File name: Lunelior Setup.exe

Full analysis: https://app.any.run/tasks/fa068ee8-bada-41b0-8bd8-3bced6adfa6e
Verdict: Malicious activity
Analysis date: February 26, 2025, 16:41:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: B92B986FFE4992A34241B07599A0B9CF
SHA1: 0ED92CA7EB4AF672F3CB4FFDE2309CC328969ABB
SHA256: 29343058F7CA76D213D3D9178530003724AF44A5704CBE9A035888C02EF7D79C
SSDEEP: 393216:sppG3sXquPYAAi7ahDZfpMsbAzDb3CrOliYvg46ZuqRvM4m3KELKY1xnlqlBv0kF:Yxgxifs0zD756ZuH/3KELdA/vZHNZsk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • Lunelior Setup.exe (PID: 6656)
    • Get information on the list of running processes

      • Lunelior Setup.exe (PID: 6656)
      • cmd.exe (PID: 6540)
    • Starts CMD.EXE for commands execution

      • Lunelior Setup.exe (PID: 6656)
      • Core Framework Setup.exe (PID: 2908)
    • Process drops legitimate windows executable

      • Lunelior Setup.exe (PID: 6656)
    • Drops 7-zip archiver for unpacking

      • Lunelior Setup.exe (PID: 6656)
    • Executable content was dropped or overwritten

      • Lunelior Setup.exe (PID: 6656)
    • Reads security settings of Internet Explorer

      • Lunelior Setup.exe (PID: 6656)
    • The process creates files with name similar to system file names

      • Lunelior Setup.exe (PID: 6656)
    • Creates a software uninstall entry

      • Lunelior Setup.exe (PID: 6656)
    • Application launched itself

      • Core Framework Setup.exe (PID: 2908)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 3768)
      • cmd.exe (PID: 456)
      • cmd.exe (PID: 2040)
      • cmd.exe (PID: 6712)
      • cmd.exe (PID: 3804)
      • cmd.exe (PID: 2140)
      • cmd.exe (PID: 736)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3768)
      • cmd.exe (PID: 456)
      • cmd.exe (PID: 2140)
      • cmd.exe (PID: 736)
      • cmd.exe (PID: 2040)
      • cmd.exe (PID: 6712)
      • cmd.exe (PID: 3804)
  • INFO

    • Checks supported languages

      • Lunelior Setup.exe (PID: 6656)
      • Core Framework Setup.exe (PID: 2908)
      • Core Framework Setup.exe (PID: 6248)
      • Core Framework Setup.exe (PID: 6456)
    • The sample compiled with english language support

      • Lunelior Setup.exe (PID: 6656)
    • Reads the computer name

      • Lunelior Setup.exe (PID: 6656)
      • Core Framework Setup.exe (PID: 2908)
      • Core Framework Setup.exe (PID: 6456)
      • Core Framework Setup.exe (PID: 6248)
    • Creates files or folders in the user directory

      • Lunelior Setup.exe (PID: 6656)
      • Core Framework Setup.exe (PID: 2908)
    • Manual execution by a user

      • Core Framework Setup.exe (PID: 2908)
    • Create files in a temporary directory

      • Lunelior Setup.exe (PID: 6656)
    • Reads product name

      • Core Framework Setup.exe (PID: 2908)
    • Reads Environment values

      • Core Framework Setup.exe (PID: 2908)
    • Reads the machine GUID from the registry

      • Core Framework Setup.exe (PID: 2908)
    • Checks proxy server information

      • Core Framework Setup.exe (PID: 2908)
      • slui.exe (PID: 6972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:12:15 22:26:14+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 473088
UninitializedDataSize: 16384
EntryPoint: 0x338f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.0
ProductVersionNumber: 2.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileDescription: -
FileVersion: 2.0.0
LegalCopyright: Copyright © 2025 Core Framework Setup
ProductName: Core Framework Setup
ProductVersion: 2.0.0
No data.
All screenshots are available in the full report
Total processes: 158
Monitored processes: 30
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes in the graph, in launch order ("no specs" marks a process with no specific indicators):

  • lunelior setup.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • tasklist.exe (no specs)
  • find.exe (no specs)
  • core framework setup.exe (no specs)
  • core framework setup.exe (no specs)
  • cmd.exe (no specs)
  • core framework setup.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • slui.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 444
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 456
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c "powershell -NoProfile -Command "(Get-CimInstance Win32_Processor).NumberOfLogicalProcessors""
Path: C:\Windows\System32\cmd.exe
Parent process: Core Framework Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 736
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c "powershell -NoProfile -Command "(Get-CimInstance Win32_Processor).Manufacturer""
Path: C:\Windows\System32\cmd.exe
Parent process: Core Framework Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 856
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1056
CMD: tasklist /FI "USERNAME eq admin" /FI "IMAGENAME eq Core Framework Setup.exe" /FO csv
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2040
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c "powershell -NoProfile -Command "(Get-CimInstance Win32_Processor).NumberOfCores""
Path: C:\Windows\System32\cmd.exe
Parent process: Core Framework Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 2140
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c "powershell -NoProfile -Command "(Get-CimInstance Win32_Processor).Name""
Path: C:\Windows\System32\cmd.exe
Parent process: Core Framework Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 2152
CMD: powershell -NoProfile -Command "(Get-CimInstance Win32_ComputerSystem).Model"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 2552
CMD: powershell -NoProfile -Command "(Get-CimInstance Win32_Processor).Name"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\atl.dll
c:\windows\system32\ucrtbase.dll
PID: 2852
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 33 118
Read events: 33 107
Write events: 11
Delete events: 0

