKBFLAHE44V66OIVU4VNTV.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
7256C:\WINDOWS\SysWOW64\WerFault.exe -u -p 660 -s 552C:\Windows\SysWOW64\WerFault.exeKBFLAHE44V66OIVU4VNTV.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
7364cmd /c md 469997C:\Windows\SysWOW64\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
8 055
Read events
8 034
Write events
9
Delete events
12

Modification events

(PID) Process:(7816) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:NLSvc
Value:
C:\ProgramData\NLSvc.exe
(PID) Process:(660) KBFLAHE44V66OIVU4VNTV.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation:delete valueName:47BEABC922EAE80E78783462A79F45C254FDE68B
Value:
(PID) Process:(660) KBFLAHE44V66OIVU4VNTV.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B
Operation:writeName:Blob
Value:
040000000100000010000000803ABC22C1E6FB8D9B3B274A321B9A011400000001000000140000003A9A8507106728B6EFF6BD05416E20C194DA0FDE53000000010000002500000030233021060B6086480186FD6D0107170330123010060A2B0601040182373C0101030200C0090000000100000054000000305206082B0601050507030206082B06010505070303060A2B0601040182370A030406082B0601050507030406082B0601050507030606082B0601050507030706082B0601050507030106082B060105050703080F00000001000000200000003560E45B41E46B8F36537025D1D5BC02D9652A10645B0EFF69E8B6A52191F33503000000010000001400000047BEABC922EAE80E78783462A79F45C254FDE68B19000000010000001000000021D008B47B7A2A81C8435903DED424C90B000000010000005200000047006F00200044006100640064007900200052006F006F007400200043006500720074006900660069006300610074006500200041007500740068006F00720069007400790020001320200047003200000062000000010000002000000045140B3247EB9CC8C5B4F0D7B53091F73292089E6E5A63E2749DD3ACA9198EDA1D000000010000001000000070253FBCBDE32A014D38C1993098AD992000000001000000C9030000308203C5308202ADA003020102020100300D06092A864886F70D01010B0500308183310B30090603550406130255533110300E060355040813074172697A6F6E61311330110603550407130A53636F74747364616C65311A3018060355040A1311476F44616464792E636F6D2C20496E632E3131302F06035504031328476F20446164647920526F6F7420436572746966696361746520417574686F72697479202D204732301E170D3039303930313030303030305A170D3337313233313233353935395A308183310B30090603550406130255533110300E060355040813074172697A6F6E61311330110603550407130A53636F74747364616C65311A3018060355040A1311476F44616464792E636F6D2C20496E632E3131302F06035504031328476F20446164647920526F6F7420436572746966696361746520417574686F72697479202D20473230820122300D06092A864886F70D01010105000382010F003082010A0282010100BF716208F1FA5934F71BC918A3F7804958E9228313A6C52043013B84F1E685499F27EAF6841B4EA0B4DB7098C73201B1053E074EEEF4FA4F2F593022E7AB19566BE28007FCF316758039517BE5F935B6744EA98D8213E4B63FA90383FAA2BE8A156A7FDE0BC3B6191405CAEAC3A804943B467C320DF3006622C88D696D368C1118B7D3B21C60B438FA028CCED3DD4607DE0A3EEB5D7CC87CFBB02B53A4926269512505611A44818C2CA9439623DFAC3A819A0E29C51CA9E95D1EB69E9E300A39CEF18880FB4B5DCC32EC85624325340256270191B43B702A3F6EB1E89C88017D9FD4F9DB536D609DBF2CE758ABB85F46FCCEC41B033C09EB49315C6946B3E0470203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E041604143A9A8507106728B6EFF6BD05416E20C194DA0FDE300D06092A864886F70D01010B0500038201010099DB5D79D5F99759670361F17E3B0631752DA1208E4F6587B4F7A69CBCD8E92FD0DB5AEECF748C73B43842DA057BF80275B8FDA5B1D7AEF6D7DE13CB53107E8A46D197FAB72E2B11AB90B02780F9E89F5AE9379FABE4DF6CB385179D3DD9244F799135D65F04EB8083AB9A022DB510F4D890C7047340ED7225A0A99FEC9EAB68129957C68F123A09A4BD44FD061537C19BE432A3ED38E8D864F32C7E14FC02EA9FCDFF076817DB2290382D7A8DD154F169E35F33CA7A3D7B0AE3CA7F5F39E5E275BAC5761833CE2CF02F4CADF7B1E7CE4FA8C49B4A5406C57F7DD5080FE21CFE7E17B8AC5EF6D416B243090C4DF6A76BB4998465CA7A88E2E244BE5CF7EA1CF5
