File name: lua.exe

Full analysis: https://app.any.run/tasks/ffda043a-607c-4e9f-9057-bb42ff252b90
Verdict: Malicious activity
Analysis date: March 29, 2025, 20:19:42
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
fragtor
lockscreen
winlocker
antivm
delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: 9B511D21129DD10EC89077C4673FD078
SHA1: 0BE3D945799AD2582136C00EBB03100ACCB7C19B
SHA256: 14CF8B9B5A40DA306472AF47095DDAE9741D543C9EA1C33CCAD089EA4E0F65EC
SSDEEP: 49152:Xg/q1q56N/+X1YQ/Lbv8quQ6+IIgg4KgVjiZHMwmG9x:Sq1q560Xh/LWQ6VIgg2V8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • FRAGTOR mutex has been found

      • lua.exe (PID: 7780)
    • Adds path to the Windows Defender exclusion list

      • lua.exe (PID: 7780)
    • Changes Windows Defender settings

      • lua.exe (PID: 7780)
    • Disables Windows Defender

      • lua.exe (PID: 7780)
    • Changes the autorun value in the registry

      • lua.exe (PID: 7780)
    • UAC/LUA settings modification

      • lua.exe (PID: 7780)
    • Changes image file execution options

      • lua.exe (PID: 7780)
    • Disables the Find the Start menu

      • lua.exe (PID: 7780)
    • Disables the Run the Start menu

      • lua.exe (PID: 7780)
    • Disables the Shutdown in the Start menu

      • lua.exe (PID: 7780)
    • Disables the LogOff the Start menu

      • lua.exe (PID: 7780)
    • WINLOCKER has been detected (YARA)

      • lua.exe (PID: 7780)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • lua.exe (PID: 7780)
    • Script adds exclusion path to Windows Defender

      • lua.exe (PID: 7780)
    • Starts POWERSHELL.EXE for commands execution

      • lua.exe (PID: 7780)
    • Starts CMD.EXE for commands execution

      • lua.exe (PID: 7780)
    • There is functionality for taking screenshot (YARA)

      • lua.exe (PID: 7780)
    • There is functionality for VM detection VMWare (YARA)

      • lua.exe (PID: 7780)
    • There is functionality for VM detection VirtualBox (YARA)

      • lua.exe (PID: 7780)
    • Creates file in the systems drive root

      • lua.exe (PID: 7780)
  • INFO

    • Checks supported languages

      • lua.exe (PID: 7780)
    • Reads the computer name

      • lua.exe (PID: 7780)
    • Process checks computer location settings

      • lua.exe (PID: 7780)
    • Create files in a temporary directory

      • lua.exe (PID: 7780)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7932)
    • Compiled with Borland Delphi (YARA)

      • lua.exe (PID: 7780)
      • slui.exe (PID: 7276)
    • Checks proxy server information

      • slui.exe (PID: 7276)
    • Reads the software policy settings

      • slui.exe (PID: 7276)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7932)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (94.6)
.exe | Win32 Executable Delphi generic (2)
.scr | Windows screen saver (1.8)
.exe | Win32 Executable (generic) (0.6)
.exe | Win16/32 Executable Delphi generic (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 1172992
InitializedDataSize: 184832
UninitializedDataSize: -
EntryPoint: 0x11f5b8
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
136
Monitored processes
8
Malicious processes
1
Suspicious processes
0

Behavior graph

Processes in the graph (root: start): lua.exe (#FRAGTOR), cmd.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), searchapp.exe (no specs), slui.exe, lua.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 7276 | CMD: C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7388 | CMD: "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | Path: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Search application
Exit code:
2147945463
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe
c:\windows\system32\ntdll.dll
PID: 7624 | CMD: "C:\Users\admin\AppData\Local\Temp\lua.exe" | Path: C:\Users\admin\AppData\Local\Temp\lua.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\lua.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 7780 | CMD: "C:\Users\admin\AppData\Local\Temp\lua.exe" | Path: C:\Users\admin\AppData\Local\Temp\lua.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\lua.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7888 | CMD: "C:\Windows\System32\cmd.exe" /c schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\admin\AppData\Local\Temp\lua.exe" /rl HIGHEST /f | Path: C:\Windows\System32\cmd.exe | Parent process: lua.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
PID: 7896 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7932 | CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\Temp\lua.exe'" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Parent process: lua.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 7944 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
11 060
Read events
11 026
Write events
34
Delete events
0

Modification events

Process: (7780) lua.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System
Operation: write
Name: DisableCMD
Value: 2