Modification events

(PID) Process: (6656) Lunelior Setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\1dc6b84c-73e4-5a5a-ad34-8b81f2bddd3a
Operation: write
Name: InstallLocation
Value: C:\Users\admin\AppData\Local\Programs\core-framework-setup

(PID) Process: (6656) Lunelior Setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\1dc6b84c-73e4-5a5a-ad34-8b81f2bddd3a
Operation: write
Name: KeepShortcuts
Value: true

(PID) Process: (6656) Lunelior Setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\1dc6b84c-73e4-5a5a-ad34-8b81f2bddd3a
Operation: write
Name: ShortcutName
Value: Core Framework Setup

(PID) Process: (6656) Lunelior Setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1dc6b84c-73e4-5a5a-ad34-8b81f2bddd3a
Operation: write
Name: DisplayName
Value: Core Framework Setup 2.0.0

(PID) Process: (6656) Lunelior Setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1dc6b84c-73e4-5a5a-ad34-8b81f2bddd3a
Operation: write
Name: UninstallString
Value: "C:\Users\admin\AppData\Local\Programs\core-framework-setup\Uninstall Core Framework Setup.exe" /currentuser

(PID) Process: (6656) Lunelior Setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1dc6b84c-73e4-5a5a-ad34-8b81f2bddd3a
Operation: write
Name: QuietUninstallString
Value: "C:\Users\admin\AppData\Local\Programs\core-framework-setup\Uninstall Core Framework Setup.exe" /currentuser /S

(PID) Process: (6656) Lunelior Setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1dc6b84c-73e4-5a5a-ad34-8b81f2bddd3a
Operation: write
Name: DisplayVersion
Value: 2.0.0

(PID) Process: (6656) Lunelior Setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1dc6b84c-73e4-5a5a-ad34-8b81f2bddd3a
Operation: write
Name: DisplayIcon
Value: C:\Users\admin\AppData\Local\Programs\core-framework-setup\Core Framework Setup.exe,0

(PID) Process: (6656) Lunelior Setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1dc6b84c-73e4-5a5a-ad34-8b81f2bddd3a
Operation: write
Name: NoModify
Value: 1

(PID) Process: (6656) Lunelior Setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1dc6b84c-73e4-5a5a-ad34-8b81f2bddd3a
Operation: write
Name: NoRepair
Value: 1
Executable files: 21
Suspicious files: 126
Text files: 16
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 6656
Process: Lunelior Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsk100B.tmp\app-64.7z
MD5:
SHA256:

PID: 6656
Process: Lunelior Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsk100B.tmp\7z-out\icudtl.dat
MD5:
SHA256:

PID: 6656
Process: Lunelior Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsk100B.tmp\7z-out\LICENSES.chromium.html
MD5:
SHA256:

PID: 6656
Process: Lunelior Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsk100B.tmp\7z-out\LICENSE.electron.txt
Type: text
MD5: 4D42118D35941E0F664DDDBD83F633C5
SHA256: 5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D

PID: 6656
Process: Lunelior Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsk100B.tmp\nsis7z.dll
Type: executable
MD5: 80E44CE4895304C6A3A831310FBF8CD0
SHA256: B393F05E8FF919EF071181050E1873C9A776E1A0AE8329AEFFF7007D0CADF592

PID: 6656
Process: Lunelior Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsk100B.tmp\System.dll
Type: executable
MD5: 0D7AD4F45DC6F5AA87F606D0331C6901
SHA256: 3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA

PID: 6656
Process: Lunelior Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsk100B.tmp\nsExec.dll
Type: executable
MD5: EC0504E6B8A11D5AAD43B296BEEB84B2
SHA256: 5D9CEB1CE5F35AEA5F9E5A0C0EDEEEC04DFEFE0C77890C80C70E98209B58B962

PID: 6656
Process: Lunelior Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsk100B.tmp\StdUtils.dll
Type: executable
MD5: C6A6E03F77C313B267498515488C5740
SHA256: B72E9013A6204E9F01076DC38DABBF30870D44DFC66962ADBF73619D4331601E

PID: 6656
Process: Lunelior Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsk100B.tmp\SpiderBanner.dll
Type: executable
MD5: 17309E33B596BA3A5693B4D3E85CF8D7
SHA256: 996A259E53CA18B89EC36D038C40148957C978C0FD600A268497D4C92F882A93

PID: 6656
Process: Lunelior Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsk100B.tmp\7z-out\chrome_100_percent.pak
Type: binary
MD5: 83EC43F2AF9FC52025F3F807B185D424
SHA256: A659EE9EB38636F85F5336587C578FB29740D3EFFAFF9B92852C8A210E92978C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 26
DNS requests: 14
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
780
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
780
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
20.190.159.130:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.190.159.130:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
104.126.37.178:443
www.bing.com
Akamai International B.V.
DE
whitelisted
2040
backgroundTaskHost.exe
20.223.35.26:443
fd.api.iris.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
780
SIHClient.exe
20.109.210.53:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
780
SIHClient.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
780
SIHClient.exe
20.3.187.198:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.23.110
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
login.live.com
  • 20.190.159.130
  • 20.190.159.68
  • 40.126.31.71
  • 20.190.159.64
  • 20.190.159.23
  • 40.126.31.128
  • 20.190.159.2
  • 40.126.31.2
whitelisted
client.wns.windows.com
  • 40.113.103.199
  • 40.115.3.253
whitelisted
www.bing.com
  • 104.126.37.178
  • 104.126.37.177
  • 104.126.37.170
  • 104.126.37.123
  • 104.126.37.176
  • 104.126.37.160
  • 104.126.37.162
  • 104.126.37.179
  • 104.126.37.186
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.29
whitelisted

Threats

No threats detected
No debug info