(PID) Process:(660) KBFLAHE44V66OIVU4VNTV.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B
Operation:delete keyName:(default)
Value:
(PID) Process:(660) KBFLAHE44V66OIVU4VNTV.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B
Operation:writeName:Blob
Value:
5C0000000100000004000000000800001400000001000000140000003A9A8507106728B6EFF6BD05416E20C194DA0FDE53000000010000002500000030233021060B6086480186FD6D0107170330123010060A2B0601040182373C0101030200C0090000000100000054000000305206082B0601050507030206082B06010505070303060A2B0601040182370A030406082B0601050507030406082B0601050507030606082B0601050507030706082B0601050507030106082B060105050703080F00000001000000200000003560E45B41E46B8F36537025D1D5BC02D9652A10645B0EFF69E8B6A52191F33503000000010000001400000047BEABC922EAE80E78783462A79F45C254FDE68B19000000010000001000000021D008B47B7A2A81C8435903DED424C90B000000010000005200000047006F00200044006100640064007900200052006F006F007400200043006500720074006900660069006300610074006500200041007500740068006F00720069007400790020001320200047003200000062000000010000002000000045140B3247EB9CC8C5B4F0D7B53091F73292089E6E5A63E2749DD3ACA9198EDA1D000000010000001000000070253FBCBDE32A014D38C1993098AD992000000001000000C9030000308203C5308202ADA003020102020100300D06092A864886F70D01010B0500308183310B30090603550406130255533110300E060355040813074172697A6F6E61311330110603550407130A53636F74747364616C65311A3018060355040A1311476F44616464792E636F6D2C20496E632E3131302F06035504031328476F20446164647920526F6F7420436572746966696361746520417574686F72697479202D204732301E170D3039303930313030303030305A170D3337313233313233353935395A308183310B30090603550406130255533110300E060355040813074172697A6F6E61311330110603550407130A53636F74747364616C65311A3018060355040A1311476F44616464792E636F6D2C20496E632E3131302F06035504031328476F20446164647920526F6F7420436572746966696361746520417574686F72697479202D20473230820122300D06092A864886F70D01010105000382010F003082010A0282010100BF716208F1FA5934F71BC918A3F7804958E9228313A6C52043013B84F1E685499F27EAF6841B4EA0B4DB7098C73201B1053E074EEEF4FA4F2F593022E7AB19566BE28007FCF316758039517BE5F935B6744EA98D8213E4B63FA90383FAA2BE8A156A7FDE0BC3B6191405CAEAC3A804943B467C320DF3006622C88D696D368C1118B7D3B21C60B438FA028CCED3DD4607DE0A3EEB5D7CC87CFBB02B53A4926269512505611A44818C2CA9439623DFAC3A819A0E29C51CA9E95D1EB69E9E300A39CEF18880FB4B5DCC32EC85624325340256270191B43B702A3F6EB1E89C88017D9FD4F9DB536D609DBF2CE758ABB85F46FCCEC41B033C09EB49315C6946B3E0470203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E041604143A9A8507106728B6EFF6BD05416E20C194DA0FDE300D06092A864886F70D01010B0500038201010099DB5D79D5F99759670361F17E3B0631752DA1208E4F6587B4F7A69CBCD8E92FD0DB5AEECF748C73B43842DA057BF80275B8FDA5B1D7AEF6D7DE13CB53107E8A46D197FAB72E2B11AB90B02780F9E89F5AE9379FABE4DF6CB385179D3DD9244F799135D65F04EB8083AB9A022DB510F4D890C7047340ED7225A0A99FEC9EAB68129957C68F123A09A4BD44FD061537C19BE432A3ED38E8D864F32C7E14FC02EA9FCDFF076817DB2290382D7A8DD154F169E35F33CA7A3D7B0AE3CA7F5F39E5E275BAC5761833CE2CF02F4CADF7B1E7CE4FA8C49B4A5406C57F7DD5080FE21CFE7E17B8AC5EF6D416B243090C4DF6A76BB4998465CA7A88E2E244BE5CF7EA1CF5