Process: (7780) lua.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLUA
Value: 0

Process: (7780) lua.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Operation: write
Name: DisableAntiSpyware
Value: 1

Process: (7780) lua.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Qwe
Value: C:\Users\admin\AppData\Local\Temp\lua.exe

Process: (7780) lua.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Operation: write
Name: Debugger
Value: C:\Users\admin\AppData\Local\Temp\lua.exe

Process: (7780) lua.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
Operation: write
Name: Debugger
Value: C:\Users\admin\AppData\Local\Temp\lua.exe

Process: (7780) lua.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe
Operation: write
Name: Debugger
Value: C:\Users\admin\AppData\Local\Temp\lua.exe

Process: (7780) lua.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
Operation: write
Name: Debugger
Value: C:\Users\admin\AppData\Local\Temp\lua.exe

Process: (7780) lua.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe
Operation: write
Name: Debugger
Value: C:\Users\admin\AppData\Local\Temp\lua.exe

Process: (7780) lua.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
Operation: write
Name: Debugger
Value: "cmd.exe","C:\Users\admin\AppData\Local\Temp\lua.exe"
Executable files
0
Suspicious files
5
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7780 | Process: lua.exe | Filename: \Device\Harddisk0\DR0 | Type:
MD5:
SHA256:

PID: 7780 | Process: lua.exe | Filename: C:\Users\admin\AppData\Local\Temp\Time.ini | Type: text
MD5: EB13B7EAF7F30D348E471F0907B31AAC
SHA256: 94BA214735774FB4E68BE906C3E181D29C71DBBCD10540E70BA7021FCF5EA3AA

PID: 7932 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gouqthug.xos.psm1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7932 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cxcannq3.cv0.ps1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7780 | Process: lua.exe | Filename: C:\RestInPiss.dll | Type: text
MD5: 7BD75571D3A08F413BB0727D7ECBAF7A
SHA256: 5EDC53221D1A70D8238CBF9A557F1C52B166A94A9364E24AB92525B9F4F81E43

PID: 7780 | Process: lua.exe | Filename: C:\Windows\Logs\waasmediccapsule\WaasRemediation.001.etl | Type: binary
MD5: 44CB3A81495A4F03B71F581D0F3F501E
SHA256: 471440EC5FF7A658F48011DF3AF0F14C9B621B685EA4E00ED735E22AE458682B

PID: 7780 | Process: lua.exe | Filename: C:\Windows\appcompat\Programs\Amcache.hve | Type: binary
MD5: B183D5DD218915F3563388B74EF75EED
SHA256: 2F2D9669E2B9BC6CC05AC281535FA2F690DA35B37927D906D187656C719DFCB9

PID: 7780 | Process: lua.exe | Filename: C:\Users\admin\AppData\Local\Temp\Time2.ini | Type: text
MD5: 1281E7CD37295F4793D7C2A89768C0DC
SHA256: 1FA21D9E19BF83DD68505165FEC38E46263B582FF8E3D582ADD57C756210B8FA

PID: 7932 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | Type: binary
MD5: 5F0ED4BBBA12272DCC437A7E47DD8C07
SHA256: 7610C9991B0BA6F5046CEB2D8C75D51AE3C0DB4C672F3658EB3F14B262383612

PID: 7780 | Process: lua.exe | Filename: C:\Windows\appcompat\Programs\Amcache.hve.LOG1 | Type: binary
MD5: BCE94E1C0D92EC8C88F5851E5B8B1F78
SHA256: 4139440928846EB0CF78C3CF416DE512E0116E6028306E37A241122F3A160CA7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
24
DNS requests
4
Threats
0

HTTP requests

No HTTP requests

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted
IP: 40.127.240.158:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted
PID: 5496 | Process: MoUsoCoreWorker.exe | IP: 40.127.240.158:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 2112 | Process: svchost.exe | IP: 40.127.240.158:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 2104 | Process: svchost.exe | IP: 4.231.128.59:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 7616 | Process: slui.exe | IP: 40.91.76.224:443 | Domain: activation-v2.sls.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted
PID: 7276 | Process: slui.exe | IP: 40.91.76.224:443 | Domain: activation-v2.sls.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted

DNS requests

Domain: settings-win.data.microsoft.com | IP: 40.127.240.158, 4.231.128.59 | Reputation: whitelisted
Domain: google.com | IP: 142.250.185.142 | Reputation: whitelisted
Domain: activation-v2.sls.microsoft.com | IP: 40.91.76.224 | Reputation: whitelisted

Threats

No threats detected
No debug info