(PID) Process:(660) KBFLAHE44V66OIVU4VNTV.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation:delete valueName:2796BAE63F1801E277261BA0D77770028F20EEE4
Value:
(PID) Process:(660) KBFLAHE44V66OIVU4VNTV.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4
Operation:writeName:Blob
Value:
04000000010000001000000091DE0625ABDAFD32170CBB25172A8467140000000100000014000000D2C4B0D291D44C1171B361CB3DA1FEDDA86AD4E309000000010000002A000000302806082B0601050507030206082B0601050507030306082B0601050507030406082B060105050703010B000000010000005200000047006F00200044006100640064007900200043006C00610073007300200032002000430065007200740069006600690063006100740069006F006E00200041007500740068006F00720069007400790000000F00000001000000140000005D82ADB90D5DD3C7E3524F56F787EC53726187760300000001000000140000002796BAE63F1801E277261BA0D77770028F20EEE419000000010000001000000063664B080559A094D10F0A3C5F4F629053000000010000004800000030463021060B6086480186FD6D0107170330123010060A2B0601040182373C0101030200C03021060B6086480186FD6E0107170330123010060A2B0601040182373C0101030200C0620000000100000020000000C3846BF24B9E93CA64274C0EC67C1ECC5E024FFCACD2D74019350E81FE546AE41D000000010000001000000099949D2179811F6B30A8C99C4F6B422620000000010000000404000030820400308202E8A003020102020100300D06092A864886F70D01010505003063310B30090603550406130255533121301F060355040A131854686520476F2044616464792047726F75702C20496E632E3131302F060355040B1328476F20446164647920436C61737320322043657274696669636174696F6E20417574686F72697479301E170D3034303632393137303632305A170D3334303632393137303632305A3063310B30090603550406130255533121301F060355040A131854686520476F2044616464792047726F75702C20496E632E3131302F060355040B1328476F20446164647920436C61737320322043657274696669636174696F6E20417574686F7269747930820120300D06092A864886F70D01010105000382010D00308201080282010100DE9DD7EA571849A15BEBD75F4886EABEDDFFE4EF671CF46568B35771A05E77BBED9B49E970803D561863086FDAF2CCD03F7F0254225410D8B281D4C0753D4B7FC777C33E78AB1A03B5206B2F6A2BB1C5887EC4BB1EB0C1D845276FAA3758F78726D7D82DF6A917B71F72364EA6173F659892DB2A6E5DA2FE88E00BDE7FE58D15E1EBCB3AD5E212A2132DD88EAF5F123DA0080508B65CA565380445991EA3606074C541A572621B62C51F6F5F1A42BE025165A8AE23186AFC7803A94D7F80C3FAAB5AFCA140A4CA1916FEB2C8EF5E730DEE77BD9AF67998BCB10767A2150DDDA058C6447B0A3E62285FBA41075358CF117E3874C5F8FFB569908F8474EA971BAF020103A381C03081BD301D0603551D0E04160414D2C4B0D291D44C1171B361CB3DA1FEDDA86AD4E330818D0603551D230481853081828014D2C4B0D291D44C1171B361CB3DA1FEDDA86AD4E3A167A4653063310B30090603550406130255533121301F060355040A131854686520476F2044616464792047726F75702C20496E632E3131302F060355040B1328476F20446164647920436C61737320322043657274696669636174696F6E20417574686F72697479820100300C0603551D13040530030101FF300D06092A864886F70D01010505000382010100324BF3B2CA3E91FC12C6A1078C8E77A03306145C901E18F708A63D0A19F98780116E69E4961730FF3491637238EECC1C01A31D9428A431F67AC454D7F6E5315803A2CCCE62DB944573B5BF45C924B5D58202AD2379698DB8B64DCECF4CCA3323E81C88AA9D8B416E16C920E5899ECD3BDA70F77E992620145425AB6E7385E69B219D0A6C820EA8F8C20CFA101E6C96EF870DC40F618BADEE832B95F88E92847239EB20EA83ED83CD976E08BCEB4E26B6732BE4D3F64CFE2671E26111744AFF571A870F75482ECF516917A002126195D5D140B2104CEEC4AC1043A6A59E0AD595629A0DCF8882C5320CE42B9F45E60D9F289CB1B92A5A57AD370FAF1D7FDBBD9F
(PID) Process:(660) KBFLAHE44V66OIVU4VNTV.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4
Operation:delete keyName:(default)
Value:
(PID) Process:(660) KBFLAHE44V66OIVU4VNTV.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4
Operation:writeName:Blob
Value:
5C000000010000000400000000080000140000000100000014000000D2C4B0D291D44C1171B361CB3DA1FEDDA86AD4E309000000010000002A000000302806082B0601050507030206082B0601050507030306082B0601050507030406082B060105050703010B000000010000005200000047006F00200044006100640064007900200043006C00610073007300200032002000430065007200740069006600690063006100740069006F006E00200041007500740068006F00720069007400790000000F00000001000000140000005D82ADB90D5DD3C7E3524F56F787EC53726187760300000001000000140000002796BAE63F1801E277261BA0D77770028F20EEE419000000010000001000000063664B080559A094D10F0A3C5F4F629053000000010000004800000030463021060B6086480186FD6D0107170330123010060A2B0601040182373C0101030200C03021060B6086480186FD6E0107170330123010060A2B0601040182373C0101030200C0620000000100000020000000C3846BF24B9E93CA64274C0EC67C1ECC5E024FFCACD2D74019350E81FE546AE41D000000010000001000000099949D2179811F6B30A8C99C4F6B422620000000010000000404000030820400308202E8A003020102020100300D06092A864886F70D01010505003063310B30090603550406130255533121301F060355040A131854686520476F2044616464792047726F75702C20496E632E3131302F060355040B1328476F20446164647920436C61737320322043657274696669636174696F6E20417574686F72697479301E170D3034303632393137303632305A170D3334303632393137303632305A3063310B30090603550406130255533121301F060355040A131854686520476F2044616464792047726F75702C20496E632E3131302F060355040B1328476F20446164647920436C61737320322043657274696669636174696F6E20417574686F7269747930820120300D06092A864886F70D01010105000382010D00308201080282010100DE9DD7EA571849A15BEBD75F4886EABEDDFFE4EF671CF46568B35771A05E77BBED9B49E970803D561863086FDAF2CCD03F7F0254225410D8B281D4C0753D4B7FC777C33E78AB1A03B5206B2F6A2BB1C5887EC4BB1EB0C1D845276FAA3758F78726D7D82DF6A917B71F72364EA6173F659892DB2A6E5DA2FE88E00BDE7FE58D15E1EBCB3AD5E212A2132DD88EAF5F123DA0080508B65CA565380445991EA3606074C541A572621B62C51F6F5F1A42BE025165A8AE23186AFC7803A94D7F80C3FAAB5AFCA140A4CA1916FEB2C8EF5E730DEE77BD9AF67998BCB10767A2150DDDA058C6447B0A3E62285FBA41075358CF117E3874C5F8FFB569908F8474EA971BAF020103A381C03081BD301D0603551D0E04160414D2C4B0D291D44C1171B361CB3DA1FEDDA86AD4E330818D0603551D230481853081828014D2C4B0D291D44C1171B361CB3DA1FEDDA86AD4E3A167A4653063310B30090603550406130255533121301F060355040A131854686520476F2044616464792047726F75702C20496E632E3131302F060355040B1328476F20446164647920436C61737320322043657274696669636174696F6E20417574686F72697479820100300C0603551D13040530030101FF300D06092A864886F70D01010505000382010100324BF3B2CA3E91FC12C6A1078C8E77A03306145C901E18F708A63D0A19F98780116E69E4961730FF3491637238EECC1C01A31D9428A431F67AC454D7F6E5315803A2CCCE62DB944573B5BF45C924B5D58202AD2379698DB8B64DCECF4CCA3323E81C88AA9D8B416E16C920E5899ECD3BDA70F77E992620145425AB6E7385E69B219D0A6C820EA8F8C20CFA101E6C96EF870DC40F618BADEE832B95F88E92847239EB20EA83ED83CD976E08BCEB4E26B6732BE4D3F64CFE2671E26111744AFF571A870F75482ECF516917A002126195D5D140B2104CEEC4AC1043A6A59E0AD595629A0DCF8882C5320CE42B9F45E60D9F289CB1B92A5A57AD370FAF1D7FDBBD9F
Executable files
2
Suspicious files
19
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
7552Setup.exeC:\Users\admin\AppData\Local\Temp\Holly.milcompressed
MD5:2898AD6E43FD03C8E1D5611572FE3881
SHA256:4F75BA8ED94450B7C33EA19922680C639A494A1169F7B8DAA3000E42C147DC4D
7552Setup.exeC:\Users\admin\AppData\Local\Temp\Reviewer.milbinary
MD5:2C3AF039D94CD4CC0D459B4E1D8CF022
SHA256:D6D98F13801D03A29A9C82CF400FA4F24C36DB925C1EDFDC816D572CB7CC5B65
7552Setup.exeC:\Users\admin\AppData\Local\Temp\Domestic.milbinary
MD5:86929424419499384CDB52CCCD9DA189
SHA256:056C1E6570CADE3CF722C71D2D262E119B7E70AE4AFA55D2F7E97B97BDF72E65
7552Setup.exeC:\Users\admin\AppData\Local\Temp\Chubby.milbinary
MD5:1CAC9201CA91583CB6144A20EB2D74AA
SHA256:3F68244B6F734EB9C9CB9AA77C0534BF1D286E87AC158E672B5034CB5B568C6D
7552Setup.exeC:\Users\admin\AppData\Local\Temp\Crude.milbinary
MD5:AB4C8622A7B22AB6825928F84EB63886
SHA256:ED631FB5B5C732F658257E68A2D9F2072537477A8771A14924B662886AB05CA0
7552Setup.exeC:\Users\admin\AppData\Local\Temp\Notices.miltext
MD5:71E73DFB983CF2046D8A294859605C96
SHA256:122304D6AC83245ACF0720E3AE0A80497E0D10081DCC527204AE98A6B7E035BB
7552Setup.exeC:\Users\admin\AppData\Local\Temp\Jokes.milbinary
MD5:566096E5DB04144692A2C6042988FD23
SHA256:14B06FB00857FCE8CAD8FE606B1FEEC6B2A0A979BBA4BFE07616F95CAAC4ECA8
6480extrac32.exeC:\Users\admin\AppData\Local\Temp\Loggedbinary
MD5:A92AE1CB812B803C457DC58C5349B569
SHA256:21A11BF79FAC6082E92A32D9AF2A56B280089993D2D4BD0EC5AD463FF37B4341
6480extrac32.exeC:\Users\admin\AppData\Local\Temp\Stewartbinary
MD5:383005B1BEFB2CD4372B525A2CCD4D83
SHA256:2988B6FF8CC4ABBC33F49A1FB1E7AD5BD15812F612DE1D6F1EA60C0CAC694183
6480extrac32.exeC:\Users\admin\AppData\Local\Temp\Swingbinary
MD5:0E3F848E82ECD7D7755E92A34288CF9D
SHA256:26002EB37563E05F8724B11BF20E6B60D0B690CC680854E694FBBB0EF4F67A70
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
33
DNS requests
30
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.16.164.98:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
304
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5864
SIHClient.exe
GET
200
23.38.73.129:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5864
SIHClient.exe
GET
200
23.38.73.129:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
2.16.164.98:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
5496
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
2104
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.75:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.164.98
  • 2.16.164.89
  • 2.16.164.25
  • 2.16.164.32
  • 2.16.164.40
  • 2.16.164.58
  • 2.16.164.83
  • 2.16.164.24
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 23.38.73.129
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.159.75
  • 40.126.31.2
  • 40.126.31.73
  • 40.126.31.130
  • 20.190.159.129
  • 40.126.31.129
  • 20.190.159.4
  • 20.190.159.64
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
hxFnFEkTIppoPl.hxFnFEkTIppoPl
unknown
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tropiscbs .live)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (topographky .top)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (geographys .run)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (biosphxere .digital)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cartograhphy .top)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (woodpeckersd .run)
2196
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (climatologfy .top)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vigorbridgoe .top)
2196
svchost.exe
Misc activity
ET TA_ABUSED_SERVICES DNS Query to Commonly Actor Abused Online Service (data-seed-prebsc-2-s1 .binance .org)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Setup.